
How To Upload Shell 



Before using public-key authentication, the public/private key pair files must be created, with a copy of the public-key file being uploaded to a specific location on the server. The public and private keys are generated with a key generation utility. While the private and public keys within a key pair are related, a private key cannot be derived by someone who only possesses the corresponding public key.


Successful public-key authentication requires: (1) generating a key pair, (2) uploading the public key to the Secure Shell server, and (3) configuring the client to use the public-key authentication method. SecureCRT and SecureFX provide utilities to generate keys and automatically place a copy of the public key on a VShell server. Public-key authentication between a VanDyke Software client application and a non-VShell server such as OpenSSH requires generation of a public/private key pair and placing the public-key file on the server in the right location and in a format supported by the Secure Shell server.







The public key can be uploaded to a VShell server at the end of the Key Generation wizard process, or at any time later through the Session Options dialog. Use the following steps to upload an existing public-key file:


*Note that the upload instructions apply only to servers like VanDyke Software's VShell that implement the Secure Shell Public Key Subsystem (RFC 4819). Although there may be server implementations that support the public-key subsystem, those connecting to servers that aren't VShell will typically need to use manual methods to place their public-key files on the server to meet the server's requirements.


Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.


The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.


Sometimes web applications intentionally or unintentionally use some functions (or APIs) to check the file types in order to process them further. For instance, when an application resizes an image file, it may just show an error message when non-image files are uploaded, without saving them on the server.


Apart from installing applications like emacs on my guest machine, I would also like to upload some configuration files (e.g. to configure emacs for Clojure development). Sadly, Vagrant's documentation gives no clue about how to do this. I guess I'd have to put the configuration files into a shared folder and then copy them from the shared folder on the guest machine to the desired locations?


First catch is that it is run as the ssh user ("vagrant" by default) without sudo, so you need to have write access to the directory on the VM. A workaround is to copy to a temporary location and then use a normal shell provisioner to copy/move it to right place.


Realistically there are several ways we could achieve this, for example if we were able to install additional tools we could leverage azcopy. In my scenario I only have the following available to me and I'm limited to leveraging bash/shell scripting:


The --os-shell works for MySQL by attempting to use an into outfile to write a file to the web root. This can fail for any number of reasons. The most common reason is that the database and web server are different machines. Ubuntu's default AppArmor rule sets forbid MySQL from writing to /var/www/. Also, into outfile requires file privileges that should never be granted (but often are). You could try using sqlmap's file-io functionality to read and write to the remote file system.


In the context of this application, dumping the contents of the WordPress MySQL database will yield the administrator's password hash. Cracking this hash will yield a WordPress admin account, which almost always has the ability to upload and install WordPress extensions... or PHP shells.


The easiest way to install shell integration is to select the iTerm2>Install Shell Integration menu item. It will download and run a shell script as described below. You should do this on every host you ssh to as well as your local machine. The following shells are supported: tcsh, zsh, bash, and fish 2.3 or later. Contributions for other shells are most welcome.


For zsh and bash users: if you are unable to modify PS1 directly (for example, if you use a zsh theme that wants to control PS1), you must take an extra step. Add export ITERM2_SQUELCH_MARK=1 before the shell integration script is sourced. Add the iterm2_prompt_mark as directed above to your prompt through those means available to you.


If you drop a file (e.g., from Finder) into iTerm2 while holding the option key, iTerm2 will offer to upload the file via scp to the remote host into the directory you were in on the line you dropped the file on. A new menu bar item will be added called Uploads that lets you view uploaded files and track their progress.


With shell integration, iTerm2 will remember which directories you have used recently. The list of preferred directories is stored separately for each username+hostname combination. It is sorted by "frecency" (frequency and recency of use). There are two places it is exposed in the UI:


If you'd like to be able to use shell integration as root, you have two options. The first option, presuming you use bash, is to become root with sudo -s (which loads your .bashrc as root) and add this to your .bashrc:


For some users, installing a login script on every host they connect to is not an option. To be sure, modifying root's login script is usually a bad idea. In these cases you can get the benefits of shell integration by defining triggers. The following triggers are of interest:


iTerm2 links in libssh2, and does not shell out to scp. It respects /etc/known_hosts and ~/.ssh/known_hosts, and will update the latter file appropriately. Host fingerprints are verified. Password, keyboard-interactive, and public-key authentication are supported. Private keys by default come from ~/.ssh/id_rsa, id_dsa, or id_ecdsa, and may be encrypted with an optional passphrase.


Settings pulled from ssh_config override the hostname and user name provided by shell integration. The shell integration-provided host name is used as the text against which Host patterns are matched.


After exploiting a remote command execution vulnerability, we can use a reverse shell to obtain an interactive shell session on the target machine. Throughout our article we are going to use this web shell to achieve the reverse shell of the target machine. Ready?! We execute the given command to edit the localhost address from the malicious shell.


Sometimes plugins installed in the WordPress CMS are vulnerable; by taking advantage of them we can upload our malicious PHP shells to the target server and get reverse shells. In our case, as you can see, a vulnerable plugin called Reflex is located on the WordPress CMS, so now we will try to exploit the target machine by uploading a shell through this plugin.


Weevely is a command-line web shell dynamically extended over the network at runtime, designed for remote administration and penetration testing or bad things. It provides an ssh-like terminal by just dropping a PHP script on the target server, even in restricted environments. The best thing about Weevely is its stealth functionality. So today we will see how Weevely functions.


When working with Azure Cloud Shell (opens new window), you sometimes need the ability to upload files to work with later. I'm going to call out the two methods that I use to accomplish this task all the time.


In method one, we'll update the file share that's associated with Cloud Shell by using the clouddrive mount command. Note that you may already have a cloud drive that is created upon initial start of Cloud Shell. Go ahead and spin up Azure Cloud Shell and type clouddrive -h to see the commands to mount and unmount a drive.


We'll now simply call clouddrive mount -s subscription-id -g your-resource-group-name -n storage-account -f storage-file-name to create our drive. Once it has completed, we'll navigate to the resource and hit the Upload button and upload a file. Again, you could have navigated to your existing resource group instead of creating a new one - but I want you to learn how to do this manually.


In our blog post on ASP.NET resource files and deserialization issues [1], we showed how to run code by abusing deserialization features when uploading a RESX or RESOURCES file. In this blog post, we similarly show how XAMLX file capabilities can be abused to run commands on a server when such files can be uploaded within an IIS application.


The second method is by a XAMLX file feature that can run code on the server-side when browsing the uploaded file. It is possible to simply use Visual Studio to develop a basic payload for this case. Examples provided here have been modified to be shorter and perhaps more effective.


It is possible to solve this issue when a web.config can be uploaded. However, in that case other techniques can be used to run code on the server as well (see [5] for more details). The following web.config file can be used to enable the .XAMLX file extension:


Oftentimes on an engagement I find myself needing to copy a tool or a payload from my Kali Linux attack box to a compromised Windows machine. As a perfect example, on a recent pentest, I found a vulnerable ColdFusion server and was able to upload a CFM webshell. It was a very limited, non-interactive shell and I wanted to download and execute a reverse Meterpreter binary from my attack machine. I generated the payload with Veil but needed a way to transfer the file to the Windows server running ColdFusion through simple commands.

