Day 02 - The Elf Strikes Back!
Date: 02 December 2020
Author: Dhilip Sanjay S
Reverse Shell
The attack box listens for an incoming connection, and the victim connects back to it (via some malicious script). In this example, a PHP script is used to create the reverse shell.
Bind Shell
A bind shell is created on the victim and binds to a specific port, listening for an incoming connection from the attack box.
Solutions
What string of text needs to be added to the URL to get access to the upload page?
Answer: ?id=Your-ID
What type of file is accepted by the site?
Answer: image
Steps to reproduce: View the page source. You can see that it accepts files with the following extensions: .jpg, .jpeg, .png (which are image extensions).
Bypass the filter and upload a reverse shell.
To bypass the file upload extension filter, name the file: your-file.(jpg|jpeg|png).php
The filter only checks the extension that follows the first dot in the filename, so it sees the image extension and accepts the file. This way, a file of any format can be uploaded.
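The double-extension trick works only because the filter reads the extension after the first dot. The Python below is an added example, not the challenge site's code: it models that weak check beside a stricter one that takes the extension from the end of the name, allows a single extension only, checks the file's magic bytes, and stores the upload under a server-generated name. The function names, the allowlist and the single-extension rule are my own assumptions about how such a filter would be written.

```python
"""Added example (not from the original write-up): a first-dot extension
check beside a hardened upload validator."""
import os
import secrets

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Leading bytes of the allowed image types, so the content is checked, not just the name.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def weak_filter(filename: str) -> bool:
    """Models the flawed check: the 'extension' is whatever follows the first dot,
    so 'file.png.php' is judged on 'png' and passes."""
    parts = filename.split(".")
    if len(parts) < 2:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def strict_filter(filename: str, content: bytes) -> bool:
    """Hardened check (assumed policy): path components dropped, exactly one
    extension taken from the end of the name, on the allowlist, and the content
    must start with that type's magic bytes."""
    base = os.path.basename(filename)
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED_EXTENSIONS:
        return False
    if "." in stem:
        # Policy choice: refuse double extensions such as 'x.png.php' or 'x.php.png'.
        return False
    return content.startswith(MAGIC[ext])


def storage_name(ext: str) -> str:
    """Server-generated filename, so the client-supplied name never reaches disk."""
    return f"{secrets.token_hex(16)}.{ext.lower()}"


if __name__ == "__main__":
    png = MAGIC["png"] + b"\x00" * 16  # constructed PNG-like content
    print("weak  shell.png.php ->", weak_filter("shell.png.php"))
    print("strict shell.png.php ->", strict_filter("shell.png.php", b"<?php"))
    print("strict photo.png     ->", strict_filter("photo.png", png))
```

Even with the stricter check, the uploads directory should be served with script execution disabled, so a file that slips through is returned as data rather than run by the PHP handler.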
The uploaded PHP file is used to obtain the flag. Three ways to obtain the flag using PHP:
Reverse Shell using the pre-written script
Make a copy of the script /usr/share/webshells/php/php-reverse-shell.php and replace $ip and $port in the script with your IP address and the port on which your netcat is listening.
Reverse Shell using the exec command
Used to obtain a reverse shell without much complicated code, and because netcat is not available on the target.
Note: Replace $ip and $port with your IP address and the port on which your netcat is listening.
In the same way, a bind shell could be established. But nc is not installed on the server, so it is not possible in this case. To connect to a bind shell, on the attack machine type the command nc $target_ip $port.
Print the flag directly
We know that the flag is in the file /var/www/flag.txt. So, we can use PHP to directly fetch and display the flag for us.
In which directory are the uploaded files stored?
Answer: /uploads/
Use dirbuster to find the folders.
Activate your reverse shell and catch it in a netcat listener!
To activate the reverse shell, go to the /uploads/ directory and click on the file you uploaded. To listen to the reverse shell:
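Activating the shell is a single GET to a script under /uploads/, which is exactly what a defender should look for in the web server log. As an added example (not part of the write-up), the Python below parses Apache combined-format access log lines and flags requests for script-handled extensions under the uploads directory. The log lines are constructed for the example, and the extension list is my assumption about which extensions the PHP handler would execute.

```python
"""Added example (not from the original write-up): flag requests that execute
a script from the uploads directory in an Apache combined access log."""
import re

# Constructed sample lines, not taken from the challenge machine.
SAMPLE_LOG = """\
10.10.14.3 - - [02/Dec/2020:10:01:12 +0000] "GET /uploads/holiday.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.3 - - [02/Dec/2020:10:02:45 +0000] "POST /upload.php?id=Your-ID HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.3 - - [02/Dec/2020:10:03:01 +0000] "GET /uploads/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.10.14.3 - - [02/Dec/2020:10:03:09 +0000] "GET /uploads/holiday.png.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [02/Dec/2020:10:05:33 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIR = "/uploads/"
# Assumed: extensions the server's PHP handler would execute.
SCRIPT_EXTS = {"php", "phtml", "phar"}


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def is_suspicious(entry: dict) -> bool:
    """True when the request targets a file under the uploads directory whose
    name carries a script extension anywhere after the first dot (so the
    double-extension case 'holiday.png.php' is caught as well)."""
    path = entry["path"].lower()
    if not path.startswith(UPLOAD_DIR):
        return False
    name = path.rsplit("/", 1)[-1]
    return any(ext in SCRIPT_EXTS for ext in name.split(".")[1:])


def find_suspicious_requests(log_text: str) -> list:
    """Parse every line and return the entries that look like script execution from uploads."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

A 200 response for such a path means the server handed the uploaded file to the script interpreter rather than serving it as an image; a simple allow-list of static extensions under /uploads/ in the web server configuration would have turned that request into a download or a 403.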
What is the flag in /var/www/flag.txt?
Answer: THM{MGU3Y2UyMGUwNjExYTY4NTAxOWJhMzhh}