- a web shell is a browser-based shell session we can use to interact with the underlying operating system of a web server
- to gain RCE via web shell, we must first find a website or web application vulnerability that can give us file upload capabilities
- most web shells are gained by uploading a payload written in a web language on the target server
- NOTE: relying on the web shell alone to interact with the system can be unstable and unreliable because some web applications are configured to delete file uploads after a certain period of time
- in many cases this is the initial way of gaining RCE via a web application, before any persistence is established; the web shell can then be used to upgrade to a more interactive reverse shell
- common web app languages: asp, aspx, jsp, php
- aspx (active server page extended): file type/extension written for Microsoft's .NET framework
- on a web server running the ASP.NET framework, web form pages can be generated for users to input data. On the server side, the information will be converted into HTML. We can take advantage of this by using an ASPX-based web shell to control the underlying Windows operating system
# PHP Web Shells
- Hypertext Preprocessor (PHP) is an open-source general-purpose scripting language typically used as part of a web stack that powers a website
- PHP is the most popular server-side programming language
- runs on ~79% of all websites
- Since PHP processes code & commands on the server-side, we can use pre-written payloads to gain a shell through the browser or initiate a reverse shell session with our attack box
- We will be using [WhiteWinterWolf's PHP Web Shell](https://github.com/WhiteWinterWolf/wwwolf-php-webshell)
- Download this or copy and paste the source code into a `.php` file
- Keep in mind that the file type is significant when uploading a file through a web form
- Our goal is to upload the PHP web shell via an upload button
- Attempting this may initially fail, since there may be a file type checker that, for example, only allows uploads of image file types (.png, .jpg, .gif, etc.)
- We can bypass this utilizing Burp Suite
- Start Burp and point the browser's HTTP proxy at 127.0.0.1:8080
- Either use Foxy Proxy extension or go into browser proxy settings
- initial attempt to upload wwwolf-webshell.php shows invalid file ![[images/Pasted image 20251002150833.png]]
- change content-type field from "application/x-php" to "image/gif" ![[images/Pasted image 20251002151508.png]]
- go back to the devices > vendors page, right-click a new vendor and open it in a new tab to launch the semi-interactive shell
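Why the Content-Type change above works, seen from the server side: an added example (not code from the page or from the WhiteWinterWolf project) contrasting an upload filter that trusts the client-supplied Content-Type header with one that validates the extension, the magic bytes and the body instead. The filenames and byte strings are constructed samples; the "shell" body is a harmless placeholder.

```python
import re
import secrets

# Constructed sample: a PHP upload whose Content-Type header was rewritten to
# "image/gif" in the proxy, as described above. The body is a placeholder.
SPOOFED_UPLOAD = {
    "filename": "wwwolf-webshell.php",
    "content_type": "image/gif",          # client-controlled, rewritten in Burp
    "data": b"<?php echo 'placeholder'; ?>",
}
# Constructed sample: a genuine GIF (magic bytes followed by padding).
REAL_GIF_UPLOAD = {
    "filename": "logo.gif",
    "content_type": "image/gif",
    "data": b"GIF89a" + b"\x00" * 16,
}

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script\b", re.IGNORECASE)


def weak_check(upload):
    """Vulnerable filter: trusts the client-supplied Content-Type header only."""
    return upload["content_type"].startswith("image/")


def hardened_check(upload):
    """Server-side validation that ignores the Content-Type header entirely."""
    parts = upload["filename"].lower().split(".")
    # Every extension segment must be allowed, so "shell.php.gif" is rejected:
    # some servers pick a handler from any extension in the name, not the last.
    if len(parts) < 2 or any(p not in ALLOWED_EXT for p in parts[1:]):
        return False
    data = upload["data"]
    # The body must start with the magic bytes of the claimed image type.
    if not any(data.startswith(m) for m in MAGIC[parts[-1]]):
        return False
    # A valid image header can still wrap embedded script (polyglot); refuse it.
    return SCRIPT_MARKERS.search(data) is None


def storage_name(upload):
    """Discard the user-supplied name; keep only the validated extension."""
    return secrets.token_hex(16) + "." + upload["filename"].rsplit(".", 1)[1].lower()
```

Storing the renamed file outside the web root (or serving it from a host that never executes scripts) removes the remaining risk even if a check is later bypassed.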
# Antak
- Antak is a web shell built in ASP.Net included within the [Nishang project](https://github.com/samratashok/nishang)
- Antak utilizes PowerShell to interact with the host, making it great for acquiring a web shell on a Windows server
- Antak web shell functions like a PowerShell console
- Nishang is an offensive PowerShell toolset that provides options for any portion of a pentest
```bash
sudo apt install -y nishang
# create a copy of the payload for local modification
cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx
```
- modify payload by entering user_name and password ![[images/Pasted image 20251002142049.png]]
- after uploading payload, the below login page is shown ![[images/Pasted image 20251002142702.png]]
- after entering the creds set in the payload, we are dropped into the Antak shell, where we can issue PowerShell commands in the lower field and click the submit button ![[images/Pasted image 20251002143558.png]]
```powershell
whoami  # shows the current user in PowerShell
[Security.Principal.WindowsIdentity]::GetCurrent()  # extended whoami info (identity, groups, token details)
```
# Laudanum
- a repository of ready-made files that can be injected onto a victim host to receive access back via a reverse shell, run commands on the victim host directly from the browser, and more
- the repo includes injectable files for many different web application languages, including asp, aspx, jsp, php, and more
- built into Kali and Parrot by default
- files found in `/usr/share/laudanum`
```bash
# create a copy of the payload for local modification
cp /usr/share/laudanum/aspx/shell.aspx ~/Documents/htb/demo.aspx
```
- modify the payload to add <kali_host_ip> to the `allowedIps` list
![[images/Pasted image 20251002110004.png]]