Black-Hat Bash scripting part 9

Emmanuel Wiseman
4 min read · Oct 21, 2024


Guess who’s back, back again… honestly it’s been a few hrs for me anyway, moving on to the next chapter, that is Chapter 6: Gaining a web shell.

They say a picture is worth a thousand words, but without context, if you aren’t following the book you will wonder what I am doing.

So just like the title says, this chapter is teaching me how to gain a web shell, and certain methods to do that using bash as the medium.

Bypassing file upload controls

  • A file upload feature can have a flaw like arbitrary file upload, where you can upload file types other than the ones the developers intended.

So a technique to bypass this can be accept attribute modification. Here developers specify which file extensions they want accepted, but it is only enforced client side and can be manipulated using browser developer tools.

Nothing happened, so another technique is file extension modification. Again with the naming sense of a Big Bang Theory episode, anyway.

always be careful when typing
Nothing but net

Malicious polyglot files

The authors have a good explanation, but it’s always better to do more research, such as jhaddix who has a great resource explanation on this: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a Yes, if you clicked the link it’s Vickie Li, another great hacker, on her take. I am not gonna try to find the video where jhaddix goes into detail, but it’s one of his on bug bounty methodology.

Uploading files with Burp Suite

Let me be honest, the authors weren’t specific on which Content-Type to edit: one gives you a status of 500 and the other gives you the above picture, so do the latter.
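To show what the three bypasses above are actually getting past, here is the server-side gate that defeats all of them, written as an added example (not code from the book or from the post). It assumes a policy of only .jpg/.jpeg/.png uploads with a single extension, checks the file’s own magic bytes instead of the browser’s accept attribute or the Content-Type header Burp lets you edit, and adds a tripwire for the polyglot case where a valid image header hides script text.

```shell
#!/bin/sh
# Added example (not from the book): a server-side upload gate that trusts
# nothing the browser sends. Assumed policy: only .jpg/.jpeg/.png, exactly one
# extension, magic bytes must match the extension, no script markers inside.
# Returns 0 to accept, 1 to reject, and says why on stdout.
check_upload() {
  path=$1
  name=$(basename -- "$path")

  # 1. Extension allowlist on the server, not the browser's accept attribute.
  #    Reject more than one dot so shell.php.jpg never reaches the later checks.
  case $name in
    *.*.*) echo "reject: multiple extensions ($name)"; return 1 ;;
    *.jpg|*.jpeg|*.png) ;;
    *) echo "reject: extension not allowed ($name)"; return 1 ;;
  esac

  # 2. Magic bytes read from the file itself; the client Content-Type is ignored.
  magic=$(head -c 8 "$path" | od -An -tx1 | tr -d ' \n')
  case $magic in
    ffd8ff*)
      case $name in *.jpg|*.jpeg) ;; *) echo "reject: JPEG bytes with .png name"; return 1 ;; esac ;;
    89504e470d0a1a0a)
      case $name in *.png) ;; *) echo "reject: PNG bytes with JPEG name"; return 1 ;; esac ;;
    *) echo "reject: unrecognised magic bytes ($magic)"; return 1 ;;
  esac

  # 3. Polyglot caveat: a real JPEG header can still carry script text behind it.
  #    This string scan is only a tripwire; the real fix is re-encoding the image
  #    and serving uploads from a directory where nothing executes.
  if grep -aqE '<\?(php|=)' -- "$path"; then
    echo "reject: script marker inside image ($name)"; return 1
  fi

  echo "accept: $name"
}

# usage: sh check_upload.sh /path/to/uploaded/file ...
if [ $# -gt 0 ]; then
  for f in "$@"; do check_upload "$f"; done
fi
```

The order matters: the cheap name check runs first, then the header check, then the content scan, so a renamed shell is rejected before its bytes are ever inspected, and a file that passes all three still lands somewhere it cannot execute.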

Staging web shells

There is more to popping a web shell, like IppSec likes to say in his videos; there are certain technical considerations such as:

Execution context - what is the target’s programming language and syntax? You can find different types of shells here: https://www.revshells.com/ and here: https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet Gotta love IppSec for teaching me this. Man makes me realize I have gotten better but still got lots to learn, and no, this is not imposter syndrome, just appreciation for the art that is hacking.

File path and location - figure out the file path you are going to use to attack your target, as file structure is prevalent here: who has access, yada yada yada. You could test for file traversal like this: opt/../…/../

Access controls and authorization - figure out who has what access to the web application; trying to exploit vulns related to user roles, privilege escalation and authentication can give you more chances at successful web shell staging.

Web application firewalls - if you are on the blue team, a tool like Wazuh can be used to detect suspicious attempts such as web shell access.
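For the blue-team side of that last point, here is the kind of check a log monitor runs to notice web shell staging, as an added example (not from the book, and not a Wazuh rule). It assumes uploads are served from /uploads/ and should never be script files, and runs over a few constructed access-log lines embedded in the script.

```shell
#!/bin/sh
# Added example (not from the book, not a Wazuh rule): a log check that spots
# web shell staging. Assumed web layout: user uploads live under /uploads/ and
# are never supposed to be scripts.

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG='10.0.0.5 - - [21/Oct/2024:10:00:01 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [21/Oct/2024:10:00:07 +0000] "POST /upload.php HTTP/1.1" 200 312
10.0.0.9 - - [21/Oct/2024:10:00:09 +0000] "GET /uploads/avatar.php?cmd=id HTTP/1.1" 200 87
10.0.0.9 - - [21/Oct/2024:10:00:11 +0000] "GET /uploads/avatar.php.jpg HTTP/1.1" 200 87
10.0.0.5 - - [21/Oct/2024:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 2048'

# Reads log lines on stdin, prints "<ip> <request> <reason>" for each hit.
# Two signals: a script extension anywhere in a file name under /uploads/
# (catches avatar.php and the double-extension avatar.php.jpg), and a
# command-style query parameter on any request.
flag_webshell_hits() {
  awk '{
    req = $7                                  # request path incl. query string
    path = req; sub(/\?.*/, "", path)         # strip the query string
    qs = ""; if (index(req, "?")) qs = substr(req, index(req, "?") + 1)
    reason = ""
    if (path ~ /^\/uploads\/.*\.(php[0-9]?|phtml|phar|jsp|asp|aspx|cgi)(\.|$)/)
      reason = "script under upload dir"
    if (qs ~ /(^|&)(cmd|exec|command|c)=/)
      reason = reason (reason ? "; " : "") "command parameter"
    if (reason != "") printf "%s %s %s\n", $1, req, reason
  }'
}

# Number of flagged requests in the constructed sample (2 of the 5 lines).
count_sample_hits() {
  printf '%s\n' "$SAMPLE_LOG" | flag_webshell_hits | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_webshell_hits
```

The upload itself (the POST to /upload.php) is not flagged, because legitimate users do that too; the alert comes from what happens next, a script being fetched out of the upload directory, which is the moment a shell is staged. Pipe a real access log into flag_webshell_hits to run it on live data.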

Finding Directory Traversal Vulns

Directory traversal vulns allow crackers to access files that should not be accessible, e.g. ../../../etc/passwd. The dots have to do with directories: a single dot is the current directory, two dots is the parent directory, and the more ../ you use the higher up the filesystem you go. It’s like a game of Snakes and Ladders.
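The dot rules above written out as code, as an added example that is not from the book or the post: a pure string normaliser that pops one segment per .., and a resolver that pins whatever the client asked for underneath an assumed web root, so the ../ ladder runs out at the root instead of climbing into /etc. It goes a little beyond the text by also decoding the %2e/%2f/%5c and backslash spellings of the same thing before normalising, which is the form real requests often arrive in.

```shell
#!/bin/sh
# Added example (not from the book): how "." and ".." resolve, and how a server
# keeps a client-supplied path under its web root. Pure string handling, so it
# never touches the filesystem. Assumed: root is absolute with no trailing slash.

# Collapse "." and ".." segment by segment. Every ".." pops one segment; once the
# output is empty there is nothing left to pop, so extra ../ are harmless.
normalize_path() {
  out=''
  rest=$1
  while [ -n "$rest" ]; do
    seg=${rest%%/*}                      # text before the first slash
    if [ "$seg" = "$rest" ]; then rest=''; else rest=${rest#*/}; fi
    case $seg in
      ''|.)  ;;                          # "//" or "./": nothing to do
      ..)    out=${out%/*} ;;            # pop the last segment, if any
      *)     out="$out/$seg" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
}

# Undo the common spellings of "." and "/" (%2e, %2f, %5c, backslash) so the
# normaliser sees the same thing the OS would.
decode_path() {
  printf '%s' "$1" | sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' \
                         -e 's/%5[cC]/\//g' -e 's/\\/\//g'
}

# Decode, normalise as if "/" were the root, then glue the result under the real
# root. Because ".." can never go above "/" in normalize_path, the answer is
# always inside $root.
resolve_under_root() {
  root=$1
  clean=$(normalize_path "$(decode_path "$2")")
  printf '%s\n' "$root$clean"
}

# Detection hook for the access log: after decoding, did the request contain a
# ".." segment at all? Returns 0 if so.
traversal_attempt() {
  decode_path "$1" | grep -qE '(^|/)\.\.(/|$)'
}

# usage: sh traversal.sh /var/www/html 'images/../../etc/passwd'
if [ $# -eq 2 ]; then
  resolve_under_root "$1" "$2"
  if traversal_attempt "$2"; then echo "traversal attempt detected in: $2"; fi
fi
```

Run with a root and a request path and it prints where the request really lands; a request full of ../ still resolves to a file under the web root, which is exactly the behaviour a vulnerable server lacks when it concatenates the raw string instead.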

This took a while to parse, all because of a full stop hahaha (pain) :)

Exercise 8: Building a web shell interface

Limitations of web shells

Lack of persistence - it all depends on how long the web server stays accessible; if a sysadmin is actually doing their job, then the shell’s persistence and effectiveness are gone.

Lack of real-time responses - you have to be careful what you type into the shell, otherwise it can hang.

Limited functionality - no error messages, so you can’t really know what’s wrong.

Well, that’s all for now,

may you always be in a state of flow.
