Hello hackers, if you’ve made it this far, it means you now have all the basic knowledge required about GNU/Linux systems to carry out any job in cybersecurity. However, we all know that basics and theory aren’t always enough, which is why this exercise exists. A month has already passed between the day the assignment was given and the day I’m writing this post. I hope you’ve had enough time to put into practice everything we covered throughout the course.
As you’ll see in this solution, we’re not applying any knowledge that hasn’t been previously covered in the course. It’s just about gaining practice and fluency. Keep going — anything is possible with a bit of time and effort.
As you may recall, during the last class we were assigned a PHP-based web application vulnerable to RCE through the cmd parameter (for the purposes of this lab, we’ll skip the parameter fuzzing part needed to discover the vulnerability). Additionally, you were provided with the source code, making it 100% possible to deploy the application on your own machine. Thanks to the Makefile, deployment is simple and replicable.
According to the instructions, the goal was to make the webshell (via the cmd parameter) simulate a pseudo TTY without actually being one (since the assignment runs in Bash, achieving a fully functional TTY or pseudo TTY would be overly complex). Since we are not working within a real TTY environment, our aim is simply to give ourselves, as users of the tool, the feeling of having a pseudo TTY, allowing for a more comfortable interaction than what the webpage alone could offer.
First we must deploy the lab, which is easy once you understand its structure:
❯ tree rev_shell
rev_shell
├── index.php
├── makefile
└── shell.php
1 directory, 3 files
There are three files in total. The index.php file is our main goal for this lab. The Makefile simplifies the deployment process, allowing you to set up the environment quickly and consistently. Lastly, there’s the shell.php file, which is quite similar to index.php, but without any HTML or CSS: it’s a clean and minimal web shell. This one is provided as a starting point for practice, in case index.php feels too overwhelming at first.
You’ll notice that I’m not deploying on port 8080 like your lab does; that’s just because I already have that port in use by Burp. Feel free to change the port as needed without any issues.