Introduction
We covered how to bypass disabled functions in PHP and how to evade upload filters in this TryHackMe machine.
The Challenge: Disabled Functions and Upload Filters
First, let’s talk about the problem. On many web servers, PHP functions that can execute system commands (like `system`, `shell_exec`, etc.) are disabled. This is a good security practice, but for a penetration tester, it’s a hurdle to overcome. The goal here is to find a way around these disabled functions.
To do this, I’ll be using a nifty tool called Chankro. Chankro is designed specifically to bypass these kinds of restrictions. It works by creating a special PHP file that, when uploaded and executed, uses some clever tricks with environment variables (`putenv`) and `LD_PRELOAD` to load a library and give me a reverse shell.
Getting a Foothold
My first step is always reconnaissance. I run an Nmap scan to see what’s running on the target machine and find an Apache web server. I also fire up Burp Suite to intercept the web traffic.
The website has a job application feature with a CV upload form. This is my way in! However, the server is picky and will only accept image files. When I try to upload a standard PHP reverse shell, it tells me to upload a “real image.”
To get around this, I use a classic trick: I modify the magic number of my PHP shell file. A magic number is a sequence of bytes at the beginning of a file that identifies the file type. I simply add the magic number for a GIF image (`GIF87a`) to the very beginning of my PHP code in Burp Suite. The server is fooled, and my file is uploaded!
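The upload filter above only looks at the first few bytes, which is exactly why a `GIF87a` prefix is enough. The following is an added example (not code from the write-up or the TryHackMe machine) contrasting that magic-number-only check with a hardened one that also whitelists the extension, requires the magic number to match it, and rejects any body carrying a PHP open tag; the sample "images" are constructed byte strings, not real files.

```python
import re

# Magic numbers of the image formats the CV upload form is meant to accept.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
ALLOWED_EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
# Full PHP open tags only; a bare "<?" is not matched because those two bytes can
# legitimately occur inside compressed image data.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def detect_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def magic_only_check(filename: str, data: bytes) -> bool:
    """The weak filter from the write-up: any body starting with an image header passes."""
    return detect_image_type(data) is not None


def hardened_check(filename: str, data: bytes):
    """Whitelist the extension, require a matching magic number, and refuse any
    body that carries a PHP open tag. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    kind = detect_image_type(data)
    if kind is None:
        return False, "no image magic number"
    if kind != ALLOWED_EXTENSIONS[ext]:
        return False, "magic number does not match extension"
    if PHP_OPEN_TAG.search(data):
        return False, "php open tag in body"
    return True, "ok"


# Constructed samples (not real images): a GIF-like header plus filler, and the
# polyglot shape from the write-up, a GIF87a prefix glued onto PHP code.
SAMPLE_GIF = b"GIF87a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
SAMPLE_POLYGLOT = b"GIF87a<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for name, body in (("cv.gif", SAMPLE_GIF), ("shell.php", SAMPLE_POLYGLOT), ("cv.gif", SAMPLE_POLYGLOT)):
        print(name, "magic-only:", magic_only_check(name, body), "hardened:", hardened_check(name, body))
```

Even the hardened check is only a first layer: the upload directory should additionally be served without the PHP handler so that a file which slips through is never executed.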
Now I have to find where my file went. I use Gobuster to brute-force directories on the web server and quickly discover an `/uploads` directory.
Bypassing the Disabled Functions
I set up a Netcat listener on my machine and try to execute my uploaded shell by visiting its URL. As expected, nothing happens. This confirms that the dangerous PHP functions are disabled.
To be absolutely sure, I use a tool called ffuf to look for common PHP configuration files. I find a `phpinfo.php` file, which is a goldmine of information. It lists all the disabled functions, confirming my suspicions, and also tells me the exact document root of the web server, which is `/var/www/html`.
Now it’s time to bring in Chankro.
- I clone the Chankro repository from GitHub.
- I create a simple Netcat reverse shell script.
- I use the Chankro Python script to generate my final payload. I tell it the target architecture (64-bit), give it my reverse shell script, name the output file, and provide the document root I found earlier.
- Chankro spits out a new PHP file, `config_v1.php`. I upload this file to the server, again using the GIF magic number trick to bypass the filter.
Victory!
With my Chankro payload uploaded, I start my Netcat listener one last time. I navigate to the uploaded `config_v1.php` file in the `/uploads` directory, and this time… I get a shell! 🐚
I’m now in control of the server. I navigate to the user’s home directory, and there it is: the flag.
Technical Commands
Here’s a list of the commands I used in my terminal during this engagement:
- Nmap scan:

```bash
nmap -sC -sV <target_ip>
```

- Gobuster for directory brute-forcing:

```bash
gobuster dir -u http://<target_ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

- Netcat listener:

```bash
nc -lvnp 4545
```

- ffuf for file fuzzing:

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://<target_ip>/FUZZ -e .php
```

- Cloning the Chankro repository:

```bash
git clone https://github.com/TarlogicSecurity/Chankro.git
```

- Creating the reverse shell file:

```bash
nano rev.sh
```

- Executing Chankro to generate the payload:

```bash
python chankro.py --arch 64 --input rev.sh --output config_v1.php --path /var/www/html
```

- And some basic navigation:

```bash
ls
cd <directory_name>
id
```