
Want to run this Docker container locally?
docker run -d -p 9000:80 --restart always --name flag-b joshbeck2024/ctf-simple-rev-shell
IP: 172.25.200.200
Port: 9000
If you aren’t familiar with the concept of a Reverse Shell, this is the place to start.
First, an nmap scan of the IP address 172.25.200.200 on port 9000 shows that this is most likely a Linux machine running a web server (Apache).
nmap -sC -sV 172.25.200.200 -p 9000

If we connect to it using a web browser, we’ll see the following webpage:

When you upload a file, you’ll see that it uploads to:
<http://172.25.200.200:9000/uploads/>
- This is a restricted endpoint. When you upload something, remember the file name!
The idea here is that the web server isn’t checking what type of file we are uploading.
- The webpage tells us to upload a .gif file, but we can also upload PHP code ending in .php.
- If we can place a .php page on the web server, once we click on it, the code will execute.
- We’ll want to upload a ‘reverse shell’ that calls back to our Kali Linux machine and gives us command-line access.
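The missing check described above, seen from the server side: a sketch of an upload handler that accepts only GIF files. This is an added example, not the challenge's own code; the form field name `file`, the size limit and the `STORE_DIR` path are assumptions.

```php
<?php
// Added example, not the challenge's code. The field name "file" and
// STORE_DIR are assumptions made for illustration.
const MAX_BYTES = 2097152;                  // 2 MiB limit (assumed)
const STORE_DIR = '/var/www/upload-store';  // assumed path outside the web root

// Returns a server-chosen file name for a valid GIF, or throws.
function validate_gif_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    if ($f['size'] < 6 || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('size out of range');
    }
    // Extension allowlist: this is the check the vulnerable page lacks.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if ($ext !== 'gif') {
        throw new RuntimeException('only .gif is accepted');
    }
    // Content check: a GIF starts with one of two 6-byte signatures.
    $head = file_get_contents($f['tmp_name'], false, null, 0, 6);
    if ($head !== 'GIF87a' && $head !== 'GIF89a') {
        throw new RuntimeException('not a GIF');
    }
    // Never reuse the client's name: it can carry extra extensions or
    // path components. The stored name always ends in .gif.
    return bin2hex(random_bytes(16)) . '.gif';
}

if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    try {
        $name = validate_gif_upload($_FILES['file']);
        if (!move_uploaded_file($_FILES['file']['tmp_name'], STORE_DIR . '/' . $name)) {
            throw new RuntimeException('could not store file');
        }
        echo 'stored as ' . $name;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

A signature check can be satisfied by a file that is not only a GIF, so the forced .gif name and a storage directory where the web server does not execute PHP are what keep uploaded content from running.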
Start by identifying the IP address of our Kali Linux machine. (It should be in ‘bridged’ networking mode.)