Beyond
This is the beyond page that an additional post enumeration and assessment are conducted as SYSTEM after compromising the target system by uploading a ASPX webshell and site.master file
Firewall
c:\windows\system32\inetsrv> netsh firewall show config
netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow port 5985
450 TCP Enable Inbound Allow port 450
445 TCP Enable Inbound Allow port 445
139 TCP Enable Inbound Allow port 139
135 TCP Enable Inbound Allow port 135
25 TCP Enable Inbound Allow port 25
21 TCP Enable Inbound Allow port 21
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow port 5985
450 TCP Enable Inbound Allow port 450
445 TCP Enable Inbound Allow port 445
139 TCP Enable Inbound Allow port 139
135 TCP Enable Inbound Allow port 135
25 TCP Enable Inbound Allow port 25
21 TCP Enable Inbound Allow port 21
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .Firewall is enabled
This explains why attempting to upload and execute payload via port 80, 443, 1234, and 9999 failed
Explicitly allowed for those listed ports
Web
C:\inetpub\wwwroot> dir
dir
Volume in drive C has no label.
Volume Serial Number is D4C7-EAE0
Directory of C:\inetpub\wwwroot
02/26/2025 03:51 PM <DIR> .
02/26/2025 03:51 PM <DIR> ..
05/18/2020 09:37 AM 950 default.aspx
05/18/2020 09:37 AM 2,409 default.cs
05/20/2020 05:37 AM <DIR> dev
05/18/2020 09:37 AM 2,376 favicon.png
05/18/2020 09:37 AM 214 logout.aspx
05/18/2020 09:37 AM 400 logout.cs
05/20/2020 05:37 AM 909 repo.aspx
05/18/2020 09:37 AM 1,333 repo.cs
02/26/2025 03:51 PM 7,168 shell.exe
02/26/2025 03:51 PM 1,720 site.master
05/18/2020 09:37 AM 262 site.master.cs
05/20/2020 05:37 AM 1,191 style.css
09/24/2020 04:52 AM 423 web.config
12 File(s) 19,355 bytes
3 Dir(s) 33,619,218,432 bytes freeWebroot directory
web.config
C:\inetpub\wwwroot> type web.config
type web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
<connectionStrings>
<add name="myConnectionString" connectionString="server=localhost\SQLEXPRESS;database=butch;uid=butch;password=CaskLawgiverConstant486;Trusted_Connection=False;MultipleActiveResultSets=true; Integrated Security=False" />
</connectionStrings>
</configuration>site.master.cs
C:\inetpub\wwwroot> type site.master.cs
type site.master.cs
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace MyNamespaceMaster {
public class MyClassMaster : MasterPage {
protected void Page_Load(object sender, EventArgs e) {
}
}
}repo.aspx
C:\inetpub\wwwroot> type repo.aspx
type repo.aspx
<%@ Language="C#" MasterPageFile="site.master" src="repo.cs" Inherits="MyNamespaceRepo.MyClassRepo" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
<a href="logout.aspx" class="link"><input type="button" id="logout" class="button" value="Logout"></a>
<form id="MyForm" runat="server">
<h1>Welcome to Butch's Ultimate File Repository!</h1>
<h2><i>Drop your files here for safekeeping...</i></h2>
<br /><br />
<table class="center">
<tr>
<td><asp:FileUpload id="File1" runat="server" /></td>
</tr>
<tr>
<td><asp:button id="UploadButton" class="button" text="Upload" Onclick="Upload" runat="server"></asp:button></td>
</tr>
<tr>
<td><asp:label id="MyError" CssClass="error" runat="server" /></td>
</tr>
<tr>
<td><asp:label id="MyLabel" runat="server" /></td>
</tr>
</table>
</form>
</asp:Content>repo.cs
C:\inetpub\wwwroot> type repo.cs
type repo.cs
using System;
using System.Text;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections;
using System.Configuration;
using System.Collections.Specialized;
namespace MyNamespaceRepo {
public class MyClassRepo : Page {
protected System.Web.UI.WebControls.FileUpload File1;
protected System.Web.UI.WebControls.Button UploadButton;
protected System.Web.UI.WebControls.Label MyLabel;
protected System.Web.UI.WebControls.Label MyError;
protected void Page_Load(object sender, EventArgs e) {
if (Session["username"] == null) {
HttpContext.Current.Response.Redirect("/");
}
}
protected void Upload(Object sender, EventArgs e) {
MyError.Text = "";
MyLabel.Text = "";
if (Session["username"] == null) {
HttpContext.Current.Response.Redirect("/");
}
else if (File1.PostedFile != null && File1.PostedFile.ContentLength > 0) {
string ext = System.IO.Path.GetExtension(File1.PostedFile.FileName).Replace(".", "").ToLower();
if (ext == "asp" || ext == "aspx") {
MyError.Text = "ERROR: Invalid file format...";
}
else {
File1.PostedFile.SaveAs("C:\\inetpub\\wwwroot\\" + File1.PostedFile.FileName);
MyLabel.Text = "File uploaded successfully!";
}
}
}
}
}default.aspx
C:\inetpub\wwwroot> type default.aspx
type default.aspx
<%@ Language="C#" MasterPageFile="site.master" src="default.cs" Inherits="MyNamespaceMain.MyClassMain" %>
<asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
<form id="MyForm" runat="server">
<table class="center">
<tr>
<td><b>Enter Name:</b></td>
<td><asp:textbox id="UsernameTextBox" placeholder="admin" runat="server"></asp:textbox></td>
</tr>
<tr>
<td><b>Enter Passkey:</b></td>
<td><asp:textbox id="PasswordTextBox" TextMode="Password" placeholder="butch" runat="server"></asp:textbox></td>
</tr>
<tr>
<td colspan=2 style="padding-top: 20px;"><center><asp:button id="LoginButton" class="button" text="Enter" Onclick="Login" runat="server"></asp:button></center></td>
</tr>
<tr>
<td colspan=2 style="padding-top: 20px;"><center><asp:label id="MyLabel" CssClass="error" runat="server" /></center></td>
</tr>
</table>
</form>
</asp:Content>default.cs
C:\inetpub\wwwroot> type default.cs
type default.cs
using System;
using System.Text;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections;
using System.Security.Cryptography;
using System.Configuration;
using System.Collections.Specialized;
using System.Data.SqlClient;
namespace MyNamespaceMain {
public class MyClassMain : Page {
protected System.Web.UI.WebControls.TextBox UsernameTextBox;
protected System.Web.UI.WebControls.TextBox PasswordTextBox;
protected System.Web.UI.WebControls.Button LoginButton;
protected System.Web.UI.WebControls.Label MyLabel;
protected void Page_Load(object sender, EventArgs e) {
if (Session["username"] != null) {
HttpContext.Current.Response.Redirect("/repo.aspx");
}
}
protected void Login(Object sender, EventArgs e) {
string dbUsername = "";
string dbPassword = "";
bool isAuthentic = false;
SqlConnection myConnection = new SqlConnection();
myConnection.ConnectionString = ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString;
try {
using (var sqlWrite = new SqlCommand("SELECT username, password_hash FROM users WHERE username = '" + UsernameTextBox.Text.ToString() + "';", myConnection)) {
myConnection.Open();
SqlDataReader myReader = null;
myReader = sqlWrite.ExecuteReader();
if (myReader.HasRows) {
while (myReader.Read()) {
dbUsername = myReader["username"].ToString();
dbPassword = myReader["password_hash"].ToString();
}
}
myConnection.Close();
string passwordHash = "";
using (SHA256 sha256Hash = SHA256.Create()) {
byte[] bytes = sha256Hash.ComputeHash(Encoding.UTF8.GetBytes(PasswordTextBox.Text.ToString()));
StringBuilder builder = new StringBuilder();
for (int i = 0; i < bytes.Length; i++) {
builder.Append(bytes[i].ToString("x2"));
}
passwordHash = builder.ToString();
}
if (UsernameTextBox.Text.ToString() == dbUsername && passwordHash == dbPassword) {
isAuthentic = true;
}
}
if (!isAuthentic) {
MyLabel.Text = "Invalid username or passkey...";
}
else {
Session["username"] = dbUsername;
HttpContext.Current.Response.Redirect("/repo.aspx");
}
}
catch (Exception ex) {
MyLabel.Text = ex.ToString();
}
}
}
}