Arbitrary File Upload


Validating the cracked password of the butch user revealed an endpoint, repo.aspx, that supports file upload. Uploaded files are accessible from the web root directory, so a file that is both accepted by the upload and executed by IIS gives code execution. This appears to be the entry point for the initial foothold.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .

Attempting to upload an ASPX webshell fails because the upload feature applies an extension filter.

Extension Filter Bypass


Various techniques are attempted to bypass the extension filter on the file upload feature of the repo.aspx endpoint. Each one is judged on two points: whether the filter accepts the file, and whether IIS then executes it as ASPX rather than serving it as a static file.

Case Sensitivity


Negative on case sensitivity: mixed-case variants of .aspx are still rejected.

Content-Type Manipulation


Negative on Content-Type manipulation: the filter checks the filename extension, not the declared MIME type.

Double Extension


False positive on the double-extension technique: the upload is accepted, but the server handles the file according to its last extension, .png, so it is served as an image rather than executed as ASPX.

Null-byte Injection


False positive on the null-byte injection technique: the filter is bypassed, but the file is not executed as ASPX.

Alternative Extensions


False positive on the alternative-extensions technique: the upload is accepted, but none of the alternative extensions is executed as ASPX.

.config


However, the .config extension behaves differently: the upload passes the filter, and requesting the uploaded file returns the IIS 404 page rather than the file itself (IIS request filtering refuses to serve .config files by default). Since the filter does not block .config, RCE via overwriting the web.config file might be possible.

Trailing Characters


Both the trailing-whitespace and trailing-dot techniques work. The filter sees an extension of ".aspx " or ".aspx." and lets the file through, but the Windows file API strips trailing spaces and dots when the file is created, so it lands in the web root as cmdasp.aspx and is executed by the ASP.NET handler. The webshell is uploaded successfully.

The current process is running as SYSTEM, which is a system-level compromise.