Limited shell

<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 16, 2013 9:45 am

Limited shell

Ok, here's another problem I have had for way too long now and I want to fix.

Here's the scenario: I have got a limited shell on a server in a lab through a web application vulnerability.

By "limited shell", I mean:
- The shell doesn't give me any output on the screen and I cannot output results of commands in a file
- I can change directory and list files (using a second ASP shell), but that's about it.
- I am able to ftp files/modify files into the web root directory (for example, I have uploaded nc.exe in C:\inetpub\wwwroot)

So for example:
C:\Windows\system32>cd ../..    (works)
C:\>cd inetpub\wwwroot    (works)
C:\inetpub\wwwroot> dir    (doesn't display anything)
C:\inetpub\wwwroot> dir > files.txt    (doesn't create a file)
C:\inetpub\wwwroot> nc.exe -lvp 4444    (doesn't work)
C:\inetpub\wwwroot> nc.exe -v 192.168.1.20 4444    (doesn't work either)

I have tried 5 or 6 different ASP shells, but couldn't get much more out of it.

So what approach should I take at this point? Write my own ASP shell code? Focus on trying to get a full shell (for example, using netcat somehow)? Maybe priv escalation (I don't think so at this point, but I could be wrong)

I really just need a direction so I can continue working on a solution...

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed Jan 16, 2013 9:56 am

Re: Limited shell

The link below is Linux specific, but there's quite a bit that could be adapted to Windows.

http://pen-testing.sans.org/blog/pen-testing/2012/06/06/escaping-restricted-linux-shells

Also, maybe something in there will click for you and give you some further avenues to explore.

Good luck!
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Jan 16, 2013 10:26 am

Re: Limited shell

H1t M0nk3y wrote:

Ok, here's another problem I have had for way too long now and I want to fix.

Here's the scenario: I have got a limited shell on a server in a lab through a web application vulnerability.

By "limited shell", I mean:
- The shell doesn't give me any output on the screen and I cannot output results of commands in a file
- I can change directory and list files (using a second ASP shell), but that's about it.
- I am able to ftp files/modify files into the web root directory (for example, I have uploaded nc.exe in C:\inetpub\wwwroot)

So for example:
C:\Windows\system32>cd ../..     (works)
C:\>cd inetpub\wwwroot    (works)
C:\inetpub\wwwroot> dir    (doesn't display anything)
C:\inetpub\wwwroot> dir > files.txt    (doesn't create a file)
C:\inetpub\wwwroot> nc.exe -lvp 4444    (doesn't work)
C:\inetpub\wwwroot> nc.exe -v 192.168.1.20 4444    (doesn't work either)

I have tried 5 or 6 different ASP shells, but couldn't get much more out of it.

So what approach should I take at this point? Write my own ASP shell code? Focus on trying to get a full shell (for example, using netcat somehow)? Maybe priv escalation (I don't think so at this point, but I could be wrong)

I really just need a direction so I can continue working on a solution...

Thanks




Are you able to run "net" commands for "net user" etc?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 16, 2013 10:31 am

Re: Limited shell

Thanks ziggy_567, I will be reading this tonight!!


Are you able to run "net" commands for "net user" etc?

No, it doesn't work either...

The IIS server is run with a pretty limited user...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jan 16, 2013 11:20 am

Re: Limited shell

What shells are you trying to use? What OS and version of IIS are you using?

I've encountered instances where I can blindly execute commands, but I can't think of a time where I was using a web shell and wasn't able to receive output for non-privileged commands.

Here's another collection of shells you might want to try: http://laudanum.inguardians.com/ I'm pretty sure there is at least one ASP-based shell in there.
The day you stop learning is the day you start becoming obsolete.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 16, 2013 12:57 pm

Re: Limited shell

What shells are you trying to use? What OS and version of IIS are you using?

Microsoft Windows 2000 SP4
Microsoft IIS httpd 5.1
Using ASPshell and zephir4 (tried 3 or 4 others that I don't remember)

But I am not really looking for help to debug this problem. I am more looking at a methodology or links with tricks I could try.

I have already tried something like 25 different tricks (not all listed here, obviously), but I would like to learn a few other ones.

I might write my own ASP shell code tonight or modify an existing one...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jan 16, 2013 11:34 pm

Re: Limited shell

Methodology-wise, I'd skip the fancy shells and just see if a basic script works. Something like executing the value of a GET variable called cmd and output it to the screen. The web service account should at least be able to output a directory listing. If not, there may be something else quirky going on.
The day you stop learning is the day you start becoming obsolete.
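
Added example, not part of the original thread: a script that runs the value of a GET variable leaves every command in the web server's access log, so the pattern described in the post above can be hunted for on the server side. The sketch below parses W3C extended log lines and flags script requests whose query string carries a command-like parameter; the sample log, the page names, the parameter watch list and the command list are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample in W3C extended log format (the format IIS writes); not from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-01-16 14:45:02 192.168.1.20 GET /default.asp - 200
2013-01-16 14:46:10 192.168.1.20 GET /s.asp cmd=dir+C%3A%5Cinetpub%5Cwwwroot 200
2013-01-16 14:46:31 192.168.1.20 GET /s.asp cmd=nc.exe+-v+192.168.1.20+4444 200
2013-01-16 14:47:05 192.168.1.20 GET /s.asp x=whoami 200
2013-01-16 14:50:00 192.168.1.33 GET /search.asp q=netcat+tutorial 200
"""

SCRIPT_EXT = (".asp", ".aspx")
PARAM_NAMES = {"cmd", "command", "exec"}   # assumed watch list, tune per site
COMMAND_RE = re.compile(                    # value begins with a Windows command name
    r"^\s*(?:cmd(?:\.exe)?|dir|net1?|nc(?:\.exe)?|whoami|ipconfig|type)\b", re.I)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):      # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_requests(text):
    """Return (client, page, parameter, decoded value, reasons) for flagged requests."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().endswith(SCRIPT_EXT) or query == "-":
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = []
            if name.lower() in PARAM_NAMES:
                reasons.append("param-name")
            if COMMAND_RE.search(value):
                reasons.append("command-value")
            if reasons:
                hits.append((rec.get("c-ip", "?"), stem, name, value, reasons))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded value as well as the parameter name catches scripts that rename the variable, while the word-boundary check keeps ordinary searches such as `q=netcat tutorial` from being flagged.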
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Jan 17, 2013 10:20 am

Re: Limited shell

Also, remember that you can use msfpayload/msfencode or msfvenom to create asp files that contain Meterpreter, reverse shells, etc.
The day you stop learning is the day you start becoming obsolete.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 17, 2013 11:16 am

Re: Limited shell

I didn't know that.
I will play with this later today.

Thanks ajohnson
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Jan 17, 2013 11:33 am

Re: Limited shell

This tutorial uses WebDAV as the delivery mechanism, but shows how to create the asp file, which works regardless of how you get it up to the web server: http://carnal0wnage.attackresearch.com/ ... ebdav.html
The day you stop learning is the day you start becoming obsolete.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 17, 2013 1:12 pm

Re: Limited shell

I appreciate it ajohnson. Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jan 18, 2013 12:09 pm

Re: Limited shell

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
