Laudanum ASP Shell
Previously, I wrote a post providing a brief introduction to Laudanum. If you haven’t read it, or don’t know what Laudanum is, I encourage you to read that post first (don’t worry, it is fairly short). In this post, I am going to take a look at how Laudanum can be used. Specifically, I am going to upload a shell command file and then start running shell commands against the target server.

Target

The first step in using Laudanum is to have a target server to deploy to. When doing a legal penetration test or security assessment, you may be given a list of servers that are in scope. If not, make sure that you have identified a server that is in scope for your contract. Please do not do this on systems that you do not own and have permission for, as it would be illegal and you may get in a lot of trouble (don’t say I didn’t warn you). In this example, I have identified an Ubuntu server that is running a Java-based web server. Since the server allows running JSP pages, I will choose to use the JSP files included with Laudanum. At this time, there is only a cmd.jsp file in the JSP folder. This file allows running commands against the target server.

Deployment

In order to deploy the cmd.jsp file to the server, I have to identify a vulnerability that allows uploading a file. In this case, I have identified that the server is running Tomcat. This would not normally be a vulnerability, but... it just so happens that when I installed Tomcat I used easily guessable credentials that I can use to access the management interface. By default, the Tomcat installer did not have any users with the permissions to access the manager interface. I had to purposely make this vulnerable. I know that may sound unlikely, but trust me, it is not. Tools like Nessus are great at identifying these default/weak credentials too. Let's assume I used Nessus to find this vulnerability (even though I built this machine just for the purpose of this post).
The Tomcat manager UI has a cool little feature that allows deploying .war files to the server. The following image shows where Tomcat allows deploying local files to the server.
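The weak point described above is a manager-role account with a guessable password, which is exactly what turns the Manager's WAR deployment feature into a file-upload path. The following is an added example (not code from Laudanum or from this post) that audits a Tomcat tomcat-users.xml for accounts holding manager roles with weak plaintext passwords. The sample XML and the list of weak passwords are constructed for the demonstration; the role names are Tomcat's documented Manager/Host Manager roles.

```python
"""Audit a Tomcat tomcat-users.xml for manager-role accounts with weak passwords.

Added example for illustration; not part of Laudanum or Tomcat.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager or Host Manager web applications.
MANAGER_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed list of trivially guessable passwords used by this demonstration.
WEAK_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager", "123456"}

# Constructed sample file. Newer Tomcat releases put tomcat-users in an XML
# namespace, so the parser must match on the local tag name.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xq7!vLm2#pR9wZt4" roles="manager-script"/>
  <user username="reader" password="reader" roles="manager-status"/>
  <user username="bob" password="bob" roles="nothing"/>
</tomcat-users>
"""


def local_name(tag):
    """Strip an XML namespace prefix like '{http://...}user' down to 'user'."""
    return tag.rsplit("}", 1)[-1]


def parse_users(xml_text):
    """Return a list of {username, password, roles} dicts from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        if local_name(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        users.append({
            "username": el.get("username", ""),
            "password": el.get("password", ""),
            "roles": roles,
        })
    return users


def is_weak(username, password):
    """Heuristic check for guessable plaintext passwords.

    Flags empty passwords, passwords equal to the username, entries in the
    constructed weak list, and anything shorter than 12 characters.
    """
    if not password:
        return True
    if password.lower() == username.lower():
        return True
    if password.lower() in WEAK_PASSWORDS:
        return True
    return len(password) < 12


def audit(xml_text):
    """Return (username, sorted manager roles) for each weak manager account."""
    findings = []
    for user in parse_users(xml_text):
        manager_roles = user["roles"] & MANAGER_ROLES
        if not manager_roles:
            continue  # no Manager access, so the password is out of scope here
        if is_weak(user["username"], user["password"]):
            findings.append((user["username"], sorted(manager_roles)))
    return findings


if __name__ == "__main__":
    for username, roles in audit(SAMPLE_TOMCAT_USERS):
        print(f"weak manager account: {username} roles={','.join(roles)}")
```

Running it against the constructed sample reports `tomcat` and `reader`; the `deploy` account passes the heuristics and `bob` is ignored because none of its roles grant Manager access. The check only evaluates plaintext passwords, which is what a freshly installed tomcat-users.xml uses; if the file stores digested credentials via a CredentialHandler, the length and wordlist heuristics do not apply and a different approach is needed.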