> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/shells-and-payloads/web-shells/laudanum.md).

# Laudanum

```bash
# Add the target to your hosts file
echo "<target_ip> status.inlanefreight.local" | sudo tee -a /etc/hosts
```

```bash
# 1. Copy the template to your working directory (Never edit the original)
cp /usr/share/laudanum/aspx/shell.aspx ~/demo.aspx

# 2. Modify the file using your preferred terminal editor (nano/vim)
nano ~/demo.aspx
```

#### 1. What is Laudanum?

* Concept: A repository of ready-made, injectable web shells.
* Supported Languages: `asp`, `aspx`, `jsp`, `php`, etc.
* Capabilities: Reverse shells, browser-based command execution, and local file interaction.

#### 2. Setup & Weaponization

You cannot just upload these files blindly; they require modification to work and to avoid easy detection.

| **Step**        | **Action**                                                          | **Why it Matters**                                                                                        |
| --------------- | ------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| 1. Acquire      | Clone from GitHub (or check `/usr/share/laudanum` if on Pwnbox).    | You need a local copy to modify.                                                                          |
| 2. Copy         | `cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx`     | Never edit the original template. Always work on a copy.                                                  |
| 3. Configure IP | Edit the file and update the `allowedIps` variable (e.g., line 59). | Security feature: The shell will only accept commands from your specified attacker IP.                    |
| 4. Evade AV     | Strip out ASCII art and extensive comments.                         | Defenders and basic Antivirus often use these static strings as signatures to flag the file as malicious. |

#### 3. Deployment & Execution Strategy

When attacking an upload feature, pay close attention to how the application handles your file.

* The Upload: Use the vulnerable application feature to upload your weaponized `demo.aspx`.
* Find the Path: Watch the application's response closely. It will often reveal the upload directory (e.g., `\files\demo.aspx`).
  * *Note:* Watch out for path routing quirks. Sometimes an app requires backslashes (`\`) in the URL request to traverse to the file, which the browser will automatically correct to forward slashes (`/`).
* Execute: Navigate to the uploaded file's URL in your browser (e.g., `status.inlanefreight.local//files/demo.aspx`). You now have a web interface to pass commands (like `systeminfo`) directly to the underlying OS.

\
<https://github.com/jbarcia/Web-Shells/tree/master/laudanum>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/vulnerability-assessment/shells-and-payloads/web-shells/laudanum.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
