I’m new to this game. I’m reskilling myself so I can get out of my current career. I’ve done a couple of online courses and played with the Metasploitable VM and fiddled my way onto this thing.
I’m on ARCHETYPE and everything I do results in PowerShell reverse shells being detected by AV. I’ve tried different reverse shells from various places, I’ve tried modifying them (which is mostly chimp+typewriter stuff), and I’ve tried swearing at it. I’ve even copied the walkthrough shell, checked it character by character, and this gets detected.
Anyone have any ideas? It says the Starting Point machines should be done in order and I’ve spent far too long beating my head against this wall. I’ve even tried doing it (mostly) sober. I can’t imagine obfuscating this from AV is part of an easy tutorial machine? It seems strange that the walkthrough shell is being detected. I’ve tried sticking to the walkthrough entirely and the only way I am deviating is I’ve been setting up my webserver using “service apache2 start” and sticking my shell in /var/www/html/. I can’t see this being an issue as it is clearly downloading the shell onto the target machine in order for AV to spit repeatedly in my face.
Is it something that has changed with the machine? Or is this so simple, I should give up now and go back to my pacemakers and ultrasound machines?
A. N. Idiot
Hey, there is no AV for the Lab as I remember. There are two points I can think of, besides typos, which happen to anyone:
- Have you replaced the IP in the reverse shell with your machine (tun0) IP?
- Is the port open in the firewall of your machine? (pwnbox has no firewall, I think.)
AND don’t copy-paste directly from the PDF file.
Cheers for the replies, I have tried all of the above suggestions.
I tried several reverse shell scripts, definitely using the right IP (I routinely have a terminator window with ifconfig sat there as I’m a forgetful idiot and I’m using tun0) and several different ports. The output (from the impacket mssql script) when I get the machine to execute the script hosted on my webserver is something like “your AV software has identified the script as malicious”. I’ve checked for firewall issues on my end but it seems as though the script isn’t executing at all.
As for copy-pasting, I found that one out the hard way. I went through it character by character, replacing missing spaces, etc., but I’ve also tried several other shells from GitHub and pen testing cheatsheets.
I’ve looked around the internet for other walkthroughs and I’ve still found nothing that works. There are a lot of forum threads on this machine, but I expect that’s a feature of it being the first tutorial machine and it’s where n00bs like myself realise this is harder than it looks…
I am thinking I need to just move on and come back to it.
Hi, in your PowerShell reverse shell script where it says "PS ' + (pwd).Path + ", remove the ".Path" so it is as follows: "PS ' + (pwd) + ".