Starting Point: Reverse Shell

Hello,
I’m pretty new to pen-testing and stuff like that. So I started with the starting-point.
My problem is, that I don’t get a reverse shell. Instead, the sql-client just says “null”. When I try to do it once again, I get an operation time out.

Screenshots:
Imgur
Imgur
Imgur

The shell.ps1 contains my htb-ip-address.
The python web-server was started inside the folder, where shell.ps1 is.
I tried to restart ufw and set the firewall-rule up again, got the message “skipping existing rule”.

I don’t know what I’m doing wrong and would appreciate any hint!
Thanks in advance

Shorty

Have you started http.server on port 443? Since it returns “null” it appears to me there might be nothing on that port. Also it’s likely that netcat wouldn’t allow you to open a listener on this port if it was already used by other service. If you followed the exact commands from the tutorial and opened a server on 80, try connecting to this port instead.

Thanks for the response!
Unfortunately, it didn’t work either. Now it just stucks after I hit the enter-button.
I tried the normal way again and encountered the same problem: It just stucks. (I can abort it though)

  • the first “null” returned, when I aborted the python-server to make a good screenshot of what’s happening - so it actually stays like this.

Thanks in advance!

did you change what needed to be changed in shell.ps1?

I guess you’re talking about the ip-address? In that case: Yea, I changed it to mine but did not change anything else.

Thanks in advance!

I’m having the same problem. I’ll let you know if I figure out what’s wrong!

Did you enable ufw?

Yea I double checked ufw!

start typing the next command in your netcat window, does it do anything? this is were i got stuck for ages waiting on a response from the sql window…

thanks worked now

Thanks a lot, @WolveRyan !
After hitting the Enter-Button a few times, a “#” came in front of it.
And after that ‘#’, you can type in commands as like “powershell” which will return “C:.…”. From now on, you can go further with the tutorial!

Thanks a lot again to everyone!

@WolveRyan many thanks! Stuck at this point for a couple of days. Huge help!

Hello, I am stuck at nearly the same point.
My SQL powershell command gives me an error. It says that my machine actively refused the connection, but the script is downloaded, I see a Get request in my http server. Furthermore I get a # when I hit Enter in the netcat window. Maybe one of you can help me. I can attach screenshots if needed.

NVM. Thanks @WolveRyan

and then how to find root flag

Hey guys,

Stuck at same point. This is first time trying to use PoweShell exploit like this. I can the server is sending a get request for the IP address but wondering if anything in the PS script provided needed to be changed outside of the IP address? the listener seems to be working, the server seems to be working and im not getting any errors on the SQL cmdshell but im not getting the # and just nothing seems to happen. Any advice or push in the right direction would be greatly appreciated.

For me the # was missing, too. I have just typed a command in and once it was executed, the command line had the right symbol.

Hello world

I’m blocked on the last action, the upload does’nt work probelly :frowning:

How can i solve this ?

====================================================

kali@kali:~/impacket/examples$ ./psexec.py administrator@10.10.10.27
Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation

Password:
[] Requesting shares on 10.10.10.27…
[] Found writable share ADMIN$
[*] Uploading file UgmBhFGY.exe
[-] Error uploading file UgmBhFGY.exe, aborting…
[-] Error performing the installation, cleaning up: [Errno 32] Broken pipe

=======================================================

Best regards

@WolveRyan Heart for you. I too spent ages for any response. Tried a loads. But at last you came as angel . Thank you so much.

@Ak47S0un in "psexec.py administrator@10.10.10.27 "
what’s the password for this?