Starting Point: Markup, job.bat and getting the admin shell

edited May 2020 in Machines

Hi everyone! It's me again :) I've been stuck on Markup for weeks at this point, trying to get the last step.

The method

  1. I upload the renamed nc executable to daniel's account.
  2. I write to job.bat
    Running the commands
  3. I get a regular user shell on the port I listen on.
  4. I exit the regular shell, using something like Ctrl+C or Ctrl+D
  5. I try running the command again (writing to job.bat), and I get the error message that the process is already in use. (The screenshot shows PowerShell, but do note that for regular cmd the error message has a similar meaning - process is in use)
    Error message
    You will also note that I have tried both 32 and 64 bit versions of the executable.
  6. I can't use my executable anymore with any port - new or old. Deleting the nc.exe (pancake-nc.exe) and reuploading it still produces the same error message. As daniel, I do not have the privileges to access the running job list and physically kill all instances of my nc.
  7. I wait until the machines get reset and then I get another shot at it.

The research

So, I do monitor Starting Point for new questions, and these two caught my eye:

The question(s)

So, as far as I have understood, I just need to wait for the job to run to get an admin shell, it runs about every 30 seconds. But, there is the following that I do not understand:

  1. Is it the existing shell that gets upgraded or do I need to run the job at the right timing to get an admin shell instead of a regular daniel shell?
  2. If it's the latter, how do I know when to run, given I only get one shot at it?
  3. If anyone knows any alternative ways to kill my own running jobs in this box, please let me know! Waiting until the machines get reset and not being able to do anything is very frustrating!

Thank you in advance :)

tasidonya
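The box hinges on a job that runs job.bat with higher rights while a regular user can write to it. The following audit script is an added example, not part of the original post or of HTB's material: it lists scheduled tasks whose command line points at a file (or a containing directory) that low-privileged principals can modify. It assumes the job is a scheduled task (the thread does not say how the job is implemented) and English Windows identity names; run it from an elevated PowerShell on the host being audited.

```powershell
# Added example (not from the thread): find scheduled tasks whose script or
# binary, or the directory holding it, can be modified by low-privileged users.
# Assumes English identity names; run from an elevated PowerShell.

$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a user change what the job executes.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-PathsFromCommandLine {
    param([string]$CommandLine)
    if (-not $CommandLine) { return @() }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    # Pull out anything that looks like a drive-rooted path, quoted or not.
    [regex]::Matches($expanded, '[A-Za-z]:\\[^"\s]+') | ForEach-Object { $_.Value }
}

function Get-LowPrivWriter {
    # Returns the first low-privileged identity with write rights on $Path, else $null.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $WriteMask) -ne 0) { return $rule.IdentityReference.Value }
    }
    return $null
}

foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a command line; COM handler actions do not.
        if (-not $action.Execute) { continue }
        foreach ($p in @(Get-PathsFromCommandLine ($action.Execute + ' ' + $action.Arguments))) {
            # Check the file itself and its parent directory: a writable directory
            # lets a user delete and replace the file even if the file ACL is strict.
            foreach ($target in @($p, (Split-Path -Path $p -Parent))) {
                $writer = Get-LowPrivWriter $target
                if (-not $writer) { continue }
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    RunsAs     = $task.Principal.UserId
                    RunLevel   = $task.Principal.RunLevel
                    Target     = $target
                    WritableBy = $writer
                }
            }
        }
    }
}
```

Any row whose RunsAs is an administrator or SYSTEM while WritableBy names a low-privileged group is the job.bat pattern from this thread; the fix is to restrict the ACL on the script and its directory to the account the task runs as.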

Comments

  • Hello world

    I'm blocked on the last action, the upload doesn't work properly :(

    How can I solve this?

    ====================================================

    [email protected]:~/impacket/examples$ ./psexec.py [email protected]
    Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation

    Password:
    [*] Requesting shares on 10.10.10.27.....
    [*] Found writable share ADMIN$
    [*] Uploading file UgmBhFGY.exe
    [-] Error uploading file UgmBhFGY.exe, aborting.....
    [-] Error performing the installation, cleaning up: [Errno 32] Broken pipe

    =======================================================

    Best regards

  • @Ak47S0un Hello! While I am very happy that you are asking questions, please don't hijack other people's threads with your issue; stick to relevant discussions. Your issue is with Archetype, the first Starting Point box (yes, there will be more to come after you solve this one :) ), so please post only in threads that discuss it. I have noticed you have already created a topic with your issue; this will help keep discussions relevant.

    tasidonya

  • @tasidonya I just rooted this box by using a Windows version of netcat rather than just copying netcat from my Kali box. I downloaded the file from https://eternallybored.org/misc/netcat/ and then followed the guide...worked perfectly for me.
    P.S. Thanks for your post on puttygen that helped me a lot!

  • @quinnlaup Thank you for replying :) I will give this a try!
    P.S. Glad I could help! :)

    tasidonya

  • edited May 2020

    Progress update, no solution.

    (Please excuse command screenshots, HTB didn't like my plaintext commands, so I did it this way instead)

    First of all, to address my "one executable - one attempt" question (question 3 in the original post):
    To be able to reuse the same port and same executable press Ctrl+C in your listener tab, not the opened daniel shell with the pipe to job.bat. This way the > job.bat command will terminate itself and no issues with running processes should occur.

    So I have followed @quinnlaup's advice and downloaded a fresh zip file of nc for Windows. This time I have decided to work from the Temp directory.
    C:\Users\daniel\AppData\Local\Temp\tasidonya
    I have uploaded the nc.exe there. I know it's a functioning executable because when I ran

    Regular nc command

    I got a regular shell in my listener tab. I decided to work from PowerShell because I prefer it to regular cmd.

    So, first, I tried to run the command from the walkthrough without alterations:

    Same command into job.bat

    (okay, there was a small alteration that the screenshot does not show, that is .\nc.exe instead of nc.exe because I am in PowerShell)
    Every time I ran this command I instantly got a regular daniel shell on my listener tab. I have tried many times, with and without a stopwatch to time the intervals at which the job.bat gets written to.

    But then I thought: since the purpose of this command is merely to write to a bat file, not to open a shell straight away, I decided to tweak this command slightly:

    Trying to log my output
    (The tweak consists of surrounding the nc command by single quotation marks, so it becomes a string and doesn't get executed)

    So, this command, according to my assumptions, should have created a connection, piping whether a command succeeded or failed to a log file in my temp dir. The contents of C:\Log-Management\job.bat (obtained via type C:\Log-Management\job.bat) at this point was:

    job.bat content

    I do not know if it will work without a bat file, because when I did try to run it, I have rather carelessly left a new line in there, which has caused chaos in my shell.

    After this command did not work, I tried to alter the command slightly again, but this one I did try outside the bat file, and it worked on its own:

    Trying to send myself a message via nc

    but inside job.bat I have timed it and the job has run, but I didn't get back my 1 in the listener tab (I did make sure it was running and was listening on the right port). So now I am stuck. Either I did not understand the purpose of the writing to job.bat command correctly or I am missing something.

    tasidonya

  • Hello! I won't give the answer, you are almost there...
    My advice is that you search what a job is. In Linux or OSX, it is called a cronjob. After that you'll understand what you have to do. You might need to learn how to write one...
