Json

why not use powershell in memory payloads #empire?

Sorry for my last message… it seems I can’t delete it…
So,
I’m just a step before gomeznap I guess: I’ve managed to execute DOS commands and ping my IP with the help of ys*t. And… that’s all.
I can’t manage to execute powershell (and, by the way, I know I can’t upload/download files).
Did I miss something?
I’ve tried to launch powershell with “-c”, doesn’t seem to work. I’ve even tried to modify ys*t in order to execute powershell in place of cmd.
Well, I’m a bit lost.

Does anyone have a clue as to where I can search/test further? PM

@gomeznap said:

@x000 said:

@gomeznap said:
I was able to get command execution on the target but I’m not too familiar with Windows boxes and not sure how to spawn a reverse shell. Anyone have any suggestions or resources to look at?

Edit: For reference I was able to ping my local IP from the target and download a file, but not get a shell.

Try Meterpreter!

Thanks for the comment!

I tried a couple of different meterpreter payloads and they never connect back to the exploit handler. Is there anything special I have to do on a Windows machine to run the executable once it’s dropped on there, or should I just be able to run it with a command like “payload.exe”?

Sometimes, especially with blind RCE like this box, it helps to create some random folder somewhere on the remote machine to save it to, in order to make sure that you have the correct permissions. I tried my payload several times from typical directories and it wouldn’t work until I created a new C:\tmp folder with a mkdir command before sending the file. I think it was preventing me from outputting into the directory, but without a shell you can’t see the errors or whether the file is created.

You should be able to run it by just sending the full path as a command, for example C:\tmp\payload.exe

If anyone rooted the box via the FTP decipher method, please PM me. I am able to root via this potato method only.
If anyone needs assistance let me know. I will be happy to help.

WOW, excellent box. I really enjoyed it.

my hints

  1. User: Play with headers and read the forum
  2. Root: I did it with a classic Windows exploitation. Couldn’t take the other way, I don’t know why

Love it

Rooted. I did what seemed like the “easier” priv esc… I need to go back and try the other. Wonder if the former was intended.

If anyone needs a nudge, feel free to PM me.

@offsecin said:

If anyone rooted the box via the FTP decipher method, please PM me. I am able to root via this potato method only.
If anyone needs assistance let me know. I will be happy to help.

Same here. I’d like to know if it was possible or just a rabbit hole. I used the more straightforward method after a lot of time trying the other option.

Root was nice, really liked the f** part

Anyone rooted using ****zilla? Need a little nudge with the xml file

Does anyone have a hint for me on how to use this tool? Don’t know where to start with it…
Found the mentioned webpage and parameters.

Please PM me.

Get at me if you want to talk about the Heath Ledger stuff.
Happy to help, because on Arkham and this lesser beast it was ‘A Real Thing’ to deal with.
And also it’s pretty, uh, pretty good.
#BlessUp

As my username suggests, I would like to learn what I need to do for this box. Can anyone suggest some reading materials or something similar to this? Thanks

Can anyone help me with this box? I am not able to get an initial foothold; I am missing something here in the box. Any hint please.

Rooted. What a pain in the ■■■ this box was. Did anyone manage “NOT” to use a separate VM windows box for that “yso” tool?? I had more problems setting up a VM than I did rooting this box. If you manage to create a payload without windows machine, please let me know. Thank you

@johnnyz187 said:

Rooted. What a pain in the ■■■ this box was. Did anyone manage “NOT” to use a separate VM windows box for that “yso” tool?? I had more problems setting up a VM than I did rooting this box. If you manage to create a payload without windows machine, please let me know. Thank you

I used vi with the payload by adjusting the array item, encoding the output and pasting it into Burp. What was odd was that for the final payload I needed to add an extra white space at the beginning for it to execute, i.e. after /c. No idea why the double white space worked but the single one failed every time.
No Windows required, just create a bash script with the above.

really good box, went smooth. I liked it !

I hate you.
But also, +1
May have some Qs for you.

@sbridgens said:

I used vi with the payload by adjusting the array item, encoding the output and pasting it into Burp. What was odd was that for the final payload I needed to add an extra white space at the beginning for it to execute, i.e. after /c. No idea why the double white space worked but the single one failed every time.
No Windows required, just create a bash script with the above.

I know how to generate the payload and where to send it. However, due to extreme Windows unfamiliarity syndrome, I’m not sure what command to send XD. Some nudge would be appreciated…

edit: nevermind, got user :slight_smile: now onto root…

edit2: and yes, you don’t really need the VM if you found the page for y************ and know what you’re doing.

edit3: and easy root the vegetable way… but I don’t understand how the vegetable works :frowning: so need to keep spending more time on this

Tried 620k usernames without success. Is it worth brute forcing more?
EDIT: got it.

@an0n said:

Tried 620k usernames without success. Is it worth brute forcing more?

Nope. It’s a default user/pass