Starting Point: Shield, JuicyPotato and netcat

As promised, here’s the full explanation!

In order to try the JuicyPotato step again, I had to get to that step. So I followed the walkthrough with some alterations:

  1. Metasploit step.
    In the walkthrough it asks you to change the local directory with the lcd command. It also asks you to navigate to uploads, which didn’t work for me, so I decided to do it using a relative path instead. It’s easy to overlook, but the exploit puts you in C:\inetpub\wwwroot\wordpress\wp-content\plugins\mdkjhoOtDL instead of uploads:
cd ../../uploads
  2. PrivEsc step, shell.bat
    The walkthrough asks you to echo the location of the netcat executable, specified as follows: C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe
    If you try to open the generated file using vim or any other editor, you’ll see that all the backslashes got eaten! This is because a backslash is an escape character, and by the stage where it has been transferred into the file all backslashes have disappeared! There are two ways to solve it:
    a. Copy-paste the command into the text editor instead of using echo
    b. Or, instead of using a single backslash, use a double one! E.g. C:\inetpub\ becomes C:\\inetpub\\. This way you will get the path displayed correctly.

  3. Referencing the shell.bat on the remote machine when executing JuicyPotato.
    The walkthrough, again, specifies a full path here. That didn’t work for me. So I remembered that I had uploaded the netcat executable to the same folder as shell.bat, so I tweaked the command to:

js.exe -t * -p .\shell.bat -l 1337

By the way, the port at the end there does not get used for anything during this walkthrough. The listener opens on the port that you specify in the shell.bat; in the walkthrough it’s 1111.
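For the shell.bat step above, here is an added example (not from the original post or the walkthrough) of writing the netcat path into the file with printf instead of echo, then checking that no backslash was lost before the file is used. The output file name is a constructed placeholder; the path is the one quoted in the post.

```shell
# Added example: write a Windows path into a .bat file without the shell
# touching the backslashes, then verify the line round-tripped intact.
# NC_PATH is the path quoted in the post; the output file is a placeholder.
NC_PATH='C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe'

# printf '%s' prints its argument verbatim. echo's handling of backslashes
# differs between shells, and "\n" inside "...\nc.exe" can even become a
# newline, which is exactly the kind of silent corruption seen in the post.
write_bat_line() {
    # $1 = line to write, $2 = output file
    printf '%s\n' "$1" > "$2"
}

# Count the backslashes in a file (tr -cd keeps only backslashes).
count_backslashes() {
    tr -cd '\\' < "$1" | wc -c | tr -d ' '
}

# Return 0 only if the file still holds as many backslashes as the path had.
verify_bat_line() {
    # $1 = original line, $2 = file that should contain it
    expected=$(printf '%s' "$1" | tr -cd '\\' | wc -c | tr -d ' ')
    actual=$(count_backslashes "$2")
    [ "$expected" = "$actual" ]
}

# Usage: write the line, then confirm nothing was eaten (expects 6 here).
tmp=$(mktemp)
write_bat_line "$NC_PATH" "$tmp"
verify_bat_line "$NC_PATH" "$tmp" && echo "backslashes intact: $(count_backslashes "$tmp")"
rm -f "$tmp"
```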

This way I had 3 terminals open:

  • metasploit
  • wwwroot directory that I opened from metasploit
  • admin shell that was opened by running shell.bat

Also, for the post-exploitation step, you’re supposed to run a 64-bit version of mimikatz from the admin shell; it took me some time to figure out!

In summary:

  • The admin port should be obtained on port 1111 in the walkthrough (in my case it was port 6427)
  • The output of JuicyPotato failed because the path was not specified correctly (see above), so it couldn’t find the right files.

I hope this will help anyone who has been stuck for quite some time!