Starting Point: Markup, job.bat and getting the admin shell

Progress update, no solution.

(Please excuse command screenshots, HTB didn’t like my plaintext commands, so I did it this way instead)

First of all, to address my “one executable - one attempt” question (question 3 in the original post):
To be able to reuse the same port and the same executable, press Ctrl+C in your listener tab, not in the opened daniel shell with the pipe to job.bat. This way the > job.bat command will terminate itself and no issues with running processes should occur.

So I have followed @quinnlaup’s advice and downloaded a fresh zip file of nc for Windows. This time I have decided to work from the Temp directory.
C:\Users\daniel\AppData\Local\Temp\tasidonya
I have uploaded the nc.exe there. I know it's a functioning executable because when I ran

Regular nc command

I got a regular shell in my listener tab. I decided to work from PowerShell because I prefer it to regular cmd.

So, first, I tried to run the command from the walkthrough without alterations:

Same command into job.bat

(Okay, there was a small alteration that the screenshot does not show: .\nc.exe instead of nc.exe, because I am in PowerShell.)
Every time I ran this command I instantly got a regular daniel shell in my listener tab. I have tried many times, with a stopwatch and without, to time the intervals at which job.bat gets written to.

But then, since the purpose of this command is merely to write to a bat file, not to open a shell straight away, I decided to tweak this command slightly:

(The tweak consists of surrounding the nc command by single quotation marks, so it becomes a string and doesn’t get executed)

So, this command, according to my assumptions, should have created a connection, piping whether the command succeeded or failed to a log file in my temp dir. The contents of C:\Log-Management\job.bat (obtained via type C:\Log-Management\job.bat) at this point were:


I do not know if it will work without a bat file, because when I did try to run it, I rather carelessly left a new line in there, which caused chaos in my shell.

After this command did not work, I tried to alter the command slightly again, but this one I did try outside the bat file, and it worked on its own:


but inside job.bat I have timed it and the job ran, but I didn't get back my 1 in the listener tab (I did make sure it was running and listening on the right port). So now I am stuck. Either I did not understand the purpose of the command that writes to job.bat correctly, or I am missing something.