Executables that bypass Windows AV VS those that don't (nc, plink etc.)

@d4gd4 said:

Hi

I guess I’m trying not to have any spoilers here for still active boxes, so apologies if this is too vague or lacks enough detail.

So I’ve been doing a Windows box that came out relatively recently, and, having got a shell that I wanted to upgrade, I decided to upload nc.exe onto the box. I did this, and found that the file would not execute… at least, it appeared that nothing happened when executed. I also uploaded a different program as exe, which then DID work. This immediately contradicted my theory that AV was blocking me from running exe files. So I tried a couple more different ‘versions’ of nc.exe I had lying around (from different sources), and then one of them just worked. I don’t know what the difference is between these executables, but I would absolutely love to know. If someone has any info on this, it would be much appreciated. I have yet to examine the files closely, as I am not quite sure how to go about that yet. Thanks for reading.

I never tested this, as the first version I used just worked and I only became aware that a problem existed from the forums.

At a GUESS, I’d say that it is likely to be:

  1. Signature based AV on the machine has the hashes for some but not all of the versions you tried. Try md5sum on all the versions you have and see if they differ.
  2. Some versions are broken.
  3. Other people were messing with things at the same time as you were and it caused problems and, by chance, they stopped at the same time you tested a version.

If you are curious, it’s worth trying some tests:

  1. Upload one version which previously failed, try it and then try the version which worked, then try a different version which failed. If the same ones consistently fail, then you can eliminate option 3.

  2. Run file against all the versions you have to see if they are still intact.

  3. Use PowerShell to check the MD5s of the files you’ve uploaded to make sure they didn’t break in transit.
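Added example (not from either post in this thread): a small Python script covering tests 2 and 3 above. It hashes each nc.exe candidate, does the same basic sanity check on the PE headers that file performs (MZ and PE signatures, machine type, subsystem, and whether every section's raw data actually fits inside the file, which is what breaks when a transfer truncates the binary), and groups byte-identical copies so you can see which "versions" are really the same file. The sample blobs are constructed minimal PE headers built inside the script, not real netcat builds; compare_paths is the entry point for files on disk. All function and constant names are this example's own.

```python
import hashlib
import struct
from collections import defaultdict
from pathlib import Path

MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x64 (AMD64)"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows console"}


def inspect_pe(data: bytes) -> dict:
    """Hash a file and check that its PE headers and section data are complete."""
    info = {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "intact": False,
            "machine": None, "subsystem": None, "sections": [], "reason": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["reason"] = "missing MZ signature (not a PE or badly truncated)"
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["reason"] = "missing PE signature"
        return info
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    if size_opt < 70 or opt_off + size_opt + 40 * nsections > len(data):
        info["reason"] = "headers truncated"
        return info
    info["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]   # same offset for PE32/PE32+
    info["subsystem"] = SUBSYSTEM_NAMES.get(subsystem, f"other ({subsystem})")
    sec_off = opt_off + size_opt
    for _ in range(nsections):
        name = data[sec_off:sec_off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_off + 16)
        end = raw_ptr + raw_size
        if end > len(data):
            info["reason"] = (f"section {name} runs past end of file "
                              f"(needs {end} bytes, have {len(data)}); truncated in transit?")
            return info
        # Per-section hash: lets you see *which* part differs between two builds.
        info["sections"].append((name, hashlib.sha256(data[raw_ptr:end]).hexdigest()[:16]))
        sec_off += 40
    info["intact"] = True
    return info


def compare_versions(blobs: dict) -> dict:
    """Inspect every blob and group byte-identical ones by MD5."""
    report = {name: inspect_pe(data) for name, data in blobs.items()}
    groups = defaultdict(list)
    for name, info in report.items():
        groups[info["md5"]].append(name)
    return {"files": report,
            "identical": [sorted(v) for v in groups.values() if len(v) > 1]}


def compare_paths(paths) -> dict:
    """Same report for real files on disk (run this on your own nc.exe collection)."""
    return compare_versions({str(p): Path(p).read_bytes() for p in paths})


def build_fake_pe(payload: bytes, machine=0x014C, subsystem=3) -> bytes:
    """Constructed minimal PE32 image (headers + one section) for the demo; not a runnable program."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    raw_ptr = e_lfanew + 24 + size_opt + 40          # payload starts right after the section table
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return dos + b"PE\0\0" + coff + bytes(opt) + section + payload


# Constructed samples: two distinct "builds", a duplicate, and a copy that lost its tail in transfer.
V1 = build_fake_pe(b"\x90" * 64)
V2 = build_fake_pe(b"\xCC" * 64, machine=0x8664)
SAMPLES = {
    "nc_v1.exe": V1,
    "nc_v1_again.exe": V1,              # same bytes fetched from a second source
    "nc_v2.exe": V2,                    # genuinely different build
    "nc_v1_truncated.exe": V1[:-20],    # last 20 bytes dropped during upload
}

if __name__ == "__main__":
    result = compare_versions(SAMPLES)
    for name, info in result["files"].items():
        status = "OK" if info["intact"] else f"BROKEN: {info['reason']}"
        print(f"{name:22} md5={info['md5']} {info['machine']} {info['subsystem']} {status}")
    print("byte-identical groups:", result["identical"])
```

Run it on both ends of the transfer: the md5 column on the attack box must match what PowerShell's Get-FileHash -Algorithm MD5 reports on the target, otherwise the upload itself is the problem rather than AV. If two candidates land in the same identical group, they are not different versions at all, so a different outcome for them points at option 3 (someone else interfering) rather than at the file.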