Forum Discussion
Hi!
I'm right where you are: managing to execute several commands (not just 'whoami') but not the one needed to complete the lab :).
I think the key is to manage to code several *arguments* [0] in the exploit, not just one, getting ‘cmd’ [1] (for example) to read the necessary file.
Good luck!
[0] https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html
[1] https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd
- JWhit101, 20 days ago (Bronze II)
Thanks for your suggestions Bluesman. This did lead me down some alternative paths from what I was trying. I have tried many variations, but the format of "cmd.exe"&arg1="/c"&arg2="type"&arg3="C:\token.txt" (url encoding each arg separately, but left in this form for readability) gets me the closest, in that I get a response that does appear to at least be from what would show in a cmd window, although the data I need is not presented. (this response takes many minutes, whereas cmd?whoami comes back in seconds).
Have you had any additional success?
- Bluesman, 20 days ago (Bronze III)
Hello,
Unfortunately I have not been able to make much more progress; I can run several commands apart from 'whoami' (e.g. 'help', 'systeminfo', etc.) but I can't seem to hit the right one to read the token.
I've even tried via Metasploit (I think you can search by the CVE or by 'iView2') and I can't get the session on the machine.
I will keep investigating, I think we are close :).
- JWhit101, 20 days ago (Bronze II)
Hi Bluesman, I've enumerated the commands that I believe are available in system32, thinking that maybe there was another that would be used to access file contents, but I don't think so... either a 500 error when they don't exist, a proper response, or the response hangs, indicating to me that they are waiting for additional arguments.
I have been in touch with support and they provided a parameter query, but it does not work, the entire cmd being passed just keeps being interpreted as the file to find, not a file with arguments. I will keep you posted on my progress.