Notepad.exe Session


Rosangela Pinkard

Aug 5, 2024, 3:00:09 AM8/5/24
to clicimnate
When you use Invoke-Command, the commands you enter (either in the script block or script you send) are sent to the WSMPROVHOST process on the remote machine. Effectively, this is a copy of PowerShell running on that system. When you run a GUI program, like Notepad, there is, in effect, nowhere for the GUI to be displayed. The local console can only display data that is sent (via SOAP) to the client. You can launch notepad if you run it from within a remote PS Session (Enter-PSSession). Running notepad makes the notepad.exe process visible if you look at it via Get-Process. But that notepad process is incomplete - e.g. it lacks a value for properties like MainModule.

The InitialAutoRunScript option will execute the specified Meterpreter script as soon as a session is established. The migrate script is located in /path/to/metasploit/msf3/scripts/meterpreter/migrate.rb. The -f option opens a new process (notepad.exe) and migrates your Meterpreter session to it.


Edit this script to force many parts of Cobalt Strike and the Metasploit Framework to migrate Meterpreter to something other than notepad.exe. Try an alternative, like rundll32.exe. As of this writing, lines 42-54 of this file contain the code you need to change.


Note: these modules are the same thing. As of this writing, the Metasploit Framework is still in a transition porting post modules that accept a PAYLOAD to windows/local exploit modules. I expect that post modules with equivalent local exploits will eventually go away.


I have a batch script that I use to launch a program, such as notepad.exe. When I double click on this batch file, notepad starts normally, but the black window of the cmd that launched notepad.exe remains in the background. What do I have to do in order to launch notepad.exe and make the cmd window disappear?


This was caused by Notepad running in the same command prompt (process). The command prompt will close AFTER notepad is closed. To avoid that, we can use the start command to start a separate process like this.


However, running this command would just start another blank command prompt. Why? If you look up start /?, the start command will recognize the argument between the " as the title of the new command prompt it is going to launch. So, to solve that, we have the command like this:


So I figured out I need to have an environment variable called EDITOR. No problem. I set it to point to Notepad. That worked, almost. The default commit message opens in Notepad. But Notepad doesn't support bare line feeds. I went out and got Notepad++, but I can't figure out how to get Notepad++ set up as the %EDITOR% in such a way that it works with Git as expected.


By configuring git config core.editor notepad, users can now use notepad.exe as their default editor.

Configuring git config format.commitMessageColumns 72 will be picked up by the notepad wrapper and line-wrap the commit message after the user edits it.


And Git 2.16 (Q1 2018) will show a message to tell the user that it is waiting for the user to finish editing when spawning an editor, in case the editor opens to a hidden window or somewhere obscure and the user gets lost.


When a graphical GIT_EDITOR is spawned by a Git command that opens and waits for user input (e.g. "git rebase -i"), then the editor window might be obscured by other windows.

The user might be left staring at the original Git terminal window without even realizing that s/he needs to interact with another window before Git can proceed. To this user Git appears hanging.


It just works from the DOS session, but not from the git shell.

(note that with the core.editor configuration mechanism, a script with "start /WAIT..." in it would not work, but only open a new DOS window)


Bennett's answer mentions the possibility to avoid adding a script, but to reference directly the program itself between simple quotes. Note the direction of the slashes! Use / NOT \ to separate folders in the path name!


With that setting, I can do 'git config --global --edit' from DOS or Git Shell, or I can do 'git rebase -i ...' from DOS or Git Shell.

Both commands will trigger a new instance of notepad++ (hence the '-multiInst' option), and wait for that instance to be closed before going on.


The fact that the notepad++ wrapper is called .bat is not important.

It would be better to name it 'npp.sh' and to put it in the [git]\cmd directory though (or in any directory referenced by your PATH environment variable).


Cygwin (which I believe is the underlying platform for Git's Bash) on the other hand likes both ' and "; you can specify CMD-like paths, using / instead of \, so long as the string is quoted, i.e. in this instance, using single quotes.


The problem you are encountering using Notepad++ is related to how Git is launching the editor executable. My solution to this is to set environment variable EDITOR to a batch file, rather than the actual editor executable, that does the following:


/WAIT tells the command line session to halt until the application exits, thus you will be able to edit to your heart's content while Git happily waits for you. %* passes all arguments to the batch file through to Notepad++.


I'm happy using Vim, but since I'm trying to introduce Git to the company I wanted something that we'd all have, and found that WordPad seems to work okay (i.e. Git does wait until you're finished editing and close the window).


Thanks to the Stack Overflow community ... and a little research I was able to get my favorite editor, EditPad Pro, to work as the core editor with msysgit 1.7.5.GIT and TortoiseGit v1.7.3.0 over Windows XP SP3...


However, after several failed attempts at the above mentioned solutions ... I was finally able to get this working. Per EditPad Pro's documentation, adding the '/newinstance' flag would allow the shell to wait for the editor input...


This is the one symptom of greater issues. Notably that you have something setting TERM=dumb. Other things that don't work properly are the less command which says you don't have a fully functional terminal.


It seems like this is most commonly caused by having TERM set to something in your global Windows environment variables. For me, the issue came up when I installed Strawberry Perl; some information about this is on the msysgit bug for this problem, as well as several solutions.


The other solution, which ultimately is what I did because I don't care about Strawberry Perl's reasons for adding TERM=dumb to my environment settings, is to go and remove the TERM=dumb as directed in this comment on the msysgit bug report.


Control Panel/System/Advanced/Environment Variables... (or similar, depending on your version of Windows) is where sticky environment variables are set on Windows. By default, TERM is not set. If TERM is set in there, then you (or one of the programs you have installed - e.g. Strawberry Perl) has set it. Delete that setting, and you should be fine.


Of course, all the other solutions are correct in that you can use git config --global core.editor $MYFAVORITEEDITOR to make sure that Git uses your favorite editor when it needs to launch one for you.


Modify the shortcut to launch the Git Bash shell to run as administrator, and then use that to launch the Git Bash shell. I was guessing that the context menu entry "Git Bash here" was not launching Notepad++ with the required permissions.


I had PortableGit 1.6 working fine, but after upgrading to the PortableGit 1.7 Windows release, I had problems. Some of the Git commands open up Notepad++.exe fine, but some don't; especially Git rebase behaves differently.


The problem is some commands run the Windows cmd process and some use the Unix cmd process. I want to give startup attributes to Notepad++ editor, so I need to have a customized script. My solution is this.


I use Git on multiple platforms, and I like to use the same Git settings on all of them. (In fact, I have all my configuration files under release control with Git, and put a Git repository clone on each machine.) The solution I came up with is this:


Symbolic links are handled by every operating system I know of, though they may use different commands. For Linux, you use ln -s. For Windows, you use the cmd built-in mklink. They have different syntaxes (which you should look up), but it all works the same way, really.


This lets me edit files from the command line with ec, and having VISUAL set means most unixy programs pick it up too. Git seems to search the path differently to my other commands though - when I looked at a git commit in Process Monitor I saw it look in every folder on the path for ec and for ec.exe, but not for ec.bat. I added another environment variable (GIT_EDITOR=ec.bat) and all was fine.


We notice some curious processes for a remote server, specifically notepad.exe running as NT AUTHORITY\SYSTEM. Now anyone familiar with meterpreter knows that notepad.exe is a favorite process to spin up as a host for the meterpreter session. Given the SYSTEM level access, it is likely that another hackthebox user has performed successful exploitation and is enjoying their new privileges. Just as a bit of a joke, I decided to try to receive some ill-gotten gains:


The notepad process is spawned with the PROCESS_ALL_ACCESS designation. In the Windows Documentation on Process Security and Access Rights, we can see that this flag, when passed to CreateProcess, gives the new process object all possible access rights. This means that any process running on the system can use the new process to create new processes and threads, duplicate its handle, query information about the process such as tokens and access codes, set information about the process, read and write to its memory, perform an operation on its address space, and do basically whatever it likes with the new process.


I have read many questions on this forum about this problem, unfortunately unsolved. When executing "paexec.exe \\HOST -u localadmin -p password -i -d c:\windows\system32\notepad.exe" you get no GUI of notepad.exe because it is launched in session 0. The same command with PsExec works fine: the notepad window is visible and started in the logged-in user's session.
