
Powershell Scripts


Has anyone addressed or had problems with running scripts on PowerShell?

By default, my Windows 10 64-bit (with all the latest updates) disables running of scripts. This can be changed with Set-ExecutionPolicy, but that needs Administrator access to change.

Am I missing something really simple!?


Script execution bypass can also be achieved by running the script as a command or an encoded command.

What a lot of people have learned to do here is build stagers and download cradles.

Just wanted to take a moment to say congrats to the Hak5 team. With their inventions, people who get them and really want to use them are forced to learn techniques the bad guys use, like learning to code your own stagers and cradles.

Back to the subject. If your script is extremely small and simple, you can just open a PowerShell prompt with quack commands, type out what you want to do, and exit when done. If it is large, you will see people build web servers on the bunny, an SMB server, or even serve it via USB storage from the bunny, with maybe some obfuscation if it is a detectable script.

From the command line they run powershell with all the parameters to hide it and end it with "-c" and their code inline to download the script from their bunny and execute it. Most are done that way. You could also encode it and use "-Enc" or any truncation of "-encodedcommand".

Example: set your execution policy to Restricted and try the command below.

powershell -C "$a='I Still Ran.';Write-Host $a;sleep -s 5"

The above should still run.

If you do a "powershell /?", you will see at the bottom of the help how to make an encoded command. If you do that to a whole script, you can run that script from the command line with that encoding and bypass the execution policy, as long as it doesn't go longer than the command-line limit, which is around 8k characters. You could of course compress the script, include the decompression code with it, and encode all that. PowerSploit has a script to do that.

So, if you look through everyone's payloads, you will see how it is getting bypassed. Most of the payloads need to run as admin, so some may have the bypass parameter, but you will see a few that do not, like the PowerShell command to start the cmd process as admin using Start-Process, all from the Run box.

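Added here as a defender-side example (it is not code from the thread, from PoSHMagiC0de, or from Hak5): a small Python triage script that takes process command lines, decodes any -EncodedCommand payload back to readable script (powershell.exe expects UTF-16LE text, then base64), and flags the switches discussed above (-EncodedCommand and its abbreviations, -ExecutionPolicy Bypass, -WindowStyle Hidden) plus a few cmdlet names typical of download cradles. The sample command lines are constructed, including the thread's own one-liner re-encoded, and the field names and indicator list are my assumptions.

```python
import base64
import re
import shlex
from typing import Optional

# Constructed sample: the thread's own one-liner, encoded the way
# `powershell -EncodedCommand` expects it (UTF-16LE text, then base64).
INLINE_CMD = "$a='I Still Ran.';Write-Host $a;sleep -s 5"
ENCODED_CMD = base64.b64encode(INLINE_CMD.encode("utf-16-le")).decode("ascii")

# Constructed process command lines of the kind a defender pulls from
# Security event 4688 / Sysmon event 1 (hypothetical, not from the thread).
SAMPLE_COMMAND_LINES = [
    "powershell -C \"$a='I Still Ran.';Write-Host $a;sleep -s 5\"",
    f"powershell -nop -w hidden -enc {ENCODED_CMD}",
    r"powershell -ExecutionPolicy Bypass -File C:\Temp\setup.ps1",
    "powershell.exe -NoLogo -Command Get-Process",
]

# Cmdlets/classes commonly seen in download cradles (assumed indicator list).
CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient|invoke-webrequest",
    re.IGNORECASE,
)


def _abbreviates(flag: str, full: str, minimum: int) -> bool:
    """powershell.exe accepts any unambiguous prefix of a switch (-enc for
    -EncodedCommand), so match prefixes of at least `minimum` characters."""
    return len(flag) >= minimum and full.startswith(flag)


def decode_encoded_command(token: str) -> Optional[str]:
    """Reverse -EncodedCommand: base64 -> UTF-16LE bytes -> text.
    Returns None when the token is not a well-formed encoded command."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmd: str) -> dict:
    """Walk the switches of one powershell.exe command line and report the
    execution-policy-relevant ones: -Command / -EncodedCommand content,
    -ExecutionPolicy Bypass, and -WindowStyle Hidden."""
    tokens = shlex.split(cmd, posix=False)  # keep Windows paths and quotes intact
    result = {
        "inline_command": None,     # text after -c / -Command
        "encoded": False,           # an -e / -ec / -enc... switch was present
        "decoded": None,            # its decoded script, if decodable
        "bypass_policy": False,     # -ExecutionPolicy Bypass|Unrestricted
        "hidden_window": False,     # -WindowStyle Hidden
        "cradle_indicators": False, # CRADLE_RE hit in the recovered script
    }
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()
        value = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
        if flag in ("-e", "-ec") or _abbreviates(flag, "-encodedcommand", 3):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(value)
            i += 2
        elif flag in ("-ep", "-ex") or _abbreviates(flag, "-executionpolicy", 3):
            result["bypass_policy"] = value.lower() in ("bypass", "unrestricted")
            i += 2
        elif _abbreviates(flag, "-windowstyle", 2):
            result["hidden_window"] = value.lower() == "hidden"
            i += 2
        elif flag == "-c" or _abbreviates(flag, "-command", 3):
            # Everything after -Command is the script; stop parsing switches.
            result["inline_command"] = " ".join(t.strip('"') for t in tokens[i + 1:])
            break
        else:
            i += 1
    script = result["decoded"] or result["inline_command"] or ""
    result["cradle_indicators"] = bool(CRADLE_RE.search(script))
    return result


def triage(command_lines) -> list:
    """Return (command line, reasons) pairs for lines worth an analyst's look."""
    flagged = []
    for cmd in command_lines:
        r = analyse_command_line(cmd)
        reasons = [k for k in ("encoded", "bypass_policy", "hidden_window", "cradle_indicators") if r[k]]
        if reasons:
            flagged.append((cmd, reasons))
    return flagged


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_COMMAND_LINES):
        print(reasons, cmd)
        decoded = analyse_command_line(cmd)["decoded"]
        if decoded:
            print("  decoded:", decoded)
```

Run as-is it flags two of the four constructed lines (the encoded/hidden one and the Bypass one) and prints the decoded script; in practice you feed it the command-line field of process-creation events. The point the thread makes from the attacker's side is the same one a defender should draw: the execution policy is not a security boundary, so command-line monitoring and PowerShell script block logging are where the real control lives.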
11 hours ago, PoSHMagiC0de said:

Script execution bypass can also be achieved by running the script as a command or an encoded command.

Nice trick. Feel free to turn it into a tutorial and you can put it on the Doc/Tut GitHub. Going to release it publicly once I get a few more docs and tuts.

1 year later...

Working at a big box store... PCMgr left and no one knows the wifi password... PowerShell and cmd are disabled on the LT in demo mode... will the Bash Bunny be able to pull wifi creds without access to PowerShell or cmd?

TIA,

Zeek

4 months later...
On 9/18/2017 at 10:25 AM, PoSHMagiC0de said:

Script execution bypass can also be achieved by running the script as a command or an encoded command.

Hello, how can I, say, join that example with my line of code?

CODE: RUN WIN C:/Windows/System32/WindowsPowerShell/v1.0/powershell  -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads//$SWITCH_POSITION\1.ps1')"
