This seems to be a never ending story but, believe me, there are so many ways to achieve the same result! This time we are going to use another simple technique for running our powershell scripts without invoking powershell.exe. Introducing MSBuild.exe... MSBuild is a tool included in .Net frameworks for automating the processes of creating…
In your pentesting activities, there are many circumstances where you need to “migrate” your Windows working process, typically a shell,to a different process and some scenarios can be: You have an unstable shell and need to move to a more robust process on the victim's machine (typically explorer.exe which will live until the victim doesn't…
This is the third part of my "powershell-less" series: howto execute powershell scripts without using powershell.exe In part 2 I used DotNetToJscript in order to circumvent AppLocker policy. Now let's try to use another technique. The problem is always the same: we cannot run executable files outside windows directories and we can't run powershell.exe. Never heard…
In my previous post I showed you how to bypass policy restrictions which won't let you execute powershell.exe. Now let's move on to a more complicated (but realistic) scenario: you can't run exe files located outside the "classic" Windows directories because there is an App Locker policy which won't permit it Say bye-bye to powershell?…
Please don't misunderstand me, you really need Powershell and all it's magic if you are a pentester, don't you? But what can you do if some policy is blocking access to powershell.exe? Yes, this is a well known problem and there are many solutions. In my article I just want to focus on a quick…
Article can be found here: From pass the hash to pass the ticket!
In this article we will try to bypass the ASLR (Address Space Layout Randomization) and NX (non execute bit) techniques. So we got this 32 bit binary "overflow" without source code and root suid bit turned on! $ ls -al overflow -rwsr-sr-x 1 root root 7377 Jun 15 21:17 overflow All we know is…
This article, written with my friend Giuseppe, is published here: http://resources.infosecinstitute.com/apk-golden-ticket-owning-android-smartphone-gaining-domain-admin-rights/
Remember my last post, the "SYSTEM" challenge? Now let's modify the scenario.... Imagine you've got the xp_cmdshell running under this account: os-shell> whoami do you want to retrieve the command standard output? [Y/n/a] y [21:52:27] [INFO] theQL query used returns 1 entries [21:52:27] [INFO] retrieved: dummydomain\\andrew command standard output [1]: [*] dummydomain\andrew Oh! This…
This is a brief "writeup" of a challenge which I created for my friends of "SNADO" team. I will write this article from the "pentester" perspective, just to be more clear and realistic 🙂 The mission was to get windows "SYSTEM" privileges, starting from a vulnerable webapp. There were several ways to get the result,…
