We don’t need powershell.exe – 4 –

This seems to be a never-ending story but, believe me, there are so many ways to achieve the same result! This time we are going to use another simple technique for running our powershell scripts without invoking powershell.exe. Introducing MSBuild.exe... MSBuild is a tool included in .Net frameworks for automating the processes of creating…


“Poor man’s process migration”

In your pentesting activities, there are many circumstances where you need to “migrate” your Windows working process, typically a shell, to a different process. Some scenarios can be: you have an unstable shell and need to move to a more robust process on the victim's machine (typically explorer.exe, which will live until the victim doesn't…

We don’t need powershell.exe -part 3-

This is the third part of my "powershell-less" series: how to execute powershell scripts without using powershell.exe. In part 2 I used DotNetToJscript in order to circumvent AppLocker policy. Now let's try to use another technique. The problem is always the same: we cannot run executable files outside Windows directories and we can't run powershell.exe. Never heard…

We don’t need powershell.exe – part 2 –

In my previous post I showed you how to bypass policy restrictions which won't let you execute powershell.exe. Now let's move on to a more complicated (but realistic) scenario: you can't run exe files located outside the "classic" Windows directories because there is an AppLocker policy which won't permit it. Say bye-bye to powershell?…

We don’t need powershell.exe

Please don't misunderstand me, you really need Powershell and all its magic if you are a pentester, don't you? But what can you do if some policy is blocking access to powershell.exe? Yes, this is a well known problem and there are many solutions. In my article I just want to focus on a quick…

The road to “silver”

Remember my last post, the "SYSTEM" challenge? Now let's modify the scenario.... Imagine you've got the xp_cmdshell running under this account: os-shell> whoami do you want to retrieve the command standard output? [Y/n/a] y [21:52:27] [INFO] theQL query used returns 1 entries [21:52:27] [INFO] retrieved: dummydomain\\andrew command standard output [1]: [*] dummydomain\andrew Oh! This…

The “SYSTEM” challenge

This is a brief "writeup" of a challenge which I created for my friends of the "SNADO" team. I will write this article from the "pentester" perspective, just to be clearer and more realistic 🙂 The mission was to get Windows "SYSTEM" privileges, starting from a vulnerable webapp. There were several ways to get the result,…