Simple Bypass for PowerShell Constrained Language Mode

Edit – I've just had it pointed out to me that on Friday 17th March Lee Holmes wrote about this very attack on his blog here – http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/. This is pure coincidence and I was not aware of this blog post by Lee at the time.

We all know that Microsoft has added some nice features to PowerShell v5 to help out the Blue teams: Constrained Language Mode, deep script block logging, system-wide transcripts and AMSI, to name a few.
This blog is not a lesson on each of the features mentioned above; for more information, this is a great place to start – Microsoft PowerShell Blue team.
This blog is also not about the awesome bypasses highlighted by Casey Smith, aka @SubTee; again, detailed info can be found here – @SubTee Blog.

What I’ve found is probably not even new, but I can’t find anything written about it. This is a very simple and almost too easy a way to bypass Constrained Language Mode. I still can’t believe it myself.


PoshC2 – New Payloads, New Folder Layout

Since the release of PoshC2 we’ve been hard at work to improve the tool and we’ve recently added some more payloads to the tool.


In addition to the original payloads we’ve added new weaponised Excel, Word and PowerPoint documents. These are blank documents that have the implant embedded into them, ready for you to add content to.

We’ve added a payload that exploits the MS16-051 Internet Explorer vulnerability (vbscript_godmode). Credit for the exploit goes to http://theori.io/research/cve-2016-0189. The HTML payload can be copied directly to a web server, where victims can be directed to it in a red team or social engineering attack.

The engagement folders also have a revised and much cleaner layout.

Further work to improve the whole tool is ongoing, and more new features are planned.

Get PoshC2 here – https://github.com/nettitude/PoshC2, and also check out the wiki for detailed information on the features and usage of PoshC2.

PowerShell PSRemoting Pwnage

Scenario

You have obtained some level of admin creds (local, domain or otherwise) to a Windows server or domain, and there is no RDP. There is, however, the WinRM service, PSRemoting to give it its other name, which allows an admin to create a remote PowerShell session to the server and run commands or scripts, very much like the SSH service on Linux systems.
The admin-level creds you have will allow you to connect to the remote server(s) via PSRemoting, and you will want to run hacker PowerShell tools in the remote session to further infiltrate the server or systems. However, given the lack of RDP and the locked-down state of the network and services, you may struggle to get the likes of PowerSploit onto the remote system.

So, for instance, we might want to run Invoke-Mimikatz on the remote server to extract clear-text credentials stored on the server. Let's explore PSRemoting in a little more depth.


PoshC2 – Powershell C2

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language as it provides all of the functionality and rich features required without needing to introduce multiple languages to the framework.

More information on:

https://www.github.com/Nettitude/PoshC2/wiki

https://www.github.com/Nettitude/PoshC2

https://labs.nettitude.com/tools/poshc2/ 

HTTP Security Headers Script

I wrote this little PowerShell script to quickly test for HTTP Security Headers.

It still needs improvements, but it’s mostly there.

Hope you find it useful. If you find any issues, please let me know via GitHub and I'll try to fix them ASAP.

https://github.com/davehardy20/PowerShell-Scripts/blob/master/Get-HttpSecHead.ps1

[Edit]

I’ve added logging functionality to write all of the script output to a file.


Also forgot to mention this script requires PowerShell 3.0.
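The kind of check the script above performs, written here as an added Python example (not the author's Get-HttpSecHead.ps1 and not taken from it): it parses a raw HTTP response into headers and reports each expected security header as present, missing, or present with a weak value. The expected-header list, the one-year HSTS threshold and the sample response are assumptions constructed for this example.

```python
import re

# Headers a quick audit expects to see (constructed list for this example).
EXPECTED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line + headers) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # the blank line ends the header block; the body is ignored
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(headers: dict) -> dict:
    """Return {header: finding}: 'ok', 'missing', or why the value is weak."""
    findings = {name: ("ok" if name in headers else "missing") for name in sorted(EXPECTED)}
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not age or int(age.group(1)) < 31536000):
        findings["strict-transport-security"] = "weak: max-age below one year"
    if headers.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings["x-content-type-options"] = "weak: expected nosniff"
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings["x-frame-options"] = "weak: expected DENY or SAMEORIGIN"
    elif not xfo and "frame-ancestors" in headers.get("content-security-policy", "").lower():
        findings["x-frame-options"] = "ok (covered by CSP frame-ancestors)"  # modern replacement
    return findings

# Constructed sample response: HSTS present but short-lived, no CSP, bad X-Frame-Options.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL
Content-Type: text/html

<html>...</html>"""

if __name__ == "__main__":
    for header, result in check_security_headers(parse_headers(SAMPLE_RESPONSE)).items():
        print(f"{header:32} {result}")
```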

Update to Metasploit Framework v4.10.1-dev – Changes needed.

The recent update to Metasploit Framework 4.10.1-dev brought in some changes, and some stuff stopped working for me.
Firstly, the new changes required me to copy my database.yml file into a newly created folder in the framework's directory.
This is fixed simply by copying the existing database.yml file into the new folder:

cp /opt/framework/database.yml /opt/framework/config/database.yml

Another change simply stopped my custom msfconsole.rc file being loaded. I use the file to automatically load the pentest and nessus plugins by Carlos Perez (https://github.com/darkoperator?tab=repositories)

and to change the prompt in the console so it tells me my local IP address and how many sessions and jobs are running:

load pentest
load nessus
load history
set PROMPT %blu%T %redS:%S %yelJ:%J %redIP:%L %grn msf

Anyway, the way to make this load at run time is with the following command:

msfconsole -r /root/.msf4/msfconsole.rc

Another issue has come to light today, which I'm not affected by unless I just run

msfconsole or ./msfconsole

The newer version of Metasploit requires a database to be set up and running; you can bypass the error, if you don't want to have a database set up, by running:

msfconsole

or, as I do, use a small shell script located in /usr/local/bin, which takes care of starting and stopping the postgresql server as required:


#!/bin/bash
# Start the database, run msfconsole with the database config and the rc file,
# then stop the database again once msfconsole exits.
systemctl start postgresql
cd /opt/framework || exit 1
./msfconsole -y database.yml -r /root/.msf4/msfconsole.rc
systemctl stop postgresql
exit

This should make things work as they previously did.
If your file and folder locations for the framework are different, make sure you substitute them into the commands.

Finding Exposed Http(s) Admin Pages

This post is kinda a fix for a really great series of posts by Chris Gates (@carnalownage). He wrote a blog post about finding exposed web admin pages on a network using Metasploit’s database, Firefox and a plugin called Linky; read it here: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html

Since the article was written, the Rapid7/Metasploit devs chose to change the way web services are listed in Metasploit’s database: they changed them from ‘http’ and ‘https’ to just plain ‘www’.

Oops, edit: the http and https labels have reappeared! The script should still work; just alter the services command to include http and https.

I was on an internal network test this week and wanted to look for exposed web admin pages, so I had to modify the Ruby script that Chris wrote; not rocket science, but the thing works now.


Installing Metasploit Framework GIT version

Recently, with the release of Metasploit 4.5, the developers changed the way the framework is updated; previously it used to be done via ‘svn’, but for various reasons it has been changed to be updated via ‘git’.

The developers also chose to change the ‘Community’ version somewhat: they removed a large chunk of code that was kinda duplicated, and this and other changes have altered the update frequency of the framework. The Community version now only receives updated modules etc. on a weekly basis, as the updates are QA’ed in the same way the Pro version is. The Community version also has to be activated to allow it to be updated.

There is still a way for developers, pentesters or guys who just want the latest version. It follows the ‘old way’, where the framework shipped without the database but with support to connect to one.

I’ll show you here how to set up the git version of the framework. I did this on my pentesting laptop, which runs Arch Linux, but as the framework is written in ‘ruby’ it should be the same for any distro.

First off we need to install git, if you don’t already have it installed:

sudo pacman -S git
