Simple Bypass for PowerShell Constrained Language Mode

Edit – I just had it pointed out to me that on Friday 17th March Lee Holmes wrote about this very attack on his blog here – http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/. This is pure coincidence and I was not aware of Lee's blog post at the time.

We all know that Microsoft has added some nice features to PowerShell v5 to help out the Blue teams: Constrained Language Mode, deep script block logging, system-wide transcripts and AMSI, to name a few.
This blog is not a lesson on each of the features mentioned above; for more information, this is a great place to start – Microsoft PowerShell Blue team.
This blog is also not about the awesome bypasses highlighted by Casey Smith, aka @SubTee; again, detailed info can be found here – @SubTee Blog.

What I’ve found is probably not even new, but I can’t find anything written about it. This is a very simple, almost too easy, way to bypass Constrained Language Mode. I still can’t believe it myself.


Active Directory KungFu – Messing With Users & Computers

Recently, on an internal pentest, I needed to get a new user into the Domain Admins group, which I couldn’t manage to accomplish with the usual net localgroup group username /add /domain command. I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.

I really needed to get a user into Domain Admins; I had a token impersonation of a domain admin, but couldn’t sign on to a DC because I had no password.

So I thought: what about the Directory Services commands – DSQUERY, DSMOD and all of the other DS commands? I might be able to add a user to the Domain Admins group that way.

DSQUERY Command @ Technet

http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx

DSMOD Command @ Technet

http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx

So, OK, let’s have a look at these commands and what to do with them.


Re Think On Pentest Lab – We Go Totally Open Source

Having played around with my previous Virtual Pentest Lab, I found it more than up to the job; Citrix’s XenServer is, after all, the best virtualisation system around, and for not very much money, or free if you don’t need the fancy extras – I have a 2-node XenServer system with an OpenFiler SAN at the office without the Essentials licence and it makes life sooooo easy.

Anyway, we digress; back to my home pentest lab. Well, back to the day job first, because another virtualisation system I have set up at the office is a fantastic product created by the guys at Proxmox – http://www.proxmox.com/products/proxmox-ve
