<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Powershell on Taha Draidia</title><link>https://tahadraidia.com/tags/powershell/</link><description>Recent content in Powershell on Taha Draidia</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Fri, 03 Dec 2021 09:48:14 +0000</lastBuildDate><atom:link href="https://tahadraidia.com/tags/powershell/index.xml" rel="self" type="application/rss+xml"/><item><title>Identify Weak Service Configuration With One Liner of Powershell</title><link>https://tahadraidia.com/posts/identify-weak-service-configuration-with-oneliner-of-powershell/</link><pubDate>Fri, 03 Dec 2021 09:48:14 +0000</pubDate><guid>https://tahadraidia.com/posts/identify-weak-service-configuration-with-oneliner-of-powershell/</guid><description>One of the features of the PEN300 MSF script is lazy privilege escalation: it checks for a few common excessive permissions and lack of configuration in certain components of the box.
The missing part was how to identify weak service configuration. The approach was already known; however, how to achieve it using the MSF Ruby API or the Win32 API seemed doomed. The MSF Windows Services class relies on sc_manager, which won&amp;rsquo;t work with a low privileged user.</description></item><item><title>Automate the Reconnaissance Phase</title><link>https://tahadraidia.com/posts/automate-the-reconnaissance-phase/</link><pubDate>Thu, 02 Dec 2021 07:43:03 +0000</pubDate><guid>https://tahadraidia.com/posts/automate-the-reconnaissance-phase/</guid><description>If you have been reading my OSEP (PEN300) post series, you know that I love automating things; the reconnaissance phase is one of the repetitive tasks that you do for each machine you compromise, right?
In this post, I am going to share with you how I took advantage of existing scripts and tools to create, let&amp;rsquo;s say, a reconnaissance script bundle.
The script is written in Powershell; the language has a rich API, especially when it allows us to load .</description></item><item><title>Make SharpRDP a Loadable .NET Assembly</title><link>https://tahadraidia.com/posts/make-sharprdp-a-loadable-dot-net-assembly/</link><pubDate>Mon, 29 Nov 2021 07:21:19 +0000</pubDate><guid>https://tahadraidia.com/posts/make-sharprdp-a-loadable-dot-net-assembly/</guid><description>SharpRDP is a neat tool when it comes to getting command execution via the RDP protocol. The project is written in C# .NET, which makes it perfect to leverage as a .NET assembly; however, in order to load an assembly the binary needs to expose the API, and in this case SharpRDP is built in a way that it can only be used in the traditional way.
If we look at the source code of the project on GitHub, we can clearly see that the Program class has the internal attribute and the two methods have the private attribute.</description></item><item><title>A Class Helper for Metasploit Powershell Extension</title><link>https://tahadraidia.com/posts/write-a-class-helper-for-metasploit-powershell-extension/</link><pubDate>Sun, 28 Nov 2021 15:43:16 +0000</pubDate><guid>https://tahadraidia.com/posts/write-a-class-helper-for-metasploit-powershell-extension/</guid><description>Three weeks ago or so I started writing an MSF script that automates repeated tasks such as running reconnaissance scripts, dumping credentials, listing tokens that could be impersonated, and so on.
The current script does everything I have listed above, among other things; however, part of the code generates Powershell cradles and executes Powershell commands, and I would say that this is not an elegant way to do it.
For instance, here are two examples where I run Powershell commands:</description></item><item><title>Build an Atomic Windows Lab</title><link>https://tahadraidia.com/posts/build-an-atomic-windows-lab/</link><pubDate>Thu, 25 Nov 2021 15:32:12 +0000</pubDate><guid>https://tahadraidia.com/posts/build-an-atomic-windows-lab/</guid><description>I have decided to build a Windows virtual machine to run some test scenarios, with the goal of automating the repetitive tasks we encounter during an engagement.
In a nutshell, we are going to build a vulnerable non-domain Windows machine with different escalation paths, including weak service configuration and Always Install Elevated enabled, with some defenses on such as Windows Defender (LOL) and Powershell restricted language to make it a bit challenging, or should I say interesting.</description></item></channel></rss>