Powershell tools have become a must-have for security professionals in recent years. A few notable tools to mention are PowerSploit, Veil-PowerView, PowerUp and Nishang among others. These tools have each provided value to the Penetration Tester’s arsenal but, they require the tester to utilize some manual practices to employ them on target systems. It is one of my goals make Powershell tools a bit more automated and easier to use during penetration tests by utilizing the power of Cortana and Metasploit. As a result, I have created POSH-Commander to start bringing Powershell tools into the Armitage/Cobalt-Strike interface to improve speed and efficiency on engagements. There is an included Metasploit module remote_powershell.rb that may also be run independently to execute your remotely-hosted Powershell scripts.
In this scenario we are targeting a Windows 7 client connected to a Windows Server 2008 domain controller running Active Directory. The user is a standard domain user with no Administrative privileges. Once we have popped a Meterpreter shell, right-clicking on the host will present a POSH-Commander menu to select Veil-PowerView, PowerUp or a custom script.
For this demonstration, I am going to select PowerUp to see if we have any available options for privilege escalation.
With all modules, you will be presented with a text prompt if you would like to add additional arguments to the command. Please consult the directions in each script for possible arguments to use with each function. Here, I have selected to run the “Invoke-AllChecks” function with no additional arguments.
Once the results return, we see that we have permissions to write to the service-binary of the VMTools service. With this information, I can utilize the “Invoke-ServiceUserAdd” function in PowerUp to manipulate the service to add a local user in the Administrative group for us. This function stops the service, modifies it to create a user, starts the modified service to create our user, stops it again and restores it back to original. Pretty sweet huh?
We right-click the host again and select the PowerUp menu. You’ll notice, you’re provided a new tab for these results so that your previous results stay in their own tab. This time I opt to add arguments to the command as I need to specify the service to manipulate and click “OK” to run the module.
Success! The module has returned “True” telling me that the command has completed successfully and added the script’s default user “John” to the local Administrator’s group. Let’s check.
Interacting with a shell prompt, I run “net user” to check the local users on the target. You can see that “john” has been added to the local users.
This is just one of many possibilities utilizing Cortana/Metasploit and some very handy Powershell scripts. For more information on the scripts mentioned in this post, please visit the links below.