PowerShell Remoting

PS Remoting

PSRemoting uses Windows Remote Management (WinRM). It is enabled by default on Server 2012 onwards with a firewall exception.

It is a high integrity process which means that we always get an elevated shell.

Note: This is why we need admin privileges while running PSRemotingLocalAccess to hunt admin users. Unless it is an admin user, we won't be able to use PSRemoting and hence the test.

To get a shell of another computer using PS Remoting

#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting

#Entering or Starting a new PSSession (Needs Admin Access)
Enter-PSSession -ComputerName <Name> 

#OR

$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -Sessions <SessionName>

Remote Code Execution with PS Credentials

$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}

Invoke PowerShell Module & Execute Remotely

Remote Code Execution on Multiple Servers using a Target File

WinRS Executable instead of PSRemoting for Stealth