# PowerShell Remoting ## PS Remoting PSRemoting uses Windows Remote Management (WinRM). It is enabled by default on Server 2012 onwards with a firewall exception. It is a high integrity process which means that we always get an elevated shell. **Note:** This is why we need admin privileges while running PSRemotingLocalAccess to hunt admin users. Unless it is an admin user, we won't be able to use PSRemoting and hence the test. **To get a shell of another computer using PS Remoting** ```powershell #Enable PowerShell Remoting on current Machine (Needs Admin Access) Enable-PSRemoting #Entering or Starting a new PSSession (Needs Admin Access) Enter-PSSession -ComputerName #OR $sess = New-PSSession -ComputerName Enter-PSSession -Sessions ``` ### Remote Code Execution with PS Credentials {% code overflow="wrap" %} ```powershell $SecPassword = ConvertTo-SecureString '' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('htb.local\', $SecPassword) Invoke-Command -ComputerName -Credential $Cred -ScriptBlock {whoami} ``` {% endcode %} ### Invoke PowerShell Module & Execute Remotely {% code overflow="wrap" %} ```powershell #Execute the command and start a session Invoke-Command -Credential $cred -ComputerName -FilePath c:\FilePath\file.ps1 -Session $sess #Interact with the session Enter-PSSession -Session $sess ``` {% endcode %} ### Remote Code Execution on Multiple Servers using a Target File {% code overflow="wrap" %} ```powershell Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content ) Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content ) ``` {% endcode %} ### WinRS Executable instead of PSRemoting for Stealth {% code overflow="wrap" %} ```powershell winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname ``` {% endcode %}