cool head picture

UNLE⛧SH THE BEAST ト何ゼ

Simple WinRM Shell | Evil WinRM

May 11, 2020 // echel0n

Here is a ruby snippet to get a shell through WinRM service with usage of known credentials.


  1. #!/usr/bin/env ruby

  2. 

  3. require 'winrm'

  4. 

  5. # Author: Alamot

  6. 

  7. conn = WinRM::Connection.new( 

  8.                              endpoint: 'http:/<REPLACE_ME>:5985/wsman',

  9.   transport: :ssl,

  10.   user: 'Administrator',

  11.   password: '<REPLACEME>',

  12.   :no_ssl_peer_verification => true

  13. )

  14. 

  15. command=""

  16. 

  17. conn.shell(:powershell) do |shell|

  18.     until command == "exit\n" do

  19.         output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")

  20.         print(output.output.chomp)

  21.         command = gets        

  22.         output = shell.run(command) do |stdout, stderr|

  23.             STDOUT.print stdout

  24.             STDERR.print stderr

  25.         end

  26.     end    

  27.     puts "Exiting with code #{output.exitcode}"

  28. end