What are AMSI and AppLocker bypasses?

This is a Windows Machine that might have some security features that might be preventing the reverse shell from running on the machine itself. We can assume that AppLocker is in use inside the machine which also leads to AMSI might be active on the machine. Therefore, it might be hard to execute a reverse shell on the machine and we should be looking for another alternative to retrieve a reverse shell on the machine.

After having done some research on the Internet, we found those two resources that we can use for this activity

  1. MinatoTW/CLMBypassBlogpost: This code was used for the blogpost on secjuice. (github.com)
  2. Powershell CLM Bypass Using Runspaces (secjuice.com)

Demonstration of Attack method

The full writeup can be found here for those who want to see how to solve the Sekhmet Machine

For this activity purpose, i will open my Windows with Visual Studio 2022 which is shown in the screenshot above. We should modify the command which sits on LINE 49. For safety purposes, we should be using a single character with the file extension (.ps1)

By default, we can compile the program that we modify by using the command above.

The file should be the same as shown in the screenshot above.

We should start our normal nc as shown above.

Also, we should be starting the python HTTP server

LDAP enumeration with RCE on the Sekhmet machine

Firstly, we should execute some ldif files that we can use as above.

Next, we should be able to upload the file extension of exe into the victim’s machine under c:\windows\debug\wia

As a result, we can update the server by running the ldapmodify

By default, we should be getting the response of d.ps1 should be successfully uploaded into the victim’s machine

It should look something as shown above

Leave a Reply

Your email address will not be published. Required fields are marked *