Devel - Powershell revshell

Hello !
This post contains huge spoilers about Devel so don’t go further if you’re still working on it and don’t wanna destroy the fun :)

I just rooted Devel using JuicyPotato and netcat. Everything’s well, I got a shell under NT AUTHORITY\SYSTEM and took some time to practice my root dance.
But I was curious and wanted to try to get a shell without using netcat. All my attempts failed. I tried some scripts from the nishang repo (Invoke-PowerShellTcpOneLine.ps1, Invoke-PowerShellTcpOneLineBind.ps1 and Invoke-PowerShellTcp.ps1), I tried to pass args to powershell either as plaintext or through -EncodedCommand (yes, I did convert them to 16le), no matter my syntax, I just wasn’t able to pop a shell on my listener.
So I was wondering:

  • Is there a way to get a root shell without using netcat? (and possibly without MSF)
  • If not, why? What security system would prevent that and how could I check?

I haven’t tried this and I’ve no idea if it works, but have you tried powercat?

There are countless ways to restrict and limit PowerShell on a Windows machine. For example, Constrained Language Mode can complicate things. But also specific configurations, Windows Defender’s AMSI, etc.
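A defender-side audit of the restrictions this reply names (language mode, execution policy, Defender/AMSI, AppLocker script rules, script block logging), added here as an example and not part of any post in the thread. It assumes the standard policy registry locations and that the Defender and AppLocker cmdlets are present on the host; run it in an elevated session on a machine you administer.

```powershell
# Added example: report the PowerShell controls that would block or record
# a script-based shell. Assumptions: standard policy registry paths; Defender
# and AppLocker modules available (both ship with current Windows builds).
function Get-PowerShellRestrictionReport {
    $report = [ordered]@{}

    # 1. Language mode of this session. 'ConstrainedLanguage' denies most .NET
    #    type access (e.g. New-Object System.Net.Sockets.TCPClient), which is
    #    why many TCP one-liners fail silently under it.
    $report['LanguageMode'] = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 2. Execution policy per scope (applies to script files, not -Command
    #    or -EncodedCommand, so it is rarely the reason a one-liner fails).
    $report['ExecutionPolicy'] = (Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '

    # 3. Defender status. AMSI scans script content only when a registered
    #    antimalware provider such as Defender is running.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $report['DefenderAntimalwareEnabled'] = $mp.AMServiceEnabled
        $report['DefenderRealTimeProtection'] = $mp.RealTimeProtectionEnabled
    } catch {
        $report['DefenderAntimalwareEnabled'] = 'unavailable'
    }
    # Registered AMSI providers (Defender registers itself under this key).
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    $report['AmsiProviderCount'] = @($providers).Count

    # 4. AppLocker script rule collection. An enforced script policy is one
    #    of the configurations that puts powershell.exe into Constrained Language Mode.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $scriptRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
        $report['AppLockerScriptEnforcement'] =
            if ($scriptRules) { $scriptRules.EnforcementMode.ToString() } else { 'NotConfigured' }
    } catch {
        $report['AppLockerScriptEnforcement'] = 'unavailable'
    }

    # 5. Script block logging: when enabled, executed script blocks are written
    #    to the PowerShell operational log (event ID 4104), so an attempt like
    #    the one in this thread would leave a record for the blue team.
    $sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $report['ScriptBlockLogging'] = [bool]($sbl.EnableScriptBlockLogging)

    [pscustomobject]$report
}

Get-PowerShellRestrictionReport | Format-List
```

If LanguageMode reports FullLanguage, Defender is disabled and no AMSI provider is registered, none of the controls named in the reply are what stopped the script, and the cause is more likely in the command itself (quoting, encoding, or the listener).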

I didn’t even know powercat was a thing. I’ll have a look at it, thanks :)