Hello!
This post contains huge spoilers about Devel, so don’t go further if you’re still working on it and don’t want to destroy the fun.
I just rooted Devel using JuicyPotato and netcat. Everything’s well, I got a shell under NT AUTHORITY\SYSTEM and took some time to practice my root dance.
But I was curious and wanted to try to get a shell without using netcat. All my attempts failed. I tried some scripts from the nishang repo (Invoke-PowerShellTcpOneLine.ps1, Invoke-PowerShellTcpOneLineBind.ps1 and Invoke-PowerShellTcp.ps1), I tried to pass args to powershell either as plaintext or through -EncodedCommand (yes, I did convert them to UTF-16LE), and no matter what syntax I used, I just wasn’t able to pop a shell on my listener.
So I was wondering:
- Is there a way to get a root shell without using netcat? (and possibly without MSF)
- If not, why? What security system would prevent that, and how could I check?
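On the "how could I check" side, the thing a defender looks at for this kind of attempt is the process-creation log: a `-EncodedCommand` argument is just the script's UTF-16LE bytes in base64, so it can be reversed during triage to see what was actually run. The helper below is an added example written for this thread, not code from the original post or from the nishang project. It assumes the command lines come from a process-creation source such as Windows event 4688 or Sysmon event 1 (an assumption about the log source); the sample lines it scans are constructed here.

```python
"""Decode PowerShell -EncodedCommand arguments found in process-creation logs.

Added example for this thread, not code from the original post. Assumes the
command lines come from a process-creation source such as Windows event 4688 or
Sysmon event 1 (assumption); the sample log lines below are constructed.
"""
import base64
import re
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, ... -encodedcommand); the /switch spelling is allowed too.
# -ExecutionPolicy does not match because 'x' is neither 'c' nor 'n'.
_ENC_SWITCH = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+=*)")


def encode_for_powershell(script: str) -> str:
    """Produce the form PowerShell expects: UTF-16LE bytes, then base64 text.
    Used here only to build the constructed sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(token: str) -> Optional[str]:
    """Reverse the encoding. Returns None when the token is not valid base64 or
    does not decode as UTF-16LE, so a garbled log line is reported, not fatal."""
    try:
        raw = base64.b64decode(token, validate=True)  # binascii.Error is a ValueError
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_encoded_commands(command_line: str) -> List[str]:
    """Return every decoded -EncodedCommand payload in one command line.
    Undecodable tokens are kept as '<undecodable:...>' so they still surface."""
    found = []
    for match in _ENC_SWITCH.finditer(command_line):
        token = match.group(1)
        decoded = decode_encoded_command(token)
        found.append(decoded if decoded is not None else f"<undecodable:{token[:16]}...>")
    return found


# Constructed sample: three process-creation command lines, one of them encoded.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Date"',
    "powershell.exe -nop -w hidden -enc "
    + encode_for_powershell("Get-Process | Select-Object -First 3"),
    "cmd.exe /c whoami",
]


def triage(command_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only the command lines that carried an encoded payload, each paired
    with the decoded script(s), ready for an analyst to read."""
    results = []
    for line in command_lines:
        decoded = extract_encoded_commands(line)
        if decoded:
            results.append((line, decoded))
    return results


if __name__ == "__main__":
    for line, scripts in triage(SAMPLE_COMMAND_LINES):
        print(line)
        for script in scripts:
            print("  decoded:", script)
```

Run as-is it prints the one encoded sample line together with its decoded script; in practice you would feed it the command-line field exported from your event source. The regex deliberately accepts the abbreviated switch forms, because a long `-EncodedCommand` is rarely what shows up in real command lines.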