Skip to content

Instantly share code, notes, and snippets.

@davidlares
Last active July 28, 2022 05:08
Show Gist options
  • Save davidlares/bd22097ea37ced2e32591ec5c9bf186d to your computer and use it in GitHub Desktop.
Save davidlares/bd22097ea37ced2e32591ec5c9bf186d to your computer and use it in GitHub Desktop.
Powershell script for editing local DNS (hosts file) on Windows (contain priv. escalation)

File: setup.ps1

(Scaling privileges and local DNS edit)

This script is adapted to perform a privilege escalation and a custom edition of the local DNS hosts file on Windows machines, located in the C:\Windows\system32\drivers\etc\ directory.

Execution

  1. Changing the default's Restricted ExecutionPolicy to Bypass for the CurrentUser Scope.

powershell Set-ExecutionPolicy Bypass -Scope CurrentUser -Force

  1. Running the command using the action flag, along with the ip and the hostname to edit.

powershell -File ${file} -action ${action} -ip ${ip} -hostname ${hostname}

Here:

  1. file: as setup.ps1
  2. action: activate for adding, deactivate for deletion
  3. IP: as the IP address
  4. Hostname: as the hostname for that particular IP
# entry point (param validation from pipeline)
param(
[Parameter(Mandatory = $True, ValueFromPipeline = $True)] [string] $action,
[Parameter(Mandatory = $True, ValueFromPipeline = $True)] [string] $ip,
[Parameter(Mandatory = $True, ValueFromPipeline = $True)] [string] $hostname,
[switch]$elevated)
# variables
$DNSFile = "$($env:windir)\system32\Drivers\etc\hosts"
# testing validation
function Test-Admin {
$user = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity])::GetCurrent()
$user.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
# removing host
function Remove-Hostname {
param([Parameter(Mandatory = $True, Position = 1)] $ip, [Parameter(Mandatory = $True, Position = 2)] $hostname)
$content = Get-Content -Path $DNSFile
$escaped = [Regex]::Escape($hostname)
if(($content) -match ".*\s+$escaped.*") {
$content -notmatch ".*\s+$escaped.*" | Out-File $DNSFile
}
}
# admin verification + OS build number verification
if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
if((Test-Admin) -eq $False) {
if (-not $elevated) {
Start-Process powershell.exe -Verb RunAs -WindowStyle Hidden -Wait -ArgumentList ('-NoExit -NoProfile -File "{0}" -action "{1}" -ip "{2}" -hostname "{3}" -elevated' -f ($MyInvocation.MyCommand.Definition, $action, $ip, $hostname))
}
exit
}
}
# getting record
$exists = Get-Content -Path $DNSFile | Select-String $hostname
# DNS client address validation
if(($action -like 'activate') -and ($exists.length -eq 0)) {
Add-Content -Path $DNSFile -Value "`r$ip $hostname"
} elseif($action -like 'deactivate') {
Remove-Hostname $ip $hostname | Out-Null
}
# sleep
Sleep 1
# finish script
Stop-Process -Name "powershell"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment