Skip to main content
  1. Hacking/

Windows

Disclaimer: These are my personal notes, published "as-is" without warranty or guarantee of any kind. Use at your own risk. Licensed CC BY-NC-SA 4.0.

Commands #

General #

Get Windows version:

Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber

Walk through all files in the C drive, one screen at a time:

tree c:\ /f | more

List all subdirectories contents within another subdir:

Get-ChildItem -Path C:\Users\Administrator\Downloads -Recurse

List permissions of a specific directory. See the icacls reference for output including other options like grant:

icacls c:\windows

List running services:

Get-Service | ? {$_.Status -eq "Running"}
Get-Service | ? {$_.Status -eq "Running"} | fl # shows extra info

Manage a service named wuauserv. sdshow output is in SDDL:

sc qc wuauserv # query
sc stop wuauserv # stop (needs elevated privs)
sc sdshow wuauserv # view service perms

Show service permissions:

Get-ACL -Path HKLM:\System\CurrentControlSet\Services\wuauserv | Format-List

Enable WSL:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Query registry key:

reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

AD get user attributes/privs (ref):

Get-ADUser -Identity htb-student # specific user
whoami /priv # current user

AD list domain admins:

Get-ADGroup -Identity "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members

NTLM Hash Cracking #

Use [[Responder]] to get the NTLM hash then crack it with John.

echo "Administrator::RESPONDER:81c52155620d80d0:47825D3134646498212FAB22A2AD671A:0101000000000000804556E0679ED8014716E858CCE2CFFA00000000020008003800510058004E0001001E00570049004E002D0043005A0030004A00360039004D004F004B0046004D0004003400570049004E002D0043005A0030004A00360039004D004F004B0046004D002E003800510058004E002E004C004F00430041004C00030014003800510058004E002E004C004F00430041004C00050014003800510058004E002E004C004F00430041004C0007000800804556E0679ED801060004000200000008003000300000000000000001000000002000006324F7C1510A87EC0E2018FD19F16F33670CCF4EAA7FE82ECAF9D8C3B518653C0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00330036000000000000000000" > hash.txt
john -w=/usr/share/wordlists/rockyou.txt hash.txt

Notes #

Authentication #

  • Part of workgroup = auth via local Windows database.
  • Part of a domain = auth via Active Directory.

LFI #

  • LFI Payloads e.g. ../../../../../../../../windows/system32/drivers/etc/hosts

WinRM Session #

evil-winrm -i $IP -u administrator -p password

Other pages #