# Basic Windows Commands

{% content-ref url="/pages/r8R7Ae6z3VSZUr1kogqn" %}
[LOL Bins](/0xss0rz/pentest/internal-pentest/lol-bins.md)
{% endcontent-ref %}

## Basic enum commands

{% content-ref url="/pages/0b9LbphYqdbfM7CTUrJZ" %}
[Enumeration from Windows Host](/0xss0rz/pentest/internal-pentest/reconaissance/enumeration-from-windows-host.md)
{% endcontent-ref %}

| **Command**                                             | **Result**                                                                                 |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| `hostname`                                              | Prints the PC's Name                                                                       |
| `[System.Environment]::OSVersion.Version`               | Prints out the OS version and revision level                                               |
| `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Prints the patches and hotfixes applied to the host                                        |
| `ipconfig /all`                                         | Prints out network adapter state and configurations                                        |
| `set`                                                   | Displays a list of environment variables for the current session (ran from CMD-prompt)     |
| `echo %USERDOMAIN%`                                     | Displays the domain name to which the host belongs (ran from CMD-prompt)                   |
| `echo %logonserver%`                                    | Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt) |
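The same facts as the table above, gathered by one PowerShell function. This is an added example, not code from the original page; it uses `Get-CimInstance` on `Win32_QuickFixEngineering` (what `Get-HotFix` wraps) instead of `wmic qfe`, because `wmic.exe` is deprecated and absent on recent Windows builds, and `Get-NetIPConfiguration` as the cmdlet form of `ipconfig /all`.

```powershell
# Added example (not from the original page): one object with hostname, OS, domain,
# logon server, patch list and adapter configuration.
function Get-HostBaseline {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Installed patches/hotfixes: CIM equivalent of "wmic qfe get Caption,Description,HotFixID,InstalledOn"
    $hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    # Adapters that currently hold an IPv4 address (cmdlet form of "ipconfig /all")
    $adapters = Get-NetIPConfiguration |
        Where-Object { $_.IPv4Address } |
        Select-Object InterfaceAlias,
                      @{ n = 'IPv4';    e = { $_.IPv4Address.IPAddress -join ',' } },
                      @{ n = 'Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
                      @{ n = 'DNS';     e = { $_.DNSServer.ServerAddresses -join ',' } }

    [pscustomobject]@{
        Hostname     = $env:COMPUTERNAME                                  # hostname
        OSVersion    = [System.Environment]::OSVersion.Version.ToString() # version and revision
        OSCaption    = $os.Caption
        LastBoot     = $os.LastBootUpTime                                 # old uptime = likely unpatched
        Domain       = $env:USERDOMAIN                                    # echo %USERDOMAIN%
        DomainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        LogonServer  = $env:LOGONSERVER                                   # echo %logonserver%
        Hotfixes     = @($hotfixes)
        Adapters     = @($adapters)
    }
}

# Usage: summary first, then the patch list and adapters as tables
$baseline = Get-HostBaseline
$baseline | Select-Object Hostname, OSCaption, OSVersion, LastBoot, Domain, DomainJoined, LogonServer | Format-List
$baseline.Hotfixes | Format-Table -AutoSize
$baseline.Adapters | Format-Table -AutoSize
```

`$env:LOGONSERVER` is only populated for accounts that authenticated against a domain controller; for a local logon it holds the machine name, which is itself a useful signal when reviewing a host.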

## List Local Admins

cmd

```
net localgroup Administrators
```

powershell

```
PS C:\Windows\system32> Get-LocalGroupMember -Group "Administrators"
```

## Privileges

1. `net localgroup`

Once connected, we can check what privileges `bwilliamson` has, starting with the local groups that exist on the host:

```shell-session
*Evil-WinRM* PS C:\> net localgroup

Aliases for \\DC01

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
```

2. `net user username` - Check a user account's properties and privileges, including domain group memberships

```shell-session
*Evil-WinRM* PS C:\> net user bwilliamson

User name                    bwilliamson
Full Name                    Ben Williamson
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/13/2022 12:48:58 PM
Password expires             Never
Password changeable          1/14/2022 12:48:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/14/2022 2:07:49 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.
```

3. `whoami /priv`

{% content-ref url="/pages/vN6ysRMiPVWSiJfOWNUo" %}
[Windows](/0xss0rz/pentest/privilege-escalation/windows.md)
{% endcontent-ref %}
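The local-admin listing and the privilege checks above, combined into one PowerShell report. This is an added example, not from the original page: it looks the Administrators group up by its well-known SID `S-1-5-32-544` (so it also works where the group has a localized name) and reports whether the current token is actually running with administrator rights, which catches membership inherited through a domain group such as `Domain Admins`.

```powershell
# Added example (not from the original page): local Administrators members with SID and
# source, plus an effective check of the current token.
function Get-LocalAdminReport {
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

    # Same data as "net localgroup Administrators", with SID and origin per member
    $members = Get-LocalGroupMember -SID $adminSid | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            SID         = $_.SID.Value
            Source      = $_.PrincipalSource          # Local, ActiveDirectory, ...
            ObjectClass = $_.ObjectClass              # User or Group
            IsBuiltIn   = $_.SID.Value -like '*-500'  # built-in Administrator (RID 500)
        }
    }

    # The token's group list already contains nested domain groups, so this reflects
    # rights inherited through e.g. "Domain Admins". Under UAC a non-elevated shell
    # carries a filtered token: for an admin user this returns False until elevated
    # ("whoami /groups" then shows the group as "Group used for deny only").
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $identity
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        CurrentUser         = $identity.Name
        CurrentTokenIsAdmin = $isAdmin
        Members             = @($members)
        # Anything beyond the built-in account and the expected domain groups deserves a look
        NonBuiltInMembers   = @($members | Where-Object { -not $_.IsBuiltIn })
    }
}

# Usage
$r = Get-LocalAdminReport
'{0} running with admin token: {1}' -f $r.CurrentUser, $r.CurrentTokenIsAdmin
$r.Members | Format-Table Name, ObjectClass, Source, SID -AutoSize
```

`Get-LocalGroupMember` needs the `Microsoft.PowerShell.LocalAccounts` module (Windows PowerShell 5.1 and later); in a remote session it runs with the session's token, so `CurrentTokenIsAdmin` describes that session, not an interactive desktop logon.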

## Add user to admin local group

```
net user <username> <password> /add
net localgroup administrators <username> /add
```

`net user mark Password123 /add && net localgroup administrators mark /add`

{% hint style="warning" %}
*Use a password that satisfies the host's password policy (length and complexity); otherwise the user is not created.*
{% endhint %}

```
PS C:\xampp\htdocs\dev> net user 0xss0rz 0xss0rz /add # The User is not created
PS C:\xampp\htdocs\dev> net user user password /add # The User is not created :(

PS C:\xampp\htdocs\dev> net user 0xss0rz password123! /add
The command completed successfully.                    # The User is created !!!!!

PS C:\xampp\htdocs\dev> net user 0xss0rz
User name                    0xss0rz
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/26/2025 10:07:36 AM
Password expires             3/9/2025 10:07:36 AM
Password changeable          1/27/2025 10:07:36 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

PS C:\xampp\htdocs\dev> net localgroup administrators 0xss0rz /add
The command completed successfully.
PS C:\xampp\htdocs\dev> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
0xss0rz
Administrator
Domain Admins
TRUSTED\Enterprise Admins
The command completed successfully.
```
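The account creation and group change above leave two Security-log events behind: 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). This added example, not code from the original page, pulls them so a defender can see who created which account and who added it to Administrators; it assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled and that the shell is elevated enough to read the Security log.

```powershell
# Added example (not from the original page): recent user creations and local-group
# additions, read by field name from each event's XML rather than by position.
function Get-LocalAdminChanges {
    param(
        [int] $Hours = 24
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4720, 4732   # 4720 = user created, 4732 = member added to local group
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        switch ($e.Id) {
            4720 {
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Event  = 'UserCreated'
                    Actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Target = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    Group  = $null
                }
            }
            4732 {
                # MemberName is often "-" in 4732; the SID is always present, so translate it
                $memberSid = $data.MemberSid
                try {
                    $member = (New-Object System.Security.Principal.SecurityIdentifier $memberSid).Translate(
                                  [System.Security.Principal.NTAccount]).Value
                } catch {
                    $member = $memberSid   # deleted account or unresolvable SID
                }
                [pscustomobject]@{
                    Time   = $e.TimeCreated
                    Event  = 'AddedToLocalGroup'
                    Actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Target = $member
                    Group  = $data.TargetUserName   # the group's name, e.g. Administrators
                }
            }
        }
    }
}

# Usage: account creations plus any addition to Administrators in the last day
Get-LocalAdminChanges -Hours 24 |
    Where-Object { $_.Event -eq 'UserCreated' -or $_.Group -eq 'Administrators' } |
    Format-Table -AutoSize
```

A `UserCreated` row followed within seconds by an `AddedToLocalGroup` row for the same target and actor is exactly the pattern the one-liner above produces, and is a cheap correlation to alert on; on a domain controller the same two IDs are logged for domain-local groups such as Administrators.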

## RunasCs

*RunasCs* is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials.

{% embed url="https://github.com/antonioCoco/RunasCs" %}

```
.\RunasCs.exe administrator password123! "cmd.exe /c type c:\Users\Administrator\Desktop\root.txt"
```

## Read encrypted file

List the EFS-encrypted files on the system (`/u` touches every encrypted file to refresh its keys; `/n` suppresses the update so the command only lists them):

```
c:\Users\Administrator\Desktop>cipher /u /n

Encrypted File(s) on your system:

C:\Users\Administrator\Desktop\root.txt

```

EFS decrypts a file only in the context of a user holding its key, and that key is protected with DPAPI material derived from the user's password, so you need the user's plaintext password to run something (here RunasCs) in their context and read the file. If you don't know the user's password, change it:

```
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user administrator "password123!"
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Documents> .\RunasCs.exe administrator password123! "cmd.exe /c type c:\Users\Administrator\Desktop\root.txt"
```
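Before resetting anyone's password it is worth knowing which certificates can already decrypt a file: the current user may hold a key, or a data recovery agent may. This added example (not from the original page) finds encrypted files under a path, the per-directory view of what `cipher /u /n` lists system-wide, and asks `cipher /c` for each file's key holders. Parsing of the `cipher /c` output assumes the English text layout ("Users who can decrypt:" / "Recovery Certificates:").

```powershell
# Added example (not from the original page): EFS files under a path and who can decrypt them.
function Get-EfsFileAccess {
    param(
        [string] $Path = $env:USERPROFILE
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        ForEach-Object {
            $file = $_
            # "cipher /c" reads the file's EFS metadata; it does not need the decryption key itself
            $lines   = & cipher.exe /c $file.FullName 2>&1 | ForEach-Object { "$_".Trim() }
            $section = ''
            $users   = @()
            $agents  = @()
            foreach ($line in $lines) {
                if ($line -match '^Users who can decrypt') { $section = 'users';  continue }
                if ($line -match '^Recovery Certificates')  { $section = 'agents'; continue }
                if ($line -match '^Key Information')        { $section = '';       continue }
                # Skip blank lines and the thumbprint line printed under each principal
                if ($line -eq '' -or $line -match '^Certificate thumbprint') { continue }
                switch ($section) {
                    'users'  { $users  += $line }
                    'agents' { $agents += $line }
                }
            }
            $me = "$env:USERDOMAIN\$env:USERNAME"
            [pscustomobject]@{
                File              = $file.FullName
                CanDecrypt        = $users
                RecoveryAgents    = $agents
                CurrentUserHasKey = [bool]($users | Where-Object { $_ -like "$me*" })
            }
        }
}

# Usage: which encrypted files under the Administrator profile can the current user already read?
Get-EfsFileAccess -Path 'C:\Users\Administrator' | Format-List
```

The password reset shown above works in the domain case because DPAPI master keys of domain accounts are backed up to the domain controller, so the account regains access to its EFS key after the reset. On a standalone host an administrative reset leaves the old master keys unrecoverable; there, an empty `RecoveryAgents` list means the file cannot be read by anyone who did not know the original password, which is also why defenders should deploy a recovery agent before relying on EFS.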

## Mount SMB share

{% content-ref url="/pages/3jW53CaRXMUs4f8szugL" %}
[SMB (445, 139) / RPC](/0xss0rz/pentest/protocols/smb-445-139-rpc.md)
{% endcontent-ref %}
