# Windows | **Command** | **Description** | | -------------------------------------------------------------- | ----------------------------------------------------------------------- | | `xfreerdp /v: /u:htb-student /p:` | RDP to lab target | | `Get-WmiObject -Class win32_OperatingSystem` | Get information about the operating system | | `dir c:\ /a` | View all files and directories in the c:\ root directory | | `tree ` | Graphically displaying the directory structure of a path | | `tree c:\ /f \| more` | Walk through results of the `tree` command page by page | | `icacls ` | View the permissions set on a directory | | `icacls c:\users /grant joe:f` | Grant a user full permissions to a directory | | `icacls c:\users /remove joe` | Remove a users' permissions on a directory | | `Get-Service` | `PowerShell` cmdlet to view running services | | `help ` | Display the help menu for a specific command | | `get-alias` | List `PowerShell` aliases | | `New-Alias -Name "Show-Files" Get-ChildItem` | Create a new `PowerShell` alias | | `Get-Module \| select Name,ExportedCommands \| fl` | View imported `PowerShell` modules and their associated commands | | `Get-ExecutionPolicy -List` | View the `PowerShell` execution policy | | `Set-ExecutionPolicy Bypass -Scope Process` | Set the `PowerShell` execution policy to bypass for the current session | | `wmic os list brief` | Get information about the operating system with `wmic` | | `Invoke-WmiMethod` | Call methods of `WMI` objects | | `whoami /user` | View the current users' SID | | `reg query ` | View information about a registry key | | `Get-MpComputerStatus` | Check which `Defender` protection settings are enabled | | `sconfig` | Load Server Configuration menu in Windows Server Core | *** ## Introduction to Windows Command Line *** ## Admin Commands | **Command** | **Description** | | ------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | | `xfreerdp /v: /u: /p:` | Initiate a RDP connection with the target host. | | `ssh @` | Connect to target host via SSH. | | `` | When you see `` specified in the commands below, it is saying to use the Pipe key (shift+backslash on US Keyboard layouts). | *** ## General Commands | **Command** | **Description** | | --------------------- | --------------------------------------------------------------------------------------- | | `help ` | Provides help information for Windows commands. | | `Get-Help ` | Displays help about Windows PowerShell cmdlets and concepts. | | `Update-Help` | Downloads and installs the most up-to-date help files for Windows PowerShell. | | `CTRL-C` | Interrupts a currently running process. | | `Get-Module` | View the modules loaded into your PowerShell session. | | `Import-Module` | Import a module into your PowerShell session. | | `Get-Command` | View all commands, cmdlets, functions, and aliases loaded into your PowerShell session. | | `Set-Location ` | Changes our location in the filesystem. Same as using CD. | | `Get-Content ` | View the contents of an object. Similar to type or cat. | | `systeminfo` | Displays operating system configuration information for a local or remote machine. | | `hostname` | Displays the name of the current host. | | `ver` | Displays the current Windows version. | *** ## Terminal History | **Command/Key** | **Description** | | ----------------- | --------------------------------------------------------------------------------------------------------------------------- | | `doskey /history` | Prints out the session's command history to the terminal or output it to a file when specified. | | `page up` | Places the first command in our session history to the prompt. | | `page down` | Places the last command in history to the prompt. | | `⇧` | Scrolls up through our command history to view previously run commands. | | `⇩` | Scrolls down to our most recent commands run. | | `⇨` | Types the previous command to prompt one character at a time. | | `F3` | Retypes the entire previous entry to our prompt. | | `F5` | Pressing F5 multiple times allows us to cycle through previous commands. | | `F7` | Opens an interactive list of previous commands. | | `F9` | Enters a command to our prompt based on the number specified. The number corresponds to the command's place in our history. | *** ## File & Directory Commands **CMD.exe** | **Command** | **Description** | | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `dir` | Lists directory contents. | | `dir /A ` | List directory contents with the specified attributes. | | `dir /A:H` | List hidden files in the current directory. | | `dir /A:R` | List read-only files in the current directory. | | `cd` | Prints current working directory. | | `chdir` | Prints current working directory. Alternate command. | | `cd ` | Changes the directory. | | `chdir ` | Changes the directory. Alternate command. | | `tree ` | Graphically displays the directory structure from the specified path. | | `tree /F ` | Graphically displays the directory structure from the specified path, including files within the directory | | `cls` | Clears the terminal. | | `mkdir ` | Creates a directory in the current working directory(or specified directory) with the specified name. | | `md ` | Creates a directory in the current working directory(or specified directory) with the specified name. Alias of mkdir. | | `rmdir ` | Removes a directory in the current working directory(or specified directory) with the specified name. | | `rd ` | Removes a directory in the current working directory(or specified directory) with the specified name. Alias of rmdir | | `rmdir /S ` | Recursively removes all directories and files in the specified directory. | | `move [source] [destination]` | Move file(s) from the source folder to the destination folder. | | `copy [source] [destination]` | Copy file(s) from the source folder to the destination folder. Only works with files and not folders. | | `copy [source] [destination] /V` | Copy file(s) from the source folder to the destination folder. Validates that the file or files are copied correctly. | | `xcopy [source] [destination]` | Copy file(s) and folder(s) from the source folder to the destination folder. Replaced by Robocopy and currently deprecated. | | `xcopy /E [source] [destination]` | Copy file(s) and folder(s) from the source folder to the destination folder, including empty directories. | | `xcopy /K [source] [destination]` | Copy file(s) and folder(s) from the source folder to the destination folder. Retains the current attributes of the copied files. | | `robocopy [source] [destination]` | Copy files(s) and folder(s) from the source folder to the destination folder. It has a more robust feature set compared to xcopy. | | `robocopy /E /MIR /A-:SH [source] [destination]` | Copy files(s) and folder(s) from the source folder to the destination folder. Mirrors the destination directory to the source and clears any additional attributes using the `/A-:SH` parameter. | | `more ` | Displays the output of a file or command one screen at a time. | | `more /S ` | Displays the output of a file or command one screen at a time. Compresses multiple blank lines into a single line. | | ` more` | Displays the output of a command through a to `more`. | | `type ` | Displays the contents of a file. | | `fsutil file createNew ` | Creates a new file with a specified file name and length. | | `echo "example string" > ` | Writes the contents provided into a new or existing file with the specified filename. If the file does not exist, a new one will be created; otherwise, the previous file's contents will be overwritten. | | `echo "example string" >> ` | Appends the provided contents to an existing file. | | `ren ` | Renames a file. | | `del ` | Deletes a file or files. | | `del /A:R ` | Deletes a file or files with the read-only attribute set. | | `del /A:H ` | Deletes a file or files with the hidden attribute set. | | `erase ` | Deletes a file or files. Interchangeable with `del` command. | **PowerShell** | **Command** | **Alias** | **Description** | | -------------------------------------------------- | ------------------------------------------- | ------------------------------------------------------------------------------------------------------- | | `Get-Item` | gi | Retrieve an object (could be a file, folder, registry object, etc.) | | `Get-ChildItem` | ls / dir / gci | Lists out the content of a folder or registry hive. | | `New-Item` | md / mkdir / ni | Create new objects. ( can be files, folders, symlinks, registry entries and more) | | `new-item -name "Name" -ItemType ` | Specify the new items name and object type. | | | `Set-Item` | si | Modify the property values of an object. | | `Copy-Item` | copy / cp / ci | Make a duplicate of the item. | | `Rename-Item` | ren / rni | Changes the object name. | | `Rename-Item .\Object-1.md -NewName Object-2.md` | Rename object-1 to object-2. | | | `Remove-Item` | rm / del / rmdir | Deletes the object. | | `Get-Content` | cat / type | Displays the content within a file or object. | | `Add-Content "Content to add"` | ac | Append content to a file. | | `Set-Content` | sc | overwrite any content in a file with new data. | | `Clear-Content` | clc | Clear the content of the files without deleting the file itself. | | `Compare-Object` | diff / compare | Compare two or more objects against each other. This includes the object itself and the content within. | *** ## Input/Output Operators | **Operator** | **Description** | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `[command] > [file]` | Redirects the output from a command into a file. Overwrites the specified files' contents. | | `[command] >> [file]` | Redirects the output from a command into a file. Appends additional output without overwriting the file's original contents. | | `[command] < [file]` | Redirects the output of the file and passes it into the command. | | \`\[command] | \[command2]\` | | `[command] & [command2]` | Executes both commands in succession. It does not perform checks to see if either command passes or fails. | | `[command] && [command2]` | Checks to see if the first command executes successfully and then executes the second command. If the first command fails, the current command execution halts and the second command is not executed. | | \`\[command] | | *** ## Find & Filter Content **CMD.exe** | **Command** | **Description** | | ------------------------------------- | --------------------------------------------------------------------------------------------------------------- | | `where ` | Displays the location of file(s) provided. | | `where /R ` | Recursively searches for the file(s) provided starting from the specified directory. | | `find "example string" ` | Searches for a string of text in a file or files, and displays lines of text that contain the specified string. | | `findstr` | Searches for patterns of text in files. Similar to `grep` on Unix/Linux. | | `comp ` | Compares the contents of two files or sets of files byte-by-byte. | | `fc ` | Compares two files or sets of files and displays the differences between them. | | `sort` | Reads input, sorts data, and writes the results to the screen, a file, or another device. | **PowerShell** | **Command** | **Description** | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | | `Get-Item get-member` | Use Get-Item to select an object and then Get-Member to view the object's properties. | | `Get-Item Select-Object -Property *` | Select an object and then view its Property values. | | `Get-Item * Select-Object -Property Name,PasswordLastSet` | Select objects and then filter to view specific properties. | | `Get-Item * Sort-Object -Property Name Group-Object -property Enabled` | Sort and view Objects by a specific property setting. | | `Get-ChildItem -Path C:\Users\MTanaka\ -File -Recurse` | List all File objects in the directory specified. | | `Get-Childitem -Path C:\Users\MTanaka\ -File -Recurse -ErrorAction SilentlyContinue where {($_.Name -like "*.txt")}` | Search for all objects with the '.txt' file extension. | | `Get-Childitem –Path C:\Users\MTanaka\ -File -Recurse -ErrorAction SilentlyContinue where {($_.Name -like "*.txt" -or $_.Name -like "*.py" -or $_.Name -like "*.ps1" -or $_.Name -like "*.md" -or $_.Name -like "*.csv")}` | Search for objects matching a list of different file extensions. | | `Get-ChildItem -Path C:\Users\MTanaka\ -Filter "*.txt" -Recurse -File sls "Password","credential","key"` | Searching for keywords within an object's content. | *** ## User Commands **CMD.exe** | **Commands** | **Description** | | ---------------- | --------------------------------------------------------------------------------------------------------------------------------- | | `whoami` | Displays the username of the currently logged-on user. | | `whoami /priv` | Displays the security privileges of the current user. | | `whoami /groups` | Displays the user groups that the current user belongs to. | | `whoami /all` | Displays all information about the current user, including username, security identifiers (SID), privileges, and groups. | | `net user` | Displays a list of the user accounts on the computer | | `net localgroup` | Displays the name of the server and the names of local groups on the computer. | | `net group` | Displays the name of a server and the names of groups on the server. Only able to be used if the machine is joined to the domain. | **PowerShell** | **Commands** | **Description** | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | | `Get-LocalGroup` | View all groups specific to the host only. | | `Get-LocalUser` | View all local users. Similar to net user. | | `New-LocalUser -Name "username" -NoPassword` | Create a new Local user. | | `Set-LocalUser -Name "username" -Password $Password -Description "users description"` | Modify a local user's settings. | | `Get-LocalGroupMember -Name "Group Name"` | Check Group membership. | | `AddLocalGroupMember -Group "Group Name" -Member "User-To-Add"` | Add a user to a local group. | | \`Get-WindowsCapability -Name RSAT\* -Online | Add-WindowsCapability -Online\` | | `Get-Module -Name ActiveDirectory -ListAvailable` | Locate the Active Directory module. | | `Get-ADUser -FIlter *` | List all domain users. | | `Get-ADUser -Identity ` | Show a specific domain user and its properties. | | `Get-ADUser -Filter {EmailAddress -like '*greenhorn.corp'}` | Filter domain users based on the EmailAddress property. | | `New-ADUser -Name "UserName" -Surname "Last Name" -GivenName "First Name" -Office "Security" -OtherAttributes @{'title'="Sensei";'mail'="UserName@greenhorn.corp"} -Accountpassword (Read-Host -AsSecureString "AccountPassword") -Enabled $true` | Create a New Domain user and set its properties such as name, password, and other attributes. | | `Set-ADUser -Identity -Description " Information we want in the description field"` | Modify the property settings of a domain user. | *** ## Networking Commands **CMD.exe** | **Command** | **Description** | | ------------------ | --------------------------------------------------------------------------------------------------- | | `ipconfig` | View basic networking configurations. | | `ipconfig /?` | Displays help and usage information for `ipconfig`. | | `ipconfig /all` | View detailed networking configuration information. | | `net` | CLI utility containing multiple commands to manage and configure network resources. | | `net share` | Displays info about all of the resources that are shared on the local computer. | | `net view` | Displays a list of domains, computers, or resources being shared by the specified computer. | | `arp` | Displays and manages the contents and entries within the `Address Resolution Protocol` (ARP) cache. | | `arp /a` | Displays the contents and entries contained within the `Address Resolution Protocol` (ARP) cache. | | `netstat -an` | Display current network connections. | | `nslookup ` | Query DNS for a name or address. | **PowerShell** | **Command** | **Description** | | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------- | | `Get-NetIPInterface -ifIndex <#>` | Retrieve network adapter `properties` of the interface listed as ifIndex #. | | `Get-NetIPAddress` | Retrieves the `IP configurations` of each adapter. Similar to `IPConfig`. | | `Get-NetNeighbor` | Retrieves the `neighbor entries` from the cache. Similar to `arp -a`. | | `Get-Netroute` | Will print the current `route table`. Similar to `IPRoute`. | | `Set-NetAdapter` | Set basic adapter properties at the `Layer-2` level, such as VLAN id, description, and MAC-Address. | | `Set-NetIPInterface` | Modifies the `settings` of an `interface` to include DHCP status, MTU, and other metrics. | | `Set-NetIPAddress` | Modifies the `configuration` of a network adapter. | | `Disable-NetAdapter` | Used to `disable` network adapter interfaces. | | `Enable-NetAdapter` | Used to turn network adapters back on and `allow` network connections. | | `Restart-NetAdapter` | Used to restart an adapter. It can be useful to help push `changes` made to adapter `settings`. | | `test-NetConnection` | Allows for `diagnostic` checks to be run on a connection. It supports ping, tcp, route tracing, and more. | | `Get-WindowsCapability -Online Where-Object Name -like 'OpenSSH*'` | List Windows packages for OpenSSH. | | `Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0` | Install the SSH package to the host. | | `ssh @` | Basic SSH connect string. | | `ssh-keygen` | Generate SSH keys for the user you run the command as. This enables the use of the user for remote login. | | `winrm quickconfig` | Enable WinRM. | | `Test-WSMan -ComputerName "10.129.224.248"` | Test if the host specified has WinRM running. | | `Enter-PSSession -ComputerName 10.129.224.248 -Credential htb-student -Authentication Negotiate` | Start a remote PowerShell session with the host specified. | *** ## Environment Variables | **Command** | **Description** | | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | `%EXAMPLE_VARIABLE%` | Example format for an environment variable. | | `set` | Prints all available environment variables on the system. | | `set <%VARIABLE_NAME%>` | Prints out the value of the environment variable specified. It can also be used to set the variable's value. | | `echo <%VARIABLE_NAME%>` | Prints out the value of the environment variable specified. It cannot make any edits to variables and will only print out the values to the console. | | `set <%VARIABLE_NAME%>=` | Creates a new environment variable or modifies an existing one and sets the value for the current command line session. | | `setx <%VARIABLE_NAME%> ` | Creates a new environment variable or modifies an existing one and sets the value globally by making changes to the registry. | | `set <%VARIABLE_NAME%>=` | Removes the environment variable with the specified name for the current command line session. | | `setx <%VARIABLE_NAME%> ""` | Removes the environment variable with the specified name globally. | *** ## Services **CMD.exe** | **Command** | **Description** | | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | `sc query` | Lists all `running` services and provides additional information for each service. | | `sc query ` | Lists details about a specific service by name. | | `sc start ` | Start a service by name. | | `sc stop ` | Stop a service by name. | | `sc config start= disabled` | Change settings of the service specified. | | `tasklist /svc` | Provide a list of services running under each process on the system. | | `net start` | List all `running` services. | | `wmic service list brief` | List all services on the system using `WMIC`. Includes information such as: `ExitCode`, `Name`, `ProcessID`, `StartMode`, `State`, and `Status`. | **PowerShell** | **Command** | **Description** | | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | | `Get-service` | List all services | | `Get-Service ft DisplayName,Status` | List all services and format their information by DisplayName and Status. | | `Get-Service where DisplayName -like '*Name*' ft DisplayName,ServiceName,Status` | Query for a specific service whose name matches '*name*'. | | `Start-Service ` | Start a service by name. | | `Stop-Service ` | Stop a service by name. | | `Set-Service -Name -StartType Disabled` | Change settings of the service specified. | | `Get-service -ComputerName ACADEMY-ICL-DC` | Remote query of a hosts services. | | \`Get-Service -ComputerName ACADEMY-ICL-DC | Where-Object {$\_.Status -eq "Running"}\` | | `Invoke-command -ComputerName ACADEMY-ICL-DC,LOCALHOST -ScriptBlock {Get-Service -Name 'windefend'}` | Issue the Get-Service command on a list of hosts. | *** ## Scheduled Tasks | **Command** | **Description** | | ------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------- | | `schtasks` | Displays all tasks scheduled on the local machine. | | `schtasks /query` | Displays all tasks scheduled on the local machine. Interchangeable with `schtasks` command. | | `schtasks /query /V /FO list` | Displays all scheduled tasks with `verbose` information in a `list` format. | | `schtasks /create` | Allows for the creation of scheduled tasks. | | `schtasks /create /sc /tn /tr ` | Creates a new scheduled task based on a select `schedule`, with a provided `name`, and a `program` specified to run when the task starts. | | `schtasks /change` | Allows for modification of an existing scheduled task. | | `schtasks /change /tn /ru /rp ` | Modifies a scheduled task with a specified `name` to run under the `permissions` of the `user account` using the provided `password` for authentication. | | `schtasks /delete` | Allows for the deletion of scheduled tasks. | | `schtasks /delete /tn ` | Deletes a scheduled task with the matching name. | *** ## Interacting With The Web | **Command** | **Description** | | -------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | | `Invoke-WebRequest -Uri "https://website-to-visit" -Method GET` | Utilizes Invoke-WebRequest to browse to a website and issue a GET request. | | `Invoke-WebRequest -Uri "https://website-to-visit.html" -Method GET fl Images` | Issues a GET request to the site specified and then pipes the output to format a list of all image files listed in the site. | | `Invoke-WebRequest -Uri "https://website-to-visit\file.ps1" -OutFile "C:\"` | Downloads a file from the website and writes it to disk with -Outfile. | | `(New-Object Net.WebClient).DownloadFile("https://website-to-visit\tools.zip", "Tools.zip")` | Uses the .NET string Net.WebClient to download a file from the URL specified. | *** ## Event Log | **Command** | **Description** | | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | | `wevtutil el` | Uses the Windows Events Commandline utility to enumerate all log sources. | | `wevtutil gl "name"` | Will gather config information about the log specified. | | `wevtutil qe /c:5 /rd:true /f:text` | Query a log for events. | | `wevtutil epl C:\system_export.evtx` | Export a Log. | | `Get-WinEvent -ListLog *` | List all logging facilities using PowerShell cmdlets. | | `Get-WinEvent -LogName 'Name' -MaxEvents 5 Select-Object -ExpandProperty Message` | View the messages of a specific log. | | `Get-WinEvent -FilterHashTable @{LogName='Security';ID='4625 '}` | Query for a specific log by eventID. | *** ## Windows Registry **Registry Hives** | **Hives** | **Description** | | ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `HKEY_LOCAL_MACHINE` (`HKLM`) | This subtree contains information about the computer's physical state, such as hardware and operating system data, bus types, memory, device drivers, and more. | | `HKEY_CURRENT_CONFIG` (`HKCC`) | This section contains records for the host's current hardware profile. (shows the variance between current and default setups) Think of this as a redirection of the HKLM CurrentControlSet profile key. | | `HKEY_CLASSES_ROOT` (`HKCR`) | Filetype information, UI extensions, and backward compatibility settings are defined here. | | `HKEY_CURRENT_USER` (`HKCU`) | Value entries here define each user's specific OS and software settings. Roaming profile settings, including user preferences, are stored under HKCU. | | `HKEY_USERS` (`HKU`) | The local computer's default User profile and current user configuration settings are defined under HKU. | **Registry Commands** | **Command** | **Description** | | ------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------- | | `Get-Item -Path Registry::\Path-to-key\ Select-Object -ExpandProperty Property` | See the sub-keys and properties of a registry key. | | `Get-ChildItem -Path :\Path-to-key -Recurse` | Recursively search through a Key and all subkeys. | | `Get-ItemProperty -Path Registry::\Path-to-key\key` | View the properties and values of a specific key. | | `REG QUERY \PATH\KEY` | Use reg.exe to query the registry. | | `REG QUERY /F "Password" /t REG_SZ /S /K` | Search for specific strings within the Registry hive. | | `New-Item -Path :\PATH\ -Name KeyName` | Create a new Registry Key. | | `New-ItemProperty -Path :\PATH\KEY -Name "ValueName" -PropertyType String -Value "C:\Users\htb-student\Downloads\payload.exe"` | Set a new Value pair within a registry Key. | | `REG add "\PATH\KEY" /v access /t REG_SZ /d "C:\Users\htb-student\Downloads\payload.exe"` | Use Reg.exe to create a new key/value pair. | | `Remove-ItemProperty -Path :\PATH\KEY -Name "name"` | Delete a key/value from the registry. | *** ## PowerShell Scripting **PowerShell Extensions** | **Extension** | **Description** | | ------------- | ------------------------------------------------------------------------------------------------------------------------------ | | `PS1` | The \*.ps1 file extension represents executable PowerShell scripts. | | `PSM1` | The \*.psm1 file extension represents a PowerShell module file. It defines what the module is and what is contained within it. | | `PSD1` | The \*.psd1 is a PowerShell data file detailing the contents of a PowerShell module in a table of key/value pairs. |