Pentesting Cheatsheet
Powershell Scripting

Last updated 2 years ago

PowerShell is the Windows scripting language and shell environment, built on the .NET framework.

This also allows PowerShell to execute .NET functions directly from its shell. Most PowerShell commands, called cmdlets, are written in .NET. Unlike other scripting languages and shell environments, the output of these cmdlets is objects, which makes PowerShell somewhat object oriented. It also means that running a cmdlet lets you perform actions on the output object (which makes it convenient to pass output from one cmdlet to another). A cmdlet name follows the Verb-Noun format; for example, the cmdlet to list commands is called Get-Command.

Common verbs to use include:

  • Get

  • Start

  • Stop

  • Read

  • Write

  • New

  • Out

Using Get-Help

Get-Help displays information about a cmdlet. To get help about a particular command, run the following:

Get-Help Command-Name

You can also see exactly how to use the command by passing in the -Examples flag, which returns example invocations of the cmdlet.

Using Get-Command

Get-Command lists all the cmdlets installed on the current computer. The great thing about this cmdlet is that it allows for pattern matching, like the following:

Get-Command Verb-* or Get-Command *-Noun

For example, running Get-Command New-* lists all the cmdlets for the verb New.

Object Manipulation

As noted above, the output of every cmdlet is an object. If we want to actually manipulate the output, we need to figure out a few things:

  • passing output to other cmdlets

  • using specific object cmdlets to extract information

The pipeline (|) is used to pass output from one cmdlet to another. A major difference compared to other shells is that instead of passing text (strings) to the command after the pipe, PowerShell passes an object to the next cmdlet. Like every object in object-oriented frameworks, an object contains methods and properties. You can think of methods as functions that can be applied to the output of the cmdlet, and of properties as variables in that output. To view these details, pass the output of a cmdlet to the Get-Member cmdlet:

Verb-Noun | Get-Member

An example of running this to view the members for Get-Command is:

Get-Command | Get-Member -MemberType Method

As the -MemberType flag in that command shows, you can also choose between listing methods and listing properties.

Creating Objects From Previous cmdlets

One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the Select-Object cmdlet.

For example, you can list the directories and select just the Mode and Name properties of each entry.

You can also use the following flags to select particular information:

  • -First: gets the first x objects

  • -Last: gets the last x objects

  • -Unique: shows only the unique objects

  • -Skip: skips x objects

Filtering Objects

When retrieving output objects, you may want to select only the objects that match a very specific value. You can do this with Where-Object, which filters based on the value of a property.

The general format for using this cmdlet is:

Verb-Noun | Where-Object -Property PropertyName -operator Value

Verb-Noun | Where-Object {$_.PropertyName -operator Value}

The second version uses the $_ automatic variable, which refers to the current object as Where-Object iterates through every object passed to it.

PowerShell is quite sensitive to syntax, so make sure you don't put quotes around the command!

Here, -operator is one of the following comparison operators:

  • -Contains: if any item in the property value is an exact match for the specified value

  • -EQ: if the property value is the same as the specified value

  • -GT: if the property value is greater than the specified value

A common use is filtering a list of processes down to those that are stopped.

Sort Object

When a cmdlet outputs a lot of information, you may need to sort it to extract what you want more efficiently. You do this by piping the output of a cmdlet to the Sort-Object cmdlet.

The format of the command is:

Verb-Noun | Sort-Object

For example, pipe the directory listing to Sort-Object to order it by a chosen property.
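The following block is an added example, not part of the original cheatsheet, showing Get-Member, Select-Object, Where-Object (both syntaxes) and Sort-Object together on the page's own examples: directory listings and stopped services. It assumes a standard Windows host with the built-in Get-ChildItem, Get-Service and Get-Process cmdlets.

```powershell
# Added example (not from the original page): the object pipeline in practice.
# Assumes a standard Windows host; Get-ChildItem, Get-Service and Get-Process are built in.

# 1. Inspect what an object exposes before trying to use it: list its properties,
#    keeping only the first five members to keep the output short.
Get-Process | Get-Member -MemberType Property | Select-Object -First 5

# 2. Select-Object: keep only the Mode and Name properties of each directory entry,
#    and only the first five objects.
Get-ChildItem -Path C:\ | Select-Object -Property Mode, Name -First 5

# 3. Where-Object, -Property form: simple comparison against one property.
Get-Service | Where-Object -Property Status -EQ Stopped

#    Where-Object, script-block form: $_ is the current object on the pipeline, so
#    several properties can be combined in one test.
Get-Service | Where-Object { $_.Status -eq 'Stopped' -and $_.StartType -eq 'Automatic' }

# 4. Sort-Object: directories ordered by last write time, newest first. The objects keep
#    all their properties through the pipe, so Select-Object can still pick columns after sorting.
Get-ChildItem -Path C:\ -Directory |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Property Mode, LastWriteTime, Name

# 5. The result of a pipeline is still an object (here an array), so its members can be
#    used directly, e.g. counting the stopped services.
$stopped = Get-Service | Where-Object { $_.Status -eq 'Stopped' } | Sort-Object -Property Name
$stopped.Count
```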

Powershell Commands

Recursively Locate File

Get-ChildItem -Path C:\ -Include *file.txt* -File -Recurse -ErrorAction SilentlyContinue

Get-Content

Get-Content "C:\Program Files\interesting-file.txt"

MD5 Hash

Get-FileHash -Path "C:\Program Files\interesting-file.txt" -Algorithm MD5

Base 64 Decode

certutil -decode "C:\Users\Administrator\Desktop\b64.txt" decode.txt

Local users in System

Get-LocalUser

IP Address Info

Get-NetIPAddress
Get-NetTCPConnection

Get Processes

Get-Process

Find API_KEY in file contents

Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY
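The block below is an added example, not from the original cheatsheet, that combines the one-liners above into three small host-triage functions: mapping listening TCP ports to their owning process, scanning text files for leaked secrets, and hashing binaries under a directory. It assumes Windows PowerShell 5.1 or PowerShell 7 with the NetTCPIP module (Get-NetTCPConnection) available; the function names, default paths and patterns are the author's choices for illustration.

```powershell
# Added example, not from the original page. Function names, default roots and patterns
# are illustrative choices, not part of any project.

function Get-ListeningProcessMap {
    # Join each listening TCP socket to the process that owns it, so an unexpected
    # listener can be tied to a PID and an executable path.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Pid          = $_.OwningProcess
                ProcessName  = $proc.ProcessName   # $null if the process has already exited
                Path         = $proc.Path
            }
        } | Sort-Object -Property LocalPort
}

function Find-SecretsInFiles {
    param(
        [string]$Root = 'C:\Users',
        [string[]]$Patterns = @('API_KEY', 'password\s*=')   # regexes, case-insensitive by default
    )
    # Scan only text-like files, report Path:LineNumber hits, and never stop on unreadable files.
    Get-ChildItem -Path $Root -Include *.txt, *.config, *.ini, *.ps1 -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns |
        Select-Object -Property Path, LineNumber, Line
}

function Get-FileHashReport {
    param([string]$Root = 'C:\Program Files')
    # SHA256 rather than MD5: MD5 collisions are cheap, so an MD5 is not a reliable
    # identity for a binary when comparing against a known-good list.
    Get-ChildItem -Path $Root -Include *.exe, *.dll -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object -Property Hash, Path
}

# Each function returns objects, so the output can be piped onward (Where-Object, Export-Csv, ...).
Get-ListeningProcessMap | Format-Table -AutoSize
```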

For a full list of comparison operators, see the PowerShell documentation.

Learn X in Y Minutes: Scenic Programming Language Tours
Approved Verbs for PowerShell Commands (PowerShell docs, Microsoft)