InfoSec, Microsoft help

Search for any file from a Windows cmd prompt – and read it from cmd prompt too

I was playing a CTF game and was looking for a file called flag1.txt. Due to only having shell access, I found the following method to search for the file across the entire system. You can use wildcards (*) to widen the search:

    dir flag* /s /r

You can play around with the search term,…

InfoSec, Microsoft help

Get the WIFI password on a Win 10 machine using CMD

Right-click on Command Prompt and select Run As Administrator. Type the following command line and hit Enter:

    NETSH WLAN SHOW PROFILE

Type the following command and replace “WIFI” with the network name:

    NETSH WLAN SHOW PROFILE WIFI KEY=CLEAR

Reference: https://helpdeskgeek.com/how-to/find-the-wifi-password-in-windows-10-using-cmd/

Microsoft help

MS: The content type text/html; charset=utf-8 of the response message does not match the content type of the binding error

This problem occurs because the .NET Framework was installed after IIS. You can correct it by registering .NET in IIS again. From an administrative command prompt, type the following:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -ir

Source: https://social.technet.microsoft.com/Forums/office/en-US/4e11483c-e910-476f-897c-381d365f06ec/wac-server-getofficewebappsfarm-the-content-type-texthtml-charsetutf8-of-the-response-message?forum=officesetupdeploy

Microsoft help

MS: Grant yourself admin access to a local SQL Server instance

After inheriting an SQL server with an already revoked SQL administrator account I needed to take ownership of the DB that the previous SQL admin had access to. So I had admin access to the server, but I needed sysadmin access to the SQL Management tool and the databases within it.

Step 1: Stop the…

InfoSec, Linux help, Microsoft help

NSLOOKUP for DNS Queries

Some good ways to query DNS records:

    nslookup domain.domain
    Name: domainserver.domain100.net
    Address: 216.20.23.500

(This is the most basic method of requesting DNS information and will provide you with the IP address - OR if you used the IP address will provide you with an A record)

    nslookup -query=mx domain.domain
    domain.domain          mail…

InfoSec, Microsoft help

Getting Windows info to help escalate privileges

So you've got a shell back onto a Windows system, but you have limited privileges - here are some tips to try in getting information that might assist in escalating privilege:

Query Windows for scheduled tasks:

    schtasks /query /fo LIST /v

To manually view tasks check these locations:

    c:\windows\tasks
    c:\windows\system32\tasks

Find strings that have the…

Microsoft help

MS: Recover private keys using certutil

First off - you need to be in possession of a KRA cert; this will allow you to recover another user's pvt key. Secondly - you need to know what the thumbprint of the corresponding public key is for the pvt key you are trying to retrieve. On the server which archives the end user's pvt…

Microsoft help

MS: PowerShell and Excel to find passwords >= 180 days

This might be a longer process, I'm open to any FREE and better suggestions 😉 , but I'm using this process to find users in the domain with passwords older than 180 days.

    Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info.csv

In Excel I filter…

Microsoft help

MS: Find the owner of a file using PowerShell

We recently had to assist a user who lost a manually added drive mapping after her machine was reloaded. I found this useful command to tell me who the owner/creator of the files is on the server she claimed the files were stored on:

    Get-ChildItem d:\ -recurse | ForEach-Object {Get-Acl $_.FullName}

And to filter for…