Windows utilities
Windows utilities that can be used to bypass restrictions
Notepad
In Notepad, create a new text file whose only content is cmd.exe, save it as file.bat, and double-click the file: a cmd window opens.
Cortana
McAfee uncovered and documented the security flaws in a lengthy blog post. One simple issue was that you could trigger the voice assistant from the lock screen (assuming Cortana is enabled in this respect, which it is on default settings) and bring up a contextual Windows 10 menu simply by typing while Cortana is listening to a query on the locked device.
Task Scheduler
An interesting weakness: some systems prevent access to cmd.exe, but it can still be scheduled to run via Task Scheduler, either from the command-line scheduler (at.exe) or the GUI (taskschd.msc). A basic task can be created to run cmd.exe at a specific time (e.g. one minute in the future) or on certain events, such as when a user logs on.
We can also use it to run PowerShell from the path
%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
when a user logs out and back in.
Task Manager
Task Manager: CTRL+SHIFT+ESC -> File -> Run New Task
Printer
Right-click anywhere -> Print -> Find Printer -> browse to cmd.exe
Internet Explorer
Get a cmd shell in Internet Explorer:
Address Bar
Enter in address bar:
file://C:\Windows\System32\cmd.exe
Developer Tools
Developer Tools: press F12 -> Performance tab -> click the third icon, "Importing Profile Session"
Excel
Get a cmd.exe shell using Excel:
Place this in a cell and press enter:
=cmd|' /k cmd.exe'!'A1'
Windows Search
Get a cmd.exe or PowerShell shell using Windows Search:
press the Windows key and type the program name into the search box. Note that admins frequently block cmd.exe and PowerShell but forget to block PowerShell ISE.
Shortcuts
Try keyboard shortcuts:
Shift pressed 5 times = Sticky Keys prompt
Alt + F4 = shut down the computer
Win + R = Run dialog
Ctrl + Shift + Esc = Task Manager
Ctrl + Alt + Delete = security options screen (Task Manager, change password, etc.)
Control Panel
Generating a simple x64 reverse shell in a .cpl format:
Invoke the shellcode via control.exe or rundll32.exe:
control.exe .\FlashPlayerCPLApp.cpl
# or
rundll32.exe shell32.dll,Control_RunDLL file.cpl
# or
rundll32.exe shell32.dll,Control_RunDLLAsUser file.cpl
Paint
An unusual yet effective method of gaining a shell: create a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Because of the way pixel data is written into BMP files, the ASCII bytes that end up in the file can be dictated by carefully selecting certain RGB colours.
Open mspaint.exe and set the canvas size to Width=6 and Height=1 pixels.
Zoom in to make the following steps easier.
Using the colour picker, set the pixel values to (from left to right):
Save it as a 24-bit Bitmap (*.bmp;*.dib).
Change its extension from .bmp to .bat and run it.
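Detection logic for the techniques on this page, as an added example that is not part of the original cheat sheet: it classifies constructed process-creation records against the Excel DDE, Control Panel applet, Task Scheduler and PowerShell ISE cases above, and checks a .bat file for the Notepad and Paint tricks. The Sysmon-like (ParentImage, Image, CommandLine) record layout and the rule names are assumptions.

```python
# Detection helpers for the bypass tricks on this page. Records are constructed
# in a Sysmon-like (ParentImage, Image, CommandLine) shape, an assumed layout.
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}
# Parents that should not normally spawn a shell, per the page: Excel (DDE
# formula), Internet Explorer (address bar / dev tools), Task Manager.
SUSPICIOUS_PARENTS = {"excel.exe", "iexplore.exe", "taskmgr.exe"}
CPL_RE = re.compile(r"(\S+\.cpl)\b", re.IGNORECASE)

def base(path):
    return ntpath.basename(path).lower()

def classify(parent, image, cmdline):
    """Return the names of the page's techniques a process-creation record matches."""
    hits = []
    child, par, cl = base(image), base(parent), cmdline.lower()
    if child in SHELLS and par in SUSPICIOUS_PARENTS:
        hits.append("shell_from_" + par.split(".")[0])
    if child == "powershell_ise.exe":  # often left unblocked when powershell.exe is
        hits.append("powershell_ise_launch")
    if child in {"schtasks.exe", "at.exe"} and ("cmd.exe" in cl or "powershell" in cl):
        hits.append("scheduled_shell")
    if child in {"control.exe", "rundll32.exe"}:
        m = CPL_RE.search(cmdline)
        # a .cpl applet loaded from outside System32 is not a built-in one
        if m and "\\windows\\system32\\" not in m.group(1).lower():
            hits.append("custom_cpl_applet")
    return hits

def bat_is_suspicious(name, data):
    """Notepad/Paint tricks: a .bat that is really a bitmap, or is only 'cmd.exe'."""
    if ntpath.splitext(name)[1].lower() not in (".bat", ".cmd"):
        return False
    return data[:2] == b"BM" or data.strip().lower() in (b"cmd.exe", b"powershell.exe")

# Constructed sample events (not real telemetry): parent, image, command line.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /k cmd.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL file.cpl"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\control.exe",
     r"control.exe C:\Windows\System32\main.cpl"),  # built-in applet, benign
]

def scan(events=SAMPLE_EVENTS):
    return [(base(img), h) for p, img, cl in events if (h := classify(p, img, cl))]
```

The built-in applet event is deliberately left unflagged to show the System32 path check; feed scan() your own records in the same three-field shape.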