COMMAND SHELL

Question 1

recursive where command

Question 1

where command

Question 2

find command

Question 3

commands for finding files and directories and filtering

Answer 3

where
where /R
find
findstr
comp
fc
sort

Question 4

local access to command prompt

Answer 4

Using the Windows key + r to bring up the run prompt, and then typing in cmd.

OR

Accessing the executable from the drive path C:\Windows\System32\cmd.exe

Question 5

remote access to command prompt

Question 6

command shell general commands

Answer 6

help
Get-help
Update-help
Ctrl-C
Get-Module
Import-Module
Get-Command
Set-Location <path>
Get-content <file>
systeminfo
hostname
ver</file></path>

Question 7

help <command></command>

Answer 7

provides help information for windows commands

Question 8

get-help <cmdlet></cmdlet>

Answer 8

displays help about Windows Powershell cmdlets and concepts

Question 9

update-help

Answer 9

downloads and installs the most up to date help files for windows powershell

Question 10

get-module

Answer 10

view the modules loaded into your powershell session

Question 10

ctrl-c

Answer 10

interrupts the currently running process

Question 11

import-module

Answer 11

import a module into your powershell session

Question 12

get-command

Answer 12

view all commands,cmdlets,functions and aliases loaded into your powershell environment

Question 13

set-location <path></path>

Answer 13

changes our location in the filesystem. same as using CD

Question 14

get-content <file></file>

Answer 14

view the contents of an object. similar to type or cat

Question 15

systeminfo

Answer 15

displays the operating system configuration information for a local or remote machine

Question 16

hostname

Answer 16

Displays name of the current host

Question 17

Terminal History Commands

Answer 17

doskey /history
page up
page down
f3
f7
f9

Question 17

ver

Answer 17

Displays the current Windows version

Question 18

Admin Commands

Answer 18

xfreerdp /v:<target> /u:<user> /p:<password>
ssh <user>@<target></target></user></password></user></target>

<PIPE>
</PIPE>

Question 19

xfreerdp /v:<target> /u:<user> /p:<password></password></user></target>

Answer 19

Initiate a RDP connection with the target host.

Question 20

Command Description
xfreerdp /v:<target> /u:<user> /p:<password> Initiate a RDP connection with the target host.
ssh <user>@<target></target></user></password></user></target>

Answer 20

Connect to a target host via SSH

Question 21

<PIPE>
</PIPE>

Answer 21

When you see <PIPE> specified in the commands below, it is saying to use the Pipe key (shift+backslash on US Keyboard layouts).</PIPE>

Question 22

File & Directory Commands
CMD.exe

Answer 22

dir
cd

Question 23

cls

Question 24

dir

Question 25

dir /A

Question 26

dir /A:H

Question 27

dir /A:R

Question 28

cd

Question 29

chdir

Question 30

tree

Question 31

tree /F

Question 32

mkdir

Question 33

md

Question 34

rmdir

Question 35

rd

Question 36

rmdir /S

Question 37

move

Question 38

xcopy

Question 39

copy

Question 40

xcopy /E

Question 41

robocopy

Question 41

xcopy /K

Question 42

robocopy /E /MIR /A-:SH

Question 43

more

Question 44

more /S

Question 45

fsutil file createNew

Question 46

type

Question 47

echo

Question 48

ren

Question 49

del

Question 50

del /A:R

Question 51

del /A:H

Question 52

[command 1] > [file]

Answer 52

Redirects the output from a command into a file. Overwrites the specified files’ contents.

Question 53

erase

Question 54

[command 1] &raquo_space; [file]

Answer 54

Redirects the output from a command into a file. Appends additional output without overwriting the file’s original contents.

Question 54

[command 1] < [file]

Answer 54

redirects the output of the file and passes it into the command.

Question 55

<command 1> | <command 2>

Answer 55

Redirects the output of the first command into a <PIPE> and provides it to the second command.</PIPE>

Question 56

<command 1> || <command 2>

Answer 56

Checks to see if the first command fails to execute successfully and, if so, proceeds to execute the second command.

Question 57

<command 1> & <command 2>

Answer 57

Executes both commands in succession. It does not perform checks to see if either command passes or fails.

Question 58

where <file></file>

Answer 58

Displays the location of file(s) provided.

Question 59

<command 1> && <command 2>

Answer 59

Checks to see if the first command executes successfully and then executes the second command. If the first command fails, the current command execution halts and the second command is not executed.

Question 59

Input/Output Operators

Question 59

find “example string” <file></file>

Answer 59

Searches for a string of text in a file or files, and displays lines of text that contain the specified string.

Question 60

where /R <working> <file></file></working>

Answer 60

Recursively searches for the file(s) provided starting from the specified directory.

Question 61

findstr

Answer 61

Searches for patterns of text in files
similar to grep command

Question 62

comp <file1><file2></file2></file1>

Answer 62

Compares the contents of two files or sets of files byte-by-byte.

Question 63

fc <file1><file2></file2></file1>

Answer 63

Compares two files or sets of files and displays the differences between them.

Question 64

sort

Answer 64

Reads input, sorts data, and writes the results to the screen, a file, or another device.

Question 65

user commands
cmd.exe

Answer 65

whoami
whoami /priv
whoami /groups
whoami /all
net user
net local groups
net group

Question 66

whoami

Answer 66

Displays the username of the currently logged-on user.

Question 67

whoami /priv

Answer 67

Displays the security privileges of the current user.

Question 68

whoami /groups

Answer 68

Displays the user groups that the current user belongs to.

Question 69

whoami /all

Answer 69

Displays all information about the current user, including username, security identifiers (SID), privileges, and groups.

Question 69

net user

Answer 69

Displays a list of the user accounts on the computer

Question 70

net localgroup

Answer 70

Displays the name of the server and the names of local groups on the computer.

Question 71

netshare

Answer 71

Displays info about all of the resources that are shared on the local computer.

Question 71

ipconfig

Answer 71

View basic networking configurations.

Question 72

ipconfig /?

Answer 72

Displays help and usage information for ipconfig.

Question 72

net group

Answer 72

Displays the name of a server and the names of groups on the server. Only able to be used if the machine is joined to the domain.

Question 73

ipconfig /all

Answer 73

View detailed networking configuration information.

Question 74

net

Answer 74

CLI utility containing multiple commands to manage and configure network resources.

Question 75

net view

Answer 75

Displays a list of domains, computers, or resources being shared by the specified computer.

Question 76

arp

Answer 76

Displays and manages the contents and entries within the Address Resolution Protocol (ARP) cache.

Question 77

arp /a

Answer 77

Displays the contents and entries contained within the Address Resolution Protocol (ARP) cache.

Question 78

netstat -an

Answer 78

Display current network connections.

Question 79

nslookup <query></query>

Answer 79

Query DNS for a name or address.

Question 80

sc query <Name></Name>

Answer 80

Lists details about a specific service by name.

Question 80

Services Commands
CMD.exe

Answer 80

sc query
sc query <Name>
sc start <Name>
sc stop <Name>
sc config <Name> start = disabled
tasklist /svc
net start
wmic service list brief</Name></Name></Name></Name>

Question 80

sc query

Answer 80

Lists all running services and provides additional information for each service.

Question 81

sc start <Name></Name>

Answer 81

Start a service by name.

Question 82

sc stop <Name></Name>

Answer 82

Stop a service by name.

Question 83

sc config <Name> start = disabled</Name>

Answer 83

Change settings of the service specified.

Question 84

tasklist /svc

Answer 84

Provide a list of services running under each process on the system.

Question 85

net start

Answer 85

List all running services.

Question 86

wmic service list brief

Answer 86

List all services on the system using WMIC. Includes information such as: ExitCode, Name, ProcessID, StartMode, State, and Status.

Question 87

Address Resolution Protocol (ARP)

Question 88

Scheduled Tasks
Commands

Answer 88

schtasks
schtasks /query
schtasks /query /V /FO list
schtasks /create
schtasks /create /sc <Schedule> /tn <Task> /tr <Program>
schtasks /change
schtasks /change /tn <Task> /ru <Username> /rp <Password>
schtasks /delete
schtasks /delete /tn <task></task></Password></Username></Task></Program></Task></Schedule>

Question 89

schtasks

Answer 89

Displays all tasks scheduled on the local machine.

Question 90

schtasks /query

Answer 90

Displays all tasks scheduled on the local machine. Interchangeable with schtasks command.

Question 91

schtasks /query /V /FO list

Answer 91

Displays all scheduled tasks with verbose information in a list format.

Question 92

schtasks /create

Answer 92

Allows for the creation of scheduled tasks.

Question 93

schtasks /delete

Answer 93

Allows for the deletion of scheduled tasks.

Question 93

schtasks /change

Answer 93

Allows for modification of an existing scheduled task.

Question 94

schtasks /delete /tn <task></task>

Answer 94

Deletes a scheduled task with the matching name.

Question 95

schtasks /change /tn <task> /ru <username> /rp <password></password></username></task>

Answer 95

Modifies a scheduled task with a specified name to run under the permissions of the user account using the provided password for authentication.

Question 96

schtasks /create /sc <Schedule> /tn <Task> /tr <Program></Program></Task></Schedule>

Answer 96

Creates a new scheduled task based on a select schedule, with a provided name, and a program specified to run when the task starts.

Question 97

Invoke-WebRequest -Uri “https://website-to-visit” -Method GET

Question 98

Invoke-WebRequest -Uri “https://website-to-visit.html” -Method GET <PIPE> fl Images</PIPE>

Question 98

Invoke-WebRequest -Uri “https://website-to-visit\file.ps1” -OutFile “C:<filename>”

Question 99

(New-Object Net.WebClient).DownloadFile(“https://website-to-visit\tools.zip”, “Tools.zip”)

Question 100

Event Log
Commands

Question 101

wevtutil el

Answer 101

Uses the Windows Events Commandline utility to enumerate all log sources.

Question 102

wevtutil qe <name> /c:5 /rd:true /f:text</name>

Answer 102

Query a log for events

Question 102

wevtutil epl <Name> C:\system_export.evtx</Name>

Answer 102

Export a log

Question 102

wevtutil gl “name”

Answer 102

Will gather config information about the log specified.

Question 103

Get-Winevent -listlog *

Answer 103

List all logging facilities using Powershell cmdlets

Question 103

Get-WinEvent -LogName ‘Name’ -MaxEvents 5 <PIPE> Select-Object -ExpandProperty Message</PIPE>

Answer 103

View the messages of a specific log

Question 104

Get-WinEvent -FilterHashTable @{LogName=’Security’;ID=’4625 ‘}

Answer 104

Query a specific log by eventID

Question 105

Registry Hives

Question 106

HKEY_CURRENT_CONFIG (HKCC)

Answer 106

This section contains records for the host’s current hardware profile. (shows the variance between current and default setups) Think of this as a redirection of the HKLM CurrentControlSet profile key.

Question 107

HKEY_CLASSES_ROOT (HKCR)

Answer 107

Filetype information, UI extensions, and backward compatibility settings are defined here.

Question 108

HKEY_USERS (HKU)

Answer 108

The local computer’s default User profile and current user configuration settings are defined under HKU.

Question 108

HKEY_CURRENT_USER (HKCU)

Answer 108

Value entries here define each user’s specific OS and software settings. Roaming profile settings, including user preferences, are stored under HKCU.

Question 109

HKEY_LOCAL_MACHINE (HKLM)

Answer 109

This subtree contains information about the computer’s physical state, such as hardware and operating system data, bus types, memory, device drivers, and more.

Question 110

Registry Commands

Question 111

Get-ChildItem -Path <HIVE>:\Path-to-key -Recurse</HIVE>

Answer 111

Recursively search through a Key and all subkeys.

Question 112

Get-Item -Path Registry::<HIVE>\Path-to-key\ <PIPE> Select-Object -ExpandProperty Property</PIPE></HIVE>

Answer 112

See the sub-keys and properties of a registry key.

Question 113

Get-ItemProperty -Path Registry::<HIVE>\Path-to-key\key</HIVE>

Answer 113

View the properties and values of a specific key.

Question 114

REG QUERY <HIVE>\PATH\KEY</HIVE>

Answer 114

Use reg.exe to query the registry.

Question 115

REG QUERY <HIVE> /F "Password" /t REG_SZ /S /K</HIVE>

Answer 115

Search for specific strings within the Registry hive.

Question 116

New-Item -Path <HIVE>:\PATH\ -Name KeyName</HIVE>

Answer 116

Create a new Registry Key.

Question 117

New-ItemProperty -Path <HIVE>:\PATH\KEY -Name "ValueName" -PropertyType String -Value "C:\Users\htb-student\Downloads\payload.exe"</HIVE>

Answer 117

Set a new Value pair within a registry Key.

Question 118

REG add “<HIVE>\PATH\KEY" /v access /t REG_SZ /d "C:\Users\htb-student\Downloads\payload.exe"</HIVE>

Answer 118

Use Reg.exe to create a new key/value pair.

Question 119

Remove-ItemProperty -Path <HIVE>:\PATH\KEY -Name "name"</HIVE>

Answer 119

Delete a key/value from the registry.