One of the first things to attempt when conducting a breakout assessment of a Windows desktop is to gain access to either the command prompt or PowerShell. This is because these are built-in Windows programs that allow us to conduct a range of actions such as:
· Create files
· Read data
· Enumerate device information
· Enumerate environment information
If it is not possible to open the command prompt or PowerShell through the start menu, it may be worth attempting to use a batch file.
The steps to create a batch file are as follows:
· Open notepad
· Type “cmd.exe”
· Save file as cmd.bat
· Execute file
This batch file will attempt to execute the command cmd.exe, which launches the command prompt.
If system administrators have locked down access to the command prompt, opening it directly will fail, and a batch file as above is the only way to reach this interface.
In this instance, creating a batch file that uses the /k flag will allow a command to be executed before the restriction is applied.
A batch file such as “cmd.exe /k ipconfig” will produce the following output (the screenshot from the original page is not reproduced here).
Output such as this indicates that, while we are being restricted from accessing the command prompt program, the underlying capability is still available to us; we simply have to identify a method of executing the commands we want.
It may therefore be possible to use the locked down command prompt to call PowerShell and thereby obtain an interactive shell. The batch file to achieve this would contain
“cmd.exe /k powershell”
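The reason the /k batch file still works is the way the command prompt restriction is usually configured. The following is an added example for the defender side, not code from the original page: a PowerShell audit script that reports whether the "Prevent access to the command prompt" policy has also disabled batch script processing. It assumes the policy lives in the DisableCMD registry value under Software\Policies\Microsoft\Windows\System in HKCU (and, if applied machine-wide, HKLM), with 1 meaning command prompt and scripts disabled and 2 meaning command prompt disabled but scripts allowed; the paths, value meanings and the function name Get-CmdLockdownState are the example author's assumptions.

```powershell
# Added example (not from the original page): audit the command prompt lockdown
# policy that the batch-file / "cmd.exe /k" technique depends on.
# Assumptions (example author's, not statements from the page):
#   - policy value: DisableCMD under Software\Policies\Microsoft\Windows\System
#   - 0 or absent = unrestricted, 1 = cmd and batch scripts disabled,
#     2 = cmd disabled but .bat/.cmd scripts still processed

$policyPaths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\System',
    'HKLM:\Software\Policies\Microsoft\Windows\System'
)

function Get-CmdLockdownState {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name 'DisableCMD' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }

        switch ([int]$item.DisableCMD) {
            1 {
                return [pscustomobject]@{
                    Source       = $path
                    Value        = 1
                    BatchAllowed = $false
                    Note         = 'Command prompt and batch script processing both disabled'
                }
            }
            2 {
                return [pscustomobject]@{
                    Source       = $path
                    Value        = 2
                    BatchAllowed = $true
                    Note         = 'Command prompt disabled, but .bat/.cmd scripts still run; a "cmd.exe /k" batch file is not blocked'
                }
            }
            default {
                return [pscustomobject]@{
                    Source       = $path
                    Value        = $item.DisableCMD
                    BatchAllowed = $true
                    Note         = 'DisableCMD present but not restricting'
                }
            }
        }
    }

    # No policy value found anywhere: nothing restricts the command prompt.
    return [pscustomobject]@{
        Source       = 'none'
        Value        = $null
        BatchAllowed = $true
        Note         = 'DisableCMD not set; command prompt unrestricted'
    }
}

$state = Get-CmdLockdownState -Paths $policyPaths
$state | Format-List

if ($state.BatchAllowed) {
    Write-Warning 'Batch scripts can still launch cmd.exe. Enable "Disable the command prompt script processing also" (DisableCMD = 1) and restrict cmd.exe and powershell.exe with AppLocker or WDAC rather than relying on this policy alone.'
}
```

Run the script in the context of the locked-down user, since the policy is normally applied per user. On the detection side, process creation events with command-line logging enabled (Windows event 4688 or Sysmon event 1) record a cmd.exe process whose command line contains "/k" and whose child is powershell.exe, which is exactly the sequence the batch file above produces.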