# Breakout

## Methodology

### Gaining shell access

1. Check which software you can access
   1. Try common ones such as cmd, powershell, powershell\_ise, ftp, etc.
   2. Try to use alternatives to PowerShell and cmd such as PowerShdll and
   3. Try explorer bar commands
   4. [Check if you can access Internet Explorer, Paint, Excel, File Explorer, etc.](/infrastructure-testing/breakout/windows-utilities.md)
2. [Check keyboard shortcuts](/infrastructure-testing/breakout/windows-utilities.md#shortcuts)
3. Try to create a new file (use the malicious [HTA file](/infrastructure-testing/breakout/alternatives-to-command-prompt.md#hta-shell)) or a new shortcut and point it to an executable
4. [Load files via an SMB share and execute them](/infrastructure-testing/enumeration/ipv6/transfering-files.md)
5. Windows 10 - try the [Cortana exploit](/infrastructure-testing/breakout/windows-utilities.md#cortana)
6. Try to copy powershell.exe or cmd.exe, rename the copy, and then run it
7. Try to access \\\127.0.0.1\c$

### Once a shell is obtained

1. [Bypassing PowerShell restrictions](/infrastructure-testing/breakout/powershell-constrained-language-byass.md)
   1. If it's PowerShell, try to download a reverse shell and run it; if it's version 4, check whether you can downgrade to PowerShell v2
   2. Try to use PowerShell alternatives (nps, powershelld, etc.)
2. Test if you can execute commands via [LOLBAS](/infrastructure-testing/breakout/lolbas.md)
3. Attempt a [UAC Bypass](/infrastructure-testing/privilege-esclation/windows/uac-bypass.md) to gain administrative privileges


