Infrastructure penetration testing notes
  • Initial page
  • Table Of Content
  • Infrastructure testing
    • Enumeration
      • Packet Capture
      • Host Discovery
      • Services / Ports
        • 21 - FTP
        • 22 - SSH
        • 25 - SMTP
        • 53 - DNS
        • 67 - DHCP
        • 69 - TFTP
        • 79 - Finger
        • 88 - Kerberos
        • 111 - RPC
        • 113 - ident
        • 135 - MSRPC
        • 137 - Netbios
        • 139/445 - SMB
        • 161 - SNMP
        • 177 - XDMCP
        • 363 - LDAP
        • 443 - HTTPS
        • 500 - IKE (IPSEC)
        • 512/513/514 - R Services
        • 623 - IPMI
        • 873 - RSYNC
        • 1099 - Java RMI
        • 1433 - Microsoft SQL
        • 1521 - Oracle DB
        • 2049 - NFS
        • 3306 - MySQL
        • 3389 - RDP
        • 5432 - PostgresSQL
        • 5900 - VNC
        • 5985 - WinRM
        • 6000 - X11
        • 6379 - Redis
        • 8080 - Jenkins
        • 11211 - Memcached
        • RDS
        • SQLite
        • Docker
      • IPV6
        • Scanning
        • Enumeration
        • Transfering files
        • Pivoting and routes
        • THC IPv6
    • Gaining Access
      • IP Forwarding
      • VLAN Information
      • Psexec
      • Upgrading shell
      • Reverse Shells One-Liners
      • Bruteforce
      • MITM cleartext protocols
      • Null session
      • LLMNR / NBT NS Spoofing
      • Port knocking
      • Downloading/Transfer files
      • Remote Desktop
      • NAC Bypass
      • Pass-The-Hash
    • Exploitation
      • Solaris
      • IPv6
      • Windows
        • Compiling Code
        • SMB Vulnerabilities
        • Kerberos Attacks
    • Privilege Escalation
      • Situational Awareness
        • Linux
        • Windows
          • Registry
          • PowerView
          • FSMO Roles
      • Windows
        • Disable Apps and Firewall
        • Add user script
        • UAC Bypass
        • icacls
        • Running services
        • Common Exploits
      • Linux
        • SUID Shell script
        • CVE-2019-14287
        • Kernel exploit
      • Solaris
      • FreeBSD
      • Automated tools
      • Metasploit Modules
      • Password Dumping
    • Breakout
      • LOLBas
      • powershell constrained language byass
      • Alternatives to command prompt
      • Windows utilities
      • Applocker
      • Restricted shells
      • Environmental Variables / Bypassing Path Restrictions
      • Docker escape
      • Just Enough Administration (JEA)
    • Presistance
      • Windows
    • Pivoting
      • Adding routes
    • Password Cracking
      • Hashcat
      • John
      • Cisco Passwords
      • Passwords Lists
      • Generating wordlist
    • Tools
      • Nishang
      • UACME
      • Bypass-UAC
      • MSBuildAPICaller
      • Impacket
      • SharpPersist
      • Terminals
      • IP Calculation
      • pwsh
      • psTools / Sysinternals
      • Unlock applocker
      • enum4linux
      • Bloodhound
        • aclpwn
      • mitm6
      • Enyx
      • nfsshell
      • PowerUpSQL
      • Metasploit
        • msfvenom
    • Others
Powered by GitBook
On this page
  • Methodology
  • Gaining shell access
  • Once a shell was obtained

Was this helpful?

  1. Infrastructure testing

Breakout

Gained access to a lockdown host and need to find way to escape the restrict shell?

PreviousPassword DumpingNextLOLBas

Last updated 5 years ago

Was this helpful?

Methodology

Gaining shell access

  1. Check what software's you can access

    1. Try common such as cmd, powershell, powershell_ise, ftp and etc

    2. Try to use alternatives to powershell and cmd such as PowerShdll and

    3. Try explorer bar commands

  2. Try to create a new file (Use the malicious) or a new shortcut and point it to a executable

  3. Windows 10 - try

  4. Try and to copy powershell.exe or cmd.exe and change it to a different name and then run it

  5. Try and access \\127.0.0.1\c$

Once a shell was obtained

    1. If it's powershell try and download reverse shell and run it, if it's version 4 check if you can downgrade to powershell v2

    2. Try to use Powershell alternatives (nps, powershelld and etc)

  1. Test if you can execute commands via

  2. Attempt to gain administrative privileges

Check if you can access internet explorer, paint, excel, file explorer and etc
Load files via a SMB share and execute them
Bypassing powershell restrictions
LOLBAS
UAC Bypass
Check keyboard shortcuts
Cortana exploit
HTA file