## Privilege Escalation & Post-Exploitation

Learn how to hide your trojans, backdoors, etc. from antivirus.

No one expects command execution!

Abusing Kerberos


  • AD PowerShell Recon Scripts

Group Policy Preferences trick

Article Explaining what the KRBTGT account in AD is:

### General Privilege Escalation

Execute ShellCode Using Python

  • In this article I am going to show you how we can use Python and its "ctypes" library to execute a "calc.exe" shellcode or any other shellcode.

### Privilege Escalation - Linux

Using the docker command to root the host (totally not a security issue)

  • It is possible to do a few more things more with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.


  • Linux Exploit Suggester; based on operating system release number. Run without arguments, this program performs a 'uname -r' to grab the Linux operating system's release version and returns a suggestive list of possible exploits. Nothing fancy, so a patched/back-ported patch may fool this script. Additionally it is possible to provide the '-k' flag to manually enter the kernel version/operating system release version.

Basic Linux Privilege Escalation - g0tmi1k

  • Not so much a script as a resource, g0tmi1k's blog post here has led to so many privilege escalations on Linux systems it's not funny. Would definitely recommend trying out everything on this post for enumerating systems.

LinEnum

  • This tool is great at running through a heap of things you should check on a Linux system in the post-exploit process. This includes file permissions, cron jobs if visible, weak credentials etc. The first thing I run on a newly compromised system.

LinuxPrivChecker

  • This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.

Unix Privilege Escalation Checker

  • Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).

### Privilege Escalation - Windows

Windows Privilege Escalation Fundamentals

Windows Exploit Suggester

Some forum posts on Win Priv Esc

PowerUp

  • PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.

Windows Privilege Escalation Cheat Sheet/Tricks

How to own any Windows network with group policy hijacking attacks

Hacking Windows through the Windows API; delves into the Windows API and how it can break itself

Analyzing local privilege escalations in win32k

  • This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.

Exploiting Windows 2008 Group Policy Preferences

Extreme Privilege Escalation on Windows 8 UEFI Systems

  • Slides
  • Summary by stormehh from reddit: "In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash"

Old Privilege Escalation Techniques

PyKEK

  • PyKEK (Python Kerberos Exploitation Kit), a Python library to manipulate KRB5-related data. (Still in development)

All roads lead to SYSTEM

Dump Windows password hashes efficiently - Part 1

### Privilege Escalation - OS X

Hidden backdoor API to root privileges in Apple OS X

  • Works on 10.7 -> 10.10.2

Mac OS X local privilege escalation (IOBluetoothFamily)

Privilege Escalation on OS X below 10.0

### General Post-Exploitation

File Server Triage on Red Team Engagements

Finding your external IP: Simply curl any of the following addresses:, or

Egress Buster Reverse Shell

  • Egress Buster Reverse Shell – brute-forces egress ports until one is found and executes a reverse shell (from trustedsec)

Determine Public IP from CLI


  • PyBuild is a tool for automating the pyinstaller method for compiling Python code into an executable. This works on Windows, Linux, and OSX (PE and ELF formats) (from trustedsec)

### Post-Exploitation Linux

More on Using Bash's Built-in /dev/tcp File (TCP/IP)

### Post-Exploitation Windows

Dumping user passwords in plaintext on Windows 8.1 and Server 2012

PShell Script: Extract All GPO Set Passwords From Domain

  • This script parses the domain's Policies folder looking for Group.xml files. These files contain either a username change, a password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!

Client Side attacks using PowerShell

I Hunt Sysadmins 2.0

  • It covers various ways to hunt for users in Windows domains, including using PowerView.

Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014

  • Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.

15 Ways to bypass PowerShell execution-policy settings

  • Does what it says on the tin. Overall, it's clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.

Post-Exploitation on Windows using ActiveX Controls

WMI Shell Tool

  • The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.

Dirty PowerShell Webserver

#### Grabbing Goodies

Dumping Windows Credentials

Dumping hashes from Active Directory for cracking

NTDSXtract - Active Directory Forensics Framework

  • Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).

Post exploitation trick - Phish users for creds on domains, from their own box

#### Gaining Awareness

Veil-PowerView

  • Veil-PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

Egress Testing using PowerShell

Domain Trusts: Why You Should Care

### Persistence Techniques

Using Alternate Data Streams to Persist on a Compromised Machine

An Introduction to Backdooring Operating Systems for Fun and trolling - Defcon22

Windows Event Log Driven Backdoors

List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!


Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services

Temporal Persistence with bitsadmin and schtasks

Windows Event Log Driven Back Doors

COM Object hijacking: the discreet way of persistence

Thousand ways to backdoor a Windows domain (forest)

Windows Firewall Hook Enumeration

  • We're going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking-like functionality. We're going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified, and finally how the enumeration tool was developed.

NTFS Alternate Data Streams for pentesters (part 1)

Windows task scheduler

How to start a hidden process? `Start-Process -WindowStyle hidden -FilePath "path-to-exe-to-be-hidden"`

Windows Startup Application Database

Startup folder on Win8

  • C:\Users\YOURUSER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

### Linux

Linux cron tab

### OS X

What's the easiest way to have a script run at boot time in OS X? - Stack Overflow

Userland Persistence On Mac OS X "It Just Works" - Shmoocon 2015

  • Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already-running daemon processes to guarantee your access. As the presentation will show, given userland administrative access (read: root), it is easy to persist between reboots without plists, non-native binaries, scripting, kexts or kernel patching, using the Backdoor Factory.


Socat Cheatsheet


  • socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
  • Examples of use

Pivoting Ssh Reverse Tunnel Gateway

Portfwd - Pivot from within meterpreter

SSH Gymnastics and Tunneling with ProxyChains

SSH Cheat Sheet - pentestmonkey

Pivoting into a network using PLINK and FPipe

Reverse SSL backdoor with socat and metasploit (and proxies)

#### Pass-The-Hash

Pass-the-Hash is Dead: Long Live Pass-the-Hash

Still Passing the Hash 15 Years Later

pth-toolkit, i.e. the portable pass-the-hash toolkit

The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1

Et tu Kerberos - Christopher Campbell

PsExec and the Nasty Things It Can Do

  • An overview of what PsExec is and what its capabilities are from an administrative standpoint.