mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
3.8 KiB
3.8 KiB
Application Escape and Breakout
Summary
Gaining a command shell
- Shortcut
- [Window] + [R] -> cmd
- [CTRL] + [ALT] + [SHIFT] -> Task Manager
- [CTRL] + [ALT] + [DELETE] -> Task Manager
- Access through file browser: Browsing to the folder containing the binary (i.e.
C:\windows\system32\
), we can simply right click andopen
it - Drag-and-drop: dragging and dropping any file onto the cmd.exe
- Hyperlink:
file:///c:/Windows/System32/cmd.exe
- Task Manager:
File
>New Task (Run...)
>cmd
- MSPAINT.exe
- Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
- Zoom in to make the following tasks easier
- Using the colour picker, set pixels values to (from left to right):
- 1st: R: 10, G: 0, B: 0
- 2nd: R: 13, G: 10, B: 13
- 3rd: R: 100, G: 109, B: 99
- 4th: R: 120, G: 101, B: 46
- 5th: R: 0, G: 0, B: 101
- 6th: R: 0, G: 0, B: 0
- Save it as 24-bit Bitmap (.bmp;.dib)
- Change its extension from bmp to bat and run
Sticky Keys
- Spawn the sticky keys dialog
- Via Shell URI :
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- Hit 5 times [SHIFT]
- Via Shell URI :
- Visit "Ease of Access Center"
- You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
- Start the OSK (On-Screen-Keyboard)
- You can now use the keyboard shortcut (CTRL+N)
Dialog Boxes
Creating new files
- Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
- Shortcuts – Right click > New > Shortcut >
%WINDIR%\system32
Open a new Windows Explorer instance
- Right click any folder > select
Open in new window
Exploring Context Menus
- Right click any file/folder and explore context menus
- Clicking
Properties
, especially on shortcuts, can yield further access viaOpen File Location
Save as
- "Save as" / "Open as" option
- "Print" feature – selecting "print to file" option (XPS/PDF/etc)
\\127.0.0.1\c$\Windows\System32\
and executecmd.exe
Input Boxes
Many input boxes accept file paths; try all inputs with UNC paths such as //attacker–pc/
or //127.0.0.1/c$
or C:\
Bypass file restrictions
Enter . or *.exe or similar in File name
box
Internet Explorer
Download and Run/Open
- Text files -> opened by Notepad
Menus
- The address bar
- Search menus
- Help menus
- Print menus
- All other menus that provide dialog boxes
Shell URI Handlers
- shell:DocumentsLibrary
- shell:Librariesshell:UserProfiles
- shell:Personal
- shell:SearchHomeFolder
- shell:System shell:NetworkPlacesFolder
- shell:SendTo
- shell:Common Administrative Tools
- shell:MyComputerFolder
- shell:InternetFolder