[AHK] Automatic update 👽

SUMMARY.md

@@ -102,6 +102,7 @@
   - [NFS](pentest/infrastructure/nfs.md)
   - [Persistence](pentest/infrastructure/persistence.md)
   - [Pivoting](pentest/infrastructure/pivoting.md)
+  - [Post Exploitation](pentest/infrastructure/post-exploitation.md)
   - [SNMP](pentest/infrastructure/snmp.md)
   - [TFTP](pentest/infrastructure/tftp.md)
   - [VNC](pentest/infrastructure/vnc.md)

pentest/infrastructure/ad/attack-trusts.md

@@ -25,7 +25,7 @@ Some trust types:
 
 | **Trust Type**           | **Description**                                                                                                                                                 |
 |--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Parent-child             | Domains within the same forest. The child domain has a *bidirectional transitive* trust with the parent domain.                                                 |
+| Parent-child             | A trust between domains within the same forest. The child domain has a *bidirectional transitive* trust with the parent domain.                                 |
 | Cross-link (shortcut)    | A trust between child domains (used to speed up authentication).                                                                                                |
 | Tree-root (intra-forest) | A *bidirectional transitive* trust between a forest root domain and a new tree root domain. Created implicitly when a new domain tree is created in the forest. |
 | Forest                   | A *transitive* trust between two forest root domains. Enforces SID filtering.                                                                                   |

pentest/infrastructure/ad/post-exploitation.md

@@ -1,15 +1,15 @@
 ---
-description: AD Post Exploitation
+description: Post Exploitation in Active Directory
 ---
 
 # Post Exploitation
 
 
 
 
-## Reach a Locked Down Domain Computer
+## Reach a Locked-down Domain Computer
 
-If you find yourself in a situation when you're already a domain admin and you need to access a "locked down" domain computer (no RDP/WinRM, no SMB shares, no owned local admins, etc.), creating an evil GPO may help.
+If you find yourself in a situation when you're already a domain admin and you need to access a locked-down domain computer (no RDP/WinRM, no SMB shares, no owned local admins, etc.), creating an evil GPO may help.
 
 Identify the OU containing the VICTIM-PC object:
 

pentest/infrastructure/kiosk-breakout.md

@@ -1,5 +1,69 @@
 # Kiosk Breakout
 
+* [http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net/)
+
+
+
+
+## Windows
+
 * [https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
 * [https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/](https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/)
 * [https://habr.com/ru/company/dsec/blog/505600/](https://habr.com/ru/company/dsec/blog/505600/)
+
+Navigating with environment variables and `shell` directive:
+
+| **ENV**                        | **Location**                                                     |
+|--------------------------------|------------------------------------------------------------------|
+| `%HOMEDRIVE%`, `%SystemDrive%` | "C:\\"                                                           |
+| `%WINDIR%`, `%SystemRoot%`     | "C:\\Windows"                                                    |
+| `%PROGRAMFILES%`               | "C:\\Program Files"                                              |
+| `%COMSPEC%`                    | "C:\\Windows\\System32\\cmd.exe"                                 |
+| `%COMMONPROGRAMFILES%`         | "C:\\Program Files\\Common Files"                                |
+| `%HOMEPATH%`, `%USERPROFILE%`  | "C:\\Documents and Settings\\Username"                           |
+| `%ALLUSERSPROFILE%`            | "C:\\Documents and Settings\\All Users"                          |
+| `%PROGRAMFILES(X86)%`          | "C:\\Program Files (x86)" (only in 64-bit version)               |
+| `%APPDATA%`                    | "C:\\Documents and Settings\\Username\\Application Data"         |
+| `%TEMP%`, `%TMP%`              | "C:\\Documents and Settings\\Username\\Local Settings\\Temp"     |
+| `%COMMONPROGRAMFILES(x86)%`    | "C:\\Program Files (x86)\\Common Files" (only in 64-bit version) |
+
+| **Command**            | **Location**                      |
+|------------------------|-----------------------------------|
+| shell:System           | "C:\\Windows\\System32"           |
+| shell:Downloads        | Current user's "Downloads" folder |
+| shell:MyComputerFolder | "This PC" window                  |
+
+
+
+
+## Linux
+
+### gtkdialog
+
+HTLM-based pseudo terminal emulator (useful when there's no other terminal apps available):
+
+{% code title="shell.html" %}
+```html
+<window>
+	<vbox>
+		<vbox scrollable="true" width="500" height="400">
+			<edit>
+				<variable>CMDOUTPUT</variable>
+				<input file>/tmp/termout.txt</input>
+			</edit>
+	</vbox>
+	<hbox>
+		<text><label>Command:</label></text>
+		<entry><variable>CMDTORUN</variable></entry>
+		<button>
+				<label>Run</label>
+				<action>$CMDTORUN > /tmp/termout.txt 2>&1</action>
+				<action>refresh:CMDOUTPUT</action>
+			</button>
+	</hbox>
+	</vbox>
+</window>
+```
+{% endcode %}
+
+The shell can be invoked with `/usr/bin/gtkdialog -f shell.html`

pentest/infrastructure/lpe.md

@@ -365,6 +365,8 @@ PS > Invoke-Seatbelt -Command "-group=all"
 
 ## Linux
 
+* [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
+
 
 
 ### Filesystem