The gMan nixWiki

Because the mind is made of Teflon...

method_5_post-exploitation

method_5_post-exploitation [2022/09/24 16:08] – [udevd] gmanmethod_5_post-exploitation [2023/01/12 00:31] (current) – [First Thing] gman
Line 1: Line 1:
 +====== Post-Exploitation ======
 +
 ===== Review ===== ===== Review =====
  
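Review bot: the new ''====== Post-Exploitation ======'' heading uses the same six-equals level as ''====== Local Enumeration ======'' and ''====== Privilege Escalation ======'' added further down in this same revision, so DokuWiki will render it as a sibling section rather than a title spanning the page and the table of contents will show three peers. If it is meant as the page title, keep it alone at this level and demote the other two to five-equals headings; otherwise the structure is fine as is.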
Line 8: Line 10:
   - Post-Exploitation   - Post-Exploitation
   - Post-Engagement: Report   - Post-Engagement: Report
 +
 +----
 +
  
 ===== Overview ===== ===== Overview =====
Line 28: Line 33:
     * Concealment     * Concealment
     * Retain Access     * Retain Access
 +
 +----
 +
 +===== First Thing =====
 +
 +After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (passwords).
 +
 +**Windows:** The go-to tool is ''mimikatz'' (it can read hashes directly from memory).
 +
 +**Linux:** The ''creddump'' package contains...
 +  - ''cachedump'': dumps cashed credentials
 +  - ''lsadump'': dumps LSA Secrets
 +  - ''pwdump'': dumps password hashes
 +
 +Linux passwords are usually found in ''/etc/shadow''.
 +  * You can simply copy that file to your attack machine and crack offline (if you have root).
 +  * Therefore, priv esc is a key part of acquiring credentials.
 +
 +----
 +
 +====== Local Enumeration ======
 +
 +Once you have gained access to a machine, you need to enumerate (additional recon) to explore opportunities for additional movement (lateral or vertical).
 +
 +===== Windows =====
 +
 +Local Windows enumeration is not as straightforward as Linux. Here are some examples...
 +
 +<code>
 +## from cmd.exe, regular user: 
 +
 +# Print OS name and version:
 +systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
 +
 +# Display user accounts
 +net users
 +
 +# Display info on particular user
 +net user Guest
 +
 +# Network interface info: 
 +ipconfig
 +
 +# Routing information 
 +route print
 +
 +# IP/MAC mapping information
 +arp -a
 +
 +# More...
 +netsh firewall show state  # check firewall state
 +netsh firewall show config # check firewall settings
 +tasklist /SVC              # check tasks & services
 +net start
 +DRIVEQUERY
 +
 +# Find low-hanging fruit:
 +wmic qfe get Caption,Description,HotFixID,InstalledOn
 +
 +</code>
 +
 +**Note:** The Windows Management Instrumentation Command line (WMIC) is a software utility that allows users to performs Windows Management Instrumentation (WMI) operations with a command prompt.
 +
 +===== Linux =====
 +
 +**Common Attack Vectors:**
 +  * SUID/SGID files
 +  * Cron jobs
 +  * The kernel
 +  * Check to see if ''/etc/passwd'' and ''/etc/shadow'' and readable and/or writable by world.
 +  * Check sudo: ''sudo -l'' (if it hangs, it's waiting for a password; kill & reconnect)
 +  * You can also ''find'' backup files (.bak; might have login creds in them) and files owned by root but world readable and/or writable.
 +
 +----
  
 ====== Privilege Escalation ====== ====== Privilege Escalation ======
 +
 +===== Linux =====
 +
 +==== SUDO ====
 +
 +''sudo'' is the "super user do" command. 
 +  * It allows users to escalate their privileges based on settings in the ''/etc/sudoers'' file.
 +  * When the ''sudo'' command is called, the ''sudoers'' file is checked and rights are granted if they are permitted. 
 +
 +Therefore, //**always**// review the ''sudoers'' file after you gain access to a machine.
 +  * Figure out which accounts you want to target based on the rights they have.
 +  * Try to compromise accounts with sudo privilege.
 +
 +One of the first commands you want to execute in order to abuse sudoer rights: ''sudo -l''
 +  * This will list ("-l" is for "list") the sudoers.
 +  * This shows you the user account names and privileges they have within the sudo environment.
 +
 +----
 +
 +==== SUID ====
 +
 +**SUID:** Set User ID.  **SGID:** Set Group ID
 +  * These are special bits of a file that tell Linux to run the executable as the owner (SUID) or as the group (SGID) of the file, not as the user who launched it. 
 +
 +To find all the files on a system that have the SUID bit set: 
 +
 +<code>
 +find / -perm -4000
 +# or
 +find / -perm /4000
 +
 +# To see all the details:
 +find / -perm -u=s -type f 2>/dev/null
 +# or
 +find / -user root -perm -4000 -exec ls -ldb {} \;
 +# note: you need a space between {} and \;
 +</code>
 +
 +----
  
 ==== udevd ==== ==== udevd ====
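Review bot: the ''**Linux:**'' entry for ''creddump'' is misleading as written: the three tools it lists (''cachedump'', ''lsadump'', ''pwdump'') extract Windows secrets (cached credentials, LSA Secrets and password hashes, as the list itself says), and this same revision later locates LSA Secrets under ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''. creddump is something you run from a Linux attack box against copied Windows registry hives, not a way to read Linux credentials, so relabel the bullet (for example "From Linux, against Windows hives:") and let the ''/etc/shadow'' paragraph carry the Linux case on its own. Smaller fixes in the same hunk: "dumps cashed credentials" should read "cached"; ''DRIVEQUERY'' in the cmd.exe block is not a Windows command, the built-in is ''driverquery'', and it and ''net start'' lack the inline comments the neighbouring commands have; "''/etc/passwd'' and ''/etc/shadow'' and readable" should be "are readable"; "allows users to performs" should be "perform"; and the "To see all the details" comment sits above ''find / -perm -u=s -type f 2>/dev/null'', which prints only paths, while the ''-exec ls -ldb {} \;'' variant below it is the one that actually shows details, so the comment belongs on that line.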
Line 113: Line 231:
 ---- ----
  
 +===== Windoze =====
 +
 +==== LSA Secrets Registry ====
 +
 +The **LSA Secrets Registry** contains the password of the currently logged-in user in an encrypted form.
 +  * You can find the LSA Secrets Registry here: ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''
 +  * You can find the encryption key to the user's password in the parent directory: ''HKEY_LOCAL_MACHINE/Security/Policy''
 +
 +So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily. 
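Review bot: the registry paths in the LSA Secrets section are written with forward slashes (''HKEY_LOCAL_MACHINE/Security/Policy/Secrets'' and ''HKEY_LOCAL_MACHINE/Security/Policy''); Windows registry keys use backslashes, so these should read ''HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets'' and ''HKEY_LOCAL_MACHINE\SECURITY\Policy'' for anyone pasting them into ''reg'' or ''regedit''. "in the parent directory" should be "in the parent key", since these are registry keys rather than filesystem paths. Also, this section is headed ''===== Windoze ====='' while the Local Enumeration section added in the same revision is headed ''===== Windows ====='', which makes the two hard to match up in the table of contents and in search; using the same spelling for both would help.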
method_5_post-exploitation.1664035702.txt.gz · Last modified: by gman