The gMan nixWiki

Because the mind is made of Teflon...

method_5_post-exploitation

Previous revision: method_5_post-exploitation [2022/11/20 19:44] – [Privilege Escalation] gman
Current revision: method_5_post-exploitation [2023/01/12 00:31] – [First Thing] gman
  * Concealment
  * Retain Access

----

===== First Thing =====

After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (password hashes, plus whatever plaintext secrets are kept next to them).

**Windows:** The go-to tool is ''mimikatz''. Run with administrative rights (it needs ''SeDebugPrivilege'' to open LSASS) it reads credentials straight out of LSASS memory: NT hashes, Kerberos tickets and, on older or misconfigured hosts with WDigest enabled, plaintext passwords.

**Linux (attacking Windows hives offline):** The ''creddump'' package does not dump Linux credentials. It is a set of Python tools you run on your attack machine against copies of a Windows host's ''SAM'', ''SECURITY'' and ''SYSTEM'' registry hives:
  - ''cachedump'': dumps cached domain credentials (mscash/mscash2 hashes)
  - ''lsadump'': dumps LSA Secrets
  - ''pwdump'': dumps local account password hashes from the SAM

Linux password hashes live in ''/etc/shadow'' (''/etc/passwd'' is world-readable but only holds an ''x'' in the password field).
  * ''/etc/shadow'' is readable only by root, so if you have root you can simply copy it (together with ''/etc/passwd'') to your attack machine and crack offline.
  * Therefore, priv esc is a key part of acquiring credentials.
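The offline step in practice, as an added Python example (not from this wiki page): it classifies each ''/etc/shadow'' password field so you know which entries are crackable at all (empty, locked, locked-but-hash-present, or which crypt(3) scheme), then merges ''passwd'' and ''shadow'' into the ''user:hash:uid:gid:gecos:home:shell'' form John the Ripper and hashcat expect, the same job ''unshadow'' does. The two sample files and every hash string in them are constructed placeholders.

```python
"""Classify /etc/shadow entries and merge them with /etc/passwd for offline cracking.

Added example (not from the original wiki page). Runs on the attack machine over
copies of the two files; the sample contents below are constructed, the hashes are
not real digests.
"""
import re

# Prefix -> crypt(3) scheme, as written in the second field of /etc/shadow.
_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}


def classify(hash_field: str) -> str:
    """Return the hash scheme of one shadow password field, or why it is not crackable.

    '' -> 'empty' (login without a password), '*' / '!' / '!!' -> 'locked',
    a hash prefixed with '!' -> 'locked:<scheme>' (account locked, but the hash is
    still worth cracking: unlocking the account restores that password).
    """
    if hash_field == "":
        return "empty"
    locked = hash_field.startswith("!")
    body = hash_field.lstrip("!")
    if body in ("", "*", "*LK*", "*NP*"):
        return "locked"
    for prefix, name in _SCHEMES.items():
        if body.startswith(prefix):
            return f"locked:{name}" if locked else name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", body):  # traditional DES crypt
        return "locked:descrypt" if locked else "descrypt"
    return "locked:unknown" if locked else "unknown"


def unshadow(passwd_text: str, shadow_text: str, include_locked: bool = True) -> list[str]:
    """Produce the 'user:hash:uid:gid:gecos:home:shell' lines john/hashcat expect.

    Mirrors john's `unshadow`, plus: accounts with no hash are skipped, and (by
    default) the '!' lock marker is stripped so locked hashes get cracked too.
    """
    shadow = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        shadow[fields[0]] = fields[1]
    out = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 7 or f[0] not in shadow:
            continue
        kind = classify(shadow[f[0]])
        if kind in ("empty", "locked", "unknown", "locked:unknown"):
            continue
        if kind.startswith("locked:") and not include_locked:
            continue
        f[1] = shadow[f[0]].lstrip("!")
        out.append(":".join(f))
    return out


# Constructed sample files (hash strings are placeholders, not real digests).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002::/opt/svc:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:19000:0:99999:7:::
bob:!$1$abcdefgh$CCCCCCCCCCCCCCCCCCCCCC:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in SAMPLE_SHADOW.splitlines():
        user, field = entry.split(":")[:2]
        print(f"{user:8} {classify(field)}")
    print("\n".join(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

The ''svc'' entry (empty field) is the one to notice before any cracking starts: it is not crackable because there is nothing to crack, the account logs in with no password at all.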
  
----
  
<code>
## from cmd.exe, regular user (lines starting with # are notes, not cmd.exe syntax):

# Print OS name and version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

# Display user accounts
net users

# Display info on particular user
net user Guest

# Network interface info:
ipconfig

# Routing information
route print

# IP/MAC mapping information
arp -a

# More...
netsh firewall show state  # check firewall state
netsh firewall show config # check firewall settings
tasklist /SVC              # check tasks & services (which service lives in which process)
net start                  # list running services
DRIVERQUERY                # list installed drivers

# Find low-hanging fruit: installed hotfixes (a stale InstalledOn date means missing patches)
wmic qfe get Caption,Description,HotFixID,InstalledOn
</code>

**Note:** The Windows Management Instrumentation Command line (WMIC) is a software utility that allows users to perform Windows Management Instrumentation (WMI) operations from a command prompt. Two caveats: ''netsh firewall'' is deprecated in favour of ''netsh advfirewall'' (e.g. ''netsh advfirewall show allprofiles''), and ''wmic'' itself is deprecated and absent from recent Windows 11 builds, where ''Get-HotFix'' in PowerShell returns the same hotfix list. If you redirect ''wmic'' output to a file on the host, the file is UTF-16; convert it before parsing it elsewhere.
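What you actually do with the ''wmic qfe'' output is work out the patch gap: the newest ''InstalledOn'' date tells you how long the box has gone without updates, and the KB list is what you compare against the advisories for that OS build. The following is an added Python example (not from this wiki page) that parses the captured text on the attack machine; the sample output is constructed, with placeholder KB numbers, and the column layout is the one ''wmic'' prints (columns padded with runs of spaces).

```python
"""Parse 'wmic qfe get Caption,Description,HotFixID,InstalledOn' output and size the patch gap.

Added example (not from the original wiki page). Paste the text captured from the
target into this script on the attack machine; the sample below is constructed,
with placeholder KB numbers.
"""
import re
from datetime import date, datetime

SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=1000001  Update           KB1000001  2/15/2021
http://support.microsoft.com/?kbid=1000002  Security Update  KB1000002  3/10/2021
http://support.microsoft.com/?kbid=1000003  Security Update  KB1000003  11/11/2020
http://support.microsoft.com/?kbid=1000004  Hotfix           KB1000004
"""


def parse_qfe(text: str) -> list[dict]:
    """Return one dict per hotfix row; InstalledOn becomes a date (None if blank).

    wmic pads columns with runs of spaces, so rows are split on two or more spaces
    rather than on single spaces (Description itself contains single spaces).
    """
    rows = []
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    for ln in lines[1:]:
        cols = re.split(r"\s{2,}", ln.strip())
        row = dict(zip(header, cols))
        row.setdefault("InstalledOn", "")  # last column is empty for some rows
        when = row["InstalledOn"]
        row["InstalledOn"] = datetime.strptime(when, "%m/%d/%Y").date() if when else None
        rows.append(row)
    return rows


def patch_gap(rows: list[dict], today: date) -> dict:
    """Summarize: all KBs, the security updates only, newest install date, days since."""
    dated = [r["InstalledOn"] for r in rows if r["InstalledOn"] is not None]
    latest = max(dated, default=None)
    return {
        "hotfixes": sorted(r["HotFixID"] for r in rows),
        "security_updates": sorted(
            r["HotFixID"] for r in rows if r["Description"] == "Security Update"
        ),
        "latest_install": latest,
        "days_since_patch": (today - latest).days if latest else None,
    }


def summarize(text: str, today_iso: str) -> dict:
    """Convenience wrapper: raw wmic text in, summary with an ISO date string out."""
    s = patch_gap(parse_qfe(text), date.fromisoformat(today_iso))
    if s["latest_install"]:
        s["latest_install"] = s["latest_install"].isoformat()
    return s


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_QFE, date.today().isoformat()).items():
        print(f"{k:18} {v}")
```

''days_since_patch'' is the number that matters: a host whose newest hotfix is many months old is a kernel/driver-exploit candidate, and the KB list tells you exactly which fixes it never received.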
  
===== Linux =====

**Common Attack Vectors:**
  * SUID/SGID files
  * Cron jobs (scripts run by root's cron entries that you can write to, or writable directories on the ''PATH'' those entries use; check ''/etc/crontab'', ''/etc/cron.*'' and ''/var/spool/cron'')
  * The kernel (old and unpatched; ''uname -a'' gives the version)
  * Check whether ''/etc/passwd'' and ''/etc/shadow'' are readable and/or writable by world.
  * Check sudo: ''sudo -l'' (if it hangs, it's waiting for a password; kill & reconnect, or use ''sudo -n -l'' so it fails immediately instead of prompting)
  * You can also ''find'' backup files (''.bak''; might have login creds in them) and files owned by root but world readable and/or writable.

----
  
====== Privilege Escalation ======

===== Linux =====

==== SUDO ====

''sudo'' is the "super user do" command.
  * It allows users to run commands as another user (root by default) according to the rules in the ''/etc/sudoers'' file (and any drop-in files under ''/etc/sudoers.d/'').
  * When the ''sudo'' command is called, the ''sudoers'' policy is checked and the command runs only if a rule for that user (or one of their groups) permits it. Rules may carry the ''NOPASSWD'' tag, which removes the password prompt.

Therefore, //**always**// review the ''sudoers'' rules after you gain access to a machine (the file itself is root-owned and mode 0440, so as a low-privileged user you normally learn your own rules through ''sudo -l'').
  * Figure out which accounts you want to target based on the rights they have.
  * Try to compromise accounts with sudo privilege.

One of the first commands you want to execute in order to abuse sudoer rights: ''sudo -l''
  * This lists ("-l" is for "list") the commands the //current// user may (and, with a leading ''!'', may not) run through sudo, which user they run as, and whether a password is needed. It does not enumerate other sudoers accounts; that needs read access to ''/etc/sudoers'' itself.
  * A rule that runs ''ALL'' as root is a root shell directly (''sudo -i''). A rule that runs a single root-owned binary can still be one if that binary can spawn a shell or read and write arbitrary files (editors, pagers, ''find'', scripting interpreters, ''tar'' and the like).
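Reading ''sudo -l'' output by eye is fine for one host; across many it is worth parsing. The following is an added Python example (not from this wiki page) that turns the output into rules (run-as user, ''NOPASSWD'' or not, negated or not) and flags the ones that lead to root. The sample output is constructed, and the set of shell-escape binaries is an assumed short subset of what GTFOBins documents, not an exhaustive list.

```python
"""Interpret the output of 'sudo -l' and flag the rules that lead to root.

Added example (not from the original wiki page). The sample output below is
constructed; SHELL_ESCAPES is an assumed subset of the binaries GTFOBins lists.
"""
import re

# Binaries that spawn a shell or read/write arbitrary files when run as root.
# Assumed subset; extend from GTFOBins for a real engagement.
SHELL_ESCAPES = {
    "vim", "vi", "nano", "less", "more", "man", "find", "awk", "perl",
    "python", "python3", "bash", "sh", "env", "tar", "zip", "cp", "tee",
}

_RULE_RE = re.compile(r"^\(([^)]*)\)\s*(.*)$")   # "(runas[ : group]) <specs>"
_TAG_RE = re.compile(r"^([A-Z]+):\s*")            # NOPASSWD:, PASSWD:, SETENV:, ...

SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on web01:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl status nginx
    (www-data) /usr/bin/less /var/log/nginx/access.log
    (root) !/usr/bin/su
"""


def parse_sudo_l(text: str) -> dict:
    """Return {'user': name, 'rules': [...]} with one rule per command spec."""
    user, rules, in_rules = None, [], False
    for line in text.splitlines():
        um = re.match(r"User (\S+) may run the following commands", line.strip())
        if um:
            user, in_rules = um.group(1), True
            continue
        if not in_rules or not line.strip():
            continue
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        runas_user = m.group(1).split(":")[0].strip()
        nopasswd = False  # sudo's default; a tag carries over to later commands in the list
        for item in m.group(2).split(","):
            item = item.strip()
            while (tm := _TAG_RE.match(item)):
                if tm.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tm.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tm.end():]
            if not item:
                continue
            rules.append({
                "runas": runas_user,
                "nopasswd": nopasswd,
                "command": item.lstrip("!"),
                "negated": item.startswith("!"),
            })
    return {"user": user, "rules": rules}


def root_paths(parsed: dict) -> list[str]:
    """Rules that give root outright (ALL) or via a binary with a known shell escape."""
    hits = []
    for r in parsed["rules"]:
        if r["negated"] or r["runas"] not in ("ALL", "root"):
            continue
        if r["command"] == "ALL":
            hits.append("ALL as root: 'sudo -i' (or 'sudo su -') is a root shell")
            continue
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            need = "without a password" if r["nopasswd"] else f"with {parsed['user']}'s password"
            hits.append(f"{r['command']} as root: shell escape via {binary}, {need}")
    return hits


if __name__ == "__main__":
    for hit in root_paths(parse_sudo_l(SAMPLE_SUDO_L)):
        print(hit)
```

Note the ''less'' rule is not reported: it runs as ''www-data'', not root, so it is a lateral step rather than a root path, and the ''!/usr/bin/su'' line is a denial, not a grant.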

----

==== SUID ====

**SUID:** Set User ID.  **SGID:** Set Group ID
  * These are special bits of a file that tell Linux to run the executable as the owner (SUID) or as the group (SGID) of the file, not as the user who launched it. A root-owned SUID binary that can be coaxed into spawning a shell, or into reading or writing a file of your choosing, therefore gives you root.

To find all the files on a system that have the SUID bit set:

<code>
find / -perm -4000 -type f 2>/dev/null
# or (/4000 means "any of these bits", which for a single bit is the same as -4000)
find / -perm /4000 -type f 2>/dev/null

# Same search in symbolic mode, regular files only, permission errors suppressed:
find / -perm -u=s -type f 2>/dev/null
# To see all the details (owner, mode, size) of root-owned SUID files:
find / -user root -perm -4000 -type f -exec ls -ldb {} \; 2>/dev/null
# note: you need a space between {} and \;
</code>

''-type f'' drops directories (the SUID bit on a directory does nothing on Linux) and ''2>/dev/null'' hides the permission-denied noise from directories you cannot enter. Compare the result with what the distribution installs by default (''passwd'', ''sudo'', ''su'', ''mount'', ''umount'', ''chsh'', ''chfn'', ''gpasswd'', ''newgrp'' and a handful of others): anything unusual, or a standard binary at an old version, is what you look at first.
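The same sweep as a single pass that also covers the other file-based items from the Common Attack Vectors list above (SGID files, world-writable files, leftover ''.bak'' style backups), as an added Python example (not from this wiki page). It is a rendering of the ''find'' commands for when you want the result as data rather than text; ''DEFAULT_SUID'' is an assumed typical Debian/Ubuntu baseline, so trim it to the target's distribution, and the self-test tree it builds is constructed data.

```python
"""Walk a filesystem for SUID/SGID binaries, world-writable files and leftover backups,
and diff the SUID list against what a stock install ships.

Added example (not from the original wiki page). DEFAULT_SUID is an assumed
typical Debian/Ubuntu baseline; self_test_tree() builds constructed sample data.
"""
import os
import stat

# Assumed baseline of SUID programs a default install carries. Anything outside it
# (or a stale version of something inside it) is what you look at first.
DEFAULT_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/fusermount3", "/usr/lib/openssh/ssh-keysign",
}

BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")
PRUNE = ("/proc", "/sys", "/dev")  # kernel views, not files worth auditing


def audit(root: str, baseline: set[str] = DEFAULT_SUID) -> dict:
    """One os.walk over `root`; symlinks are not followed, unreadable dirs are skipped."""
    found = {"suid": [], "sgid": [], "world_writable": [], "backups": []}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PRUNE]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                found["suid"].append(path)
            if st.st_mode & stat.S_ISGID:
                found["sgid"].append(path)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable"].append((path, st.st_uid))  # keep owner: root-owned is the prize
            if name.endswith(BACKUP_SUFFIXES):
                found["backups"].append(path)
    for key in found:
        found[key].sort()
    found["unexpected_suid"] = sorted(set(found["suid"]) - baseline)
    return found


def self_test_tree() -> dict:
    """Build a throwaway directory with one of each finding and audit it (constructed data)."""
    import tempfile
    base = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)

    def touch(path, mode):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)

    touch(os.path.join(bindir, "passwd"), 0o4755)    # expected SUID (in baseline)
    touch(os.path.join(bindir, "backupd"), 0o4755)   # unexpected SUID
    touch(os.path.join(bindir, "wall"), 0o2755)      # SGID
    touch(os.path.join(base, "notes.txt"), 0o666)    # world-writable
    touch(os.path.join(base, "shadow.bak"), 0o644)   # backup file
    return audit(base, baseline={os.path.join(bindir, "passwd")})


if __name__ == "__main__":
    import sys
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else self_test_tree()
    for key in ("unexpected_suid", "sgid", "world_writable", "backups"):
        items = result[key]
        print(f"== {key} ({len(items)}) ==")
        for item in items:
            print("  ", item)
```

Run it with ''/'' as the argument on the target (it needs only a Python interpreter, no root), or with no argument to exercise it against the constructed tree.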

----

==== udevd ====
  
If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd...
----
  
===== Windoze =====

==== LSA Secrets Registry ====

**LSA Secrets** are a protected credential store kept by the Local Security Authority, encrypted in the registry. They typically hold service-account passwords, the ''DefaultPassword'' used for auto-logon (the one case where a logged-in user's actual password is in there), the ''NL$KM'' key that protects cached domain logons, and the DPAPI system keys. They do not, in general, hold every logged-in user's password.
  * You can find the LSA Secrets here: ''HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets''
  * The key that decrypts them lives in the parent key, ''HKEY_LOCAL_MACHINE\SECURITY\Policy'' (''PolEKList'' on current Windows versions), and is itself encrypted with the boot key, which is derived from class values under ''HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa''.
  * The ''SECURITY'' hive is not readable even by an administrator through the normal registry tools (only SYSTEM is granted access), but an administrator can export it with ''reg save'' or open it with ''regedit'' running as SYSTEM.

So, if you have admin access to the Windows Registry, you can recover the encrypted secrets and their key fairly easily: export the ''SECURITY'' and ''SYSTEM'' hives and decrypt offline with ''lsadump'' from ''creddump'' or ''secretsdump.py'' from ''impacket'', or run ''lsadump::secrets'' in ''mimikatz'' on the host.
method_5_post-exploitation.1668973475.txt.gz · Last modified: by gman