The gMan nixWiki

Because the mind is made of Teflon...


method_5_post-exploitation

method_5_post-exploitation [2023/01/12 00:02] gmanmethod_5_post-exploitation [2023/01/12 00:31] (current) – [First Thing] gman
Line 33: Line 33:
     * Concealment     * Concealment
     * Retain Access     * Retain Access
 +
 +----
 +
 +===== First Thing =====
 +
 +After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (passwords).
 +
 +**Windows:** The go-to tool is ''mimikatz'' (it can read hashes directly from memory).
 +
 +**Linux:** The ''creddump'' package contains...
 +  - ''cachedump'': dumps cashed credentials
 +  - ''lsadump'': dumps LSA Secrets
 +  - ''pwdump'': dumps password hashes
 +
 +Linux passwords are usually found in ''/etc/shadow''.
 +  * You can simply copy that file to your attack machine and crack offline (if you have root).
 +  * Therefore, priv esc is a key part of acquiring credentials.
  
 ---- ----
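Review bot: The "Linux:" label on the ''creddump'' list conflicts with the page's own later section, which places LSA Secrets under the Windows registry; ''cachedump'', ''lsadump'' and ''pwdump'' read Windows registry hives (SAM, SYSTEM, SECURITY), so the label should say something like "Windows hives (tooling runs from Linux):" rather than implying these dump Linux credentials. Also "cashed credentials" should read "cached credentials", and since "(if you have root)" is the precondition for reading ''/etc/shadow'' at all, the bullet reads better as "If you have root, you can simply copy that file to your attack machine and crack offline."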
Line 93: Line 110:
 ====== Privilege Escalation ====== ====== Privilege Escalation ======
  
-===== SUDO =====+===== Linux ===== 
 + 
 +==== SUDO ====
  
 ''sudo'' is the "super user do" command.  ''sudo'' is the "super user do" command. 
Line 103: Line 122:
   * Try to compromise accounts with sudo privilege.   * Try to compromise accounts with sudo privilege.
  
-One of the first commands you want to execute in order to abuse ''sudoer'' rights: ''sudo -l''+One of the first commands you want to execute in order to abuse sudoer rights: ''sudo -l''
   * This will list ("-l" is for "list") the sudoers.   * This will list ("-l" is for "list") the sudoers.
   * This shows you the user account names and privileges they have within the sudo environment.   * This shows you the user account names and privileges they have within the sudo environment.
Line 109: Line 128:
 ---- ----
  
-===== SUID =====+==== SUID ====
  
 **SUID:** Set User ID.  **SGID:** Set Group ID **SUID:** Set User ID.  **SGID:** Set Group ID
Line 130: Line 149:
 ---- ----
  
-===== udevd =====+==== udevd ====
  
 If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd... If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd...
Line 212: Line 231:
 ---- ----
  
 +===== Windoze =====
 +
 +==== LSA Secrets Registry ====
 +
 +The **LSA Secrets Registry** contains the password of the currently logged-in user in an encrypted form.
 +  * You can find the LSA Secrets Registry here: ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''
 +  * You can find the encryption key to the user's password in the parent directory: ''HKEY_LOCAL_MACHINE/Security/Policy''
 +
 +So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily. 
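Review bot: The registry paths use forward slashes and call the parent a "directory"; registry key paths are written with backslashes and the containers are keys, so these should read ''HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets'' and "in the parent key ''HKEY_LOCAL_MACHINE\SECURITY\Policy''". The opening sentence also overstates the contents: LSA Secrets hold credentials stored for the system's own use (service account passwords, auto-logon passwords and similar), not the interactive password of whoever is currently logged in, so "the password of the currently logged-in user" should be reworded; the currently logged-in user's credential material is what the earlier ''mimikatz'' line refers to (read from memory), which is a different source.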
method_5_post-exploitation.1673481746.txt.gz · Last modified: by gman