Differences

This shows you the differences between two versions of the page.

--- method_5_post-exploitation [2023/01/12 00:02] – [SUDO] gman
+++ method_5_post-exploitation [2023/01/12 00:31] (current) – [First Thing] gman
@@ Line 33: / Line 33: @@
     * Concealment
     * Retain Access
+----
+===== First Thing =====
+After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (passwords).
+**Windows:** The go-to tool is ''mimikatz'' (it can read hashes directly from memory).
+**Linux:** The ''creddump'' package contains...
+  - ''cachedump'': dumps cashed credentials
+  - ''lsadump'': dumps LSA Secrets
+  - ''pwdump'': dumps password hashes
+Linux passwords are usually found in ''/etc/shadow''.
+  * You can simply copy that file to your attack machine and crack offline (if you have root).
+  * Therefore, priv esc is a key part of acquiring credentials.
 ----
@@ Line 93: / Line 110: @@
 ====== Privilege Escalation ======
-===== SUDO =====
+===== Linux =====
+==== SUDO ====
 ''sudo'' is the "super user do" command.
@@ Line 109: / Line 128: @@
 ----
-===== SUID =====
+==== SUID ====
 **SUID:** Set User ID.  **SGID:** Set Group ID
@@ Line 130: / Line 149: @@
 ----
-===== udevd =====
+==== udevd ====
 If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd...
@@ Line 212: / Line 231: @@
 ----
+===== Windoze =====
+==== LSA Secrets Registry ====
+The **LSA Secrets Registry** contains the password of the currently logged-in user in an encrypted form.
+  * You can find the LSA Secrets Registry here: ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''
+  * You can find the encryption key to the user's password in the parent directory: ''HKEY_LOCAL_MACHINE/Security/Policy''
+So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily.