OSCP Playbook

Post Exploitation methodology

Post-exploitation refers to any actions taken after a session is opened.
Some of the actions you can take in an open session include:
  • Collect System Information (Run script or manual find)
  • Pivot
  • Run Meterpreter Modules
  • Search the File System

Linux Privilege Escalation Checklist

  • Kernel Exploit (Use script)
  • Exploiting services running as root (find them with netstat -antup and ps aux | grep root)
  • Exploiting SUID Executables
  • Exploiting SUDO rights/user
  • Exploiting badly configured cron jobs
  • Exploiting users with ‘.’ in their PATH

Linux script

Windows script

windows-exploit-suggestor.py
windows_privesc_check.py
windows-privesc-check2.exe

See Linux Post exploitation command line

Things to look for

  • Misconfigured services (cron jobs)
  • Any running as a privileged user?
  • Incorrect file permissions (exportfs, sudo)
  • Misconfigured environment ($PATH)
  • Binary with SUID bit
  • Software or OS with known vulnerabilities
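The following audit script is an added example, not part of the playbook, and covers three of the items above from the hardening side: a PATH that contains '.', an empty element or a relative directory; a cron entry whose command is world-writable; and set-uid executables under a tree. It assumes a POSIX sh with a find that supports -maxdepth and -perm (GNU and BSD both do) and mktemp; the sample tree and crontab it builds are constructed for the demonstration. Each check prints its findings and returns 0 when it found something, so the functions can be wired into a hardening script.

```shell
#!/bin/sh
# Added audit helpers (not from the playbook). Each check returns 0 when it
# finds a problem and 1 when the item looks clean.

# PATH hygiene. '.', an empty element (which the shell treats as '.') or a
# relative directory lets a binary dropped in the working directory shadow
# a system command for whoever inherits that PATH, root via cron included.
check_path() {
    p="${1:-$PATH}"
    rc=1
    case ":$p:" in
        *::*|*:.:*) echo "PATH contains '.' or an empty element: $p"; rc=0 ;;
    esac
    rest="$p:"                          # split on ':' without touching IFS
    while [ -n "$rest" ]; do
        d="${rest%%:*}"; rest="${rest#*:}"
        case "$d" in
            ''|.|/*) ;;                  # empty/'.' reported above, absolute is fine
            *) echo "PATH contains relative entry: $d"; rc=0 ;;
        esac
    done
    return $rc
}

# Cron. Parse a system-crontab-format file (m h dom mon dow user command)
# and flag commands whose executable is world-writable: whoever can edit
# that file chooses what root runs at the next tick.
cron_writable_commands() {
    file="$1"
    rc=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, or VAR=value line
        esac
        set -f; set -- $line; set +f          # -f: the '*' fields must not glob
        case "$1" in
            @*) user="$2"; cmd="$3" ;;        # @reboot / @daily style entry
            *)  [ $# -ge 7 ] || continue; user="$6"; cmd="$7" ;;
        esac
        if [ -f "$cmd" ] && [ -n "$(find "$cmd" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            echo "world-writable cron command (runs as $user): $cmd"
            rc=0
        fi
    done < "$file"
    return $rc
}

# SUID. List set-uid executables under a tree; compare the list against a
# known-good baseline for the distribution and look at anything unexpected.
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Constructed sample: a fake set-uid binary, a world-writable script that a
# crontab runs as root (twice), and a correctly permissioned one.
build_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/opt"
    printf '#!/bin/sh\necho hi\n' > "$t/usr/bin/suidbin"; chmod 4755 "$t/usr/bin/suidbin"
    printf '#!/bin/sh\n' > "$t/opt/backup.sh"; chmod 777 "$t/opt/backup.sh"
    printf '#!/bin/sh\n' > "$t/opt/rotate.sh"; chmod 755 "$t/opt/rotate.sh"
    printf 'SHELL=/bin/sh\nPATH=/usr/bin:/bin\n# constructed sample crontab\n0 2 * * * root %s\n30 3 * * * root %s\n@reboot root %s\n' \
        "$t/opt/backup.sh" "$t/opt/rotate.sh" "$t/opt/backup.sh" > "$t/crontab"
    echo "$t"
}

# Stand-alone run: audit the constructed sample plus a deliberately bad PATH.
sample=$(build_sample)
check_path "/usr/local/bin:/usr/bin:.:/bin" || :
cron_writable_commands "$sample/crontab" || :
list_suid "$sample"
rm -rf "$sample"
```

On a real host, run list_suid against / and cron_writable_commands against /etc/crontab and each file in /etc/cron.d; the useful output is the difference from a clean install of the same distribution, not the raw list.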

SUDO

Can you su to root without a password?
su root
Are you a sudo user already? Do you have access to powerful commands like chown or chmod?
sudo su -
Log in as another user
sudo -i -u <username>

Privilege Escalation using SUID Binaries

Grep hardcoded passwords

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'