Post Exploitation
All you need to know about basic host-based post exploitation for OSCP
Last updated
JuicyPotato is an automated privilege escalation (PE) tool that escalates from a Windows service account to NT AUTHORITY\SYSTEM.
First, you need to check the OS information of the victim Windows Host by
Each Windows OS version needs its own CLSID. You can pick a CLSID from https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md
Check whether the victim is vulnerable to the JuicyPotato PE script: SeImpersonatePrivilege must be enabled.
Download nc.exe and juicypotato.exe, then simply upload both to a writable directory on the victim host. I normally just write to a temp folder under \appdata\local\temp\.
If powershell isn't working, try with certutil command.
Then create a rev.bat (reverse shell batch) file to get a reverse shell.
Then run Juicy with the correct clsid.
On the attacker host, start the listener with some uncommon port
You can try the cacls command to see if you are able to grant root permission to the current/specific user.
To check the permissions on root.txt, use icacls.
Only Administrator can access root.txt
However, Alfred owns root.txt. The ownership of each file in a directory can be checked with the dir flags
/q - show ownership
/a - all files in the directory
Since the user Alfred owns root.txt, Alfred has the ability to grant users access to it regardless of anything else.
You can grant alfred read permission on root.txt
where
/t - apply recursively
/e - edit the existing ACL instead of replacing it
/g - grant
alfred:r - give alfred read control of the file
We see that C:\SVCcheck\SVCcheck.bat will be executed every 5 mins... Check the file permissions:
Everyone has full rights.
Now write your reverse shell command into SVCcheck.bat with echo.
Then simply wait 5 mins and you'll get the reverse shell.
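The misconfiguration above (a script run on a schedule by a privileged account, but writable by Everyone) is something a defender can audit for. The following is an added example, not part of the original notes: it parses icacls output and flags ACEs that give low-privilege principals write access. The icacls output below is constructed for the example, not captured from a real host.

```python
import re

# Constructed sample of icacls output for two scheduled-task scripts (not real host data):
# the first file is world-writable, the second is locked down with read-only access for Users.
SAMPLE_ICACLS_OUTPUT = r"""
C:\SVCcheck\SVCcheck.bat Everyone:(F)
                         BUILTIN\Administrators:(I)(F)
                         NT AUTHORITY\SYSTEM:(I)(F)
                         BUILTIN\Users:(I)(RX)

C:\Windows\Tasks\cleanup.bat NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)
                             BUILTIN\Users:(I)(RX)

Successfully processed 2 files; Failed processing 0 files
"""

# Principals every interactive user belongs to; write access for them lets any local
# account replace a script that a scheduled task later runs with higher privileges.
LOW_PRIV_PRINCIPALS = {
    "everyone", "users", "builtin\\users", "authenticated users",
    "nt authority\\authenticated users", "nt authority\\interactive",
}
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D"}  # rights that allow modifying/replacing
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}               # not access rights, ignored

ACE = (r"(?P<principal>[A-Za-z][A-Za-z0-9 ._-]*(?:\\[A-Za-z0-9 ._-]+)?):"
       r"(?P<perms>(?:\([^)]*\))+)$")
FIRST_LINE_RE = re.compile(r"^(?:(?P<path>.*?\S)\s+)?" + ACE)  # path precedes the first ACE
CONT_LINE_RE = re.compile("^" + ACE)                           # indented lines: ACE only

def parse_icacls(output):
    """Yield (path, principal, set_of_rights) for every ACE in icacls output."""
    path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = (CONT_LINE_RE if raw[:1].isspace() else FIRST_LINE_RE).match(line)
        if not m:
            continue                          # e.g. the "Successfully processed ..." summary
        if "path" in m.groupdict() and m.group("path"):
            path = m.group("path")
        tokens = re.findall(r"\(([^)]*)\)", m.group("perms"))
        rights = {t for tok in tokens for t in tok.split(",") if t not in INHERITANCE_FLAGS}
        yield path, m.group("principal"), rights

def find_weak_aces(output):
    """Return [(path, principal, sorted write rights)] for ACEs granting write to low-privilege principals."""
    return [(p, who, sorted(r & WRITE_RIGHTS)) for p, who, r in parse_icacls(output)
            if who.lower() in LOW_PRIV_PRINCIPALS and r & WRITE_RIGHTS]

if __name__ == "__main__":
    for path, who, rights in find_weak_aces(SAMPLE_ICACLS_OUTPUT):
        print(f"WEAK: {path} grants {who} {','.join(rights)}")
```

On a real host, feed it the saved output of icacls run against the task's script directory; anything it flags should be re-ACLed so only Administrators and SYSTEM can write.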
You can check whether the administrator account has no password by
Then you can simply spawn an ncat reverse shell with runas.
If you already got the administrator password, you can simply try psexec by running cmd as Administrator and get a shell.
Run PowerShell as a different user and get the reverse shell
Microsoft Windows [Version 6.1.7601] (i.e. Win 7 SP1)
https://www.exploit-db.com/exploits/40564/ (MS11-046)
Original code:
Modified code to add admin user:
Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping and packet sniffing.
Remote Code Execution: atexec.py, dcomexec.py, psexec.py, smbexec.py and wmiexec.py
SMB/MSRPC: getArch.py, ifmap.py, lookupsid.py, samrdump.py, services.py, netview.py, smbclient.py, opdump.py, rpcdump.py and reg.py
Kerberos: GetST.py, GetPac.py, GetUserSPNs.py, GetNPUsers.py, ticketer.py and raiseChild.py
Windows Secrets: mimikatz.py
Server Tools/MiTM Attacks: karmaSMB.py and smbserver.py
WMI: wmipersist.py
Known Vulnerabilities: sambaPipe.py
MSSQL / TDS: mssqlclient.py
File Formats: ntfs-read.py and registry-read.py
Others: mqtt_check.py, rdp_check.py, sniffer.py, ping.py, and ping6.py
lookupsid.py allows you to brute-force Windows SIDs through [MS-LSAT] MSRPC.
You can use windows-privesc-check by pentestmonkey
Or try with PowerUp.ps1 to find some hidden hints
A PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
Linux Privilege Escalation is not as complex as Windows. I'd recommend running the known automation scripts before you start exploiting.