Overview

  • Once exploitation succeeds, the access gained is usually low-privilege (i.e., a locked-down service account used only to run the web app).
  • This stage essentially opens a new chapter of information gathering, since fresh recon is needed to determine the best path forward into privilege escalation and/or lateral movement.
    • At the post-exploitation stage, pillaging (collecting data and credentials from the compromised host) becomes a new element of information gathering. It helps establish the role of the system and how it communicates with other systems, which can reveal paths for lateral movement or credentials that can be stolen and re-used.
  • This stage can be the most critical for evasive testing, as simple commands like net user or whoami run from an unusual account or IP can trigger alerts and cause our compromised user account or host to be quarantined.
  • Data exfiltration can be an additional step during post-exploitation. It must already be stated in the scope, as the type of data involved could be subject to other regulations (HIPAA, PCI, GLBA, etc.).
    • Dummy data can be created to test exfiltration and to see whether DLP, EDR or firewall systems detect it.
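
The dummy-data idea above, as an added example (not part of the original notes): a small Python script that builds a synthetic CSV of SSN- and card-shaped records that trigger typical DLP pattern rules, but are unmistakably fake. The marker string PENTEST-DLP-CANARY, the record layout and the seed are assumptions chosen for this example; the card numbers are random digits with a valid Luhn check digit and are not tied to any issuer, and the SSN-shaped strings use an area number the SSA never issues. The SHA-256 fingerprint is recorded before the test so that a proxy, DLP or EDR hit can later be matched to exactly this file.

```python
import csv
import hashlib
import io
import random

# Marker embedded in every synthetic record so a DLP/EDR hit can be attributed
# to the engagement and never mistaken for real data. (Constructed value.)
CANARY = "PENTEST-DLP-CANARY"


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the rightmost digit; the digit just left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum (what most DLP card rules test)."""
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def fake_card(rng: random.Random) -> str:
    """A 16-digit Luhn-valid number built from random digits; not a real card."""
    body = "".join(str(rng.randrange(10)) for _ in range(15))
    return body + luhn_check_digit(body)


def fake_ssn(rng: random.Random) -> str:
    """An SSN-shaped string whose area number (900-999) is never issued by the SSA."""
    return f"{rng.randrange(900, 1000):03d}-{rng.randrange(1, 100):02d}-{rng.randrange(1, 10000):04d}"


def build_dataset(n: int, seed: int = 1234) -> str:
    """Return n synthetic records as CSV text; deterministic for a given seed."""
    rng = random.Random(seed)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["marker", "record_id", "name", "ssn", "card"])
    for i in range(n):
        writer.writerow([CANARY, f"{i:06d}", f"Test User {i}", fake_ssn(rng), fake_card(rng)])
    return buf.getvalue()


def fingerprint(data: str) -> str:
    """SHA-256 of the dataset, noted before any test transfer so logs can be matched to it."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    dataset = build_dataset(5)
    print(dataset)
    print("sha256:", fingerprint(dataset))
```

Keep the seed and fingerprint in the engagement notes: if the file shows up in a DLP quarantine or a proxy log, the hash ties the event to this specific test file rather than to a real customer dataset.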

Simple Shell to Interactive

The shell obtained from a reverse shell connection is usually very fragile: it can hang or crash at any moment, losing the progress made in gaining access. Upgrading it to a stable, fully interactive shell can be crucial for further exploitation.

# after the revshell nc listener has hooked, spawn a pseudo-terminal shell on the victim
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
# CTRL + Z to background the reverse shell
attacker@hackbook:~$ echo $TERM                 # note the result, e.g. xterm-256color
attacker@hackbook:~$ stty -a                    # note the rows and columns
attacker@hackbook:~$ stty raw -echo; fg         # enter tty raw mode (which will glitch the ui)
victim@hackbook:~$ export TERM=xterm-256color   # use the same value as the echo $TERM output above
victim@hackbook:~$ stty rows 36 columns 161     # use the rows and columns from the stty -a output above
# resume activity on victim
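
From the defender's side, both the "strange account runs whoami / net user" point in the overview and the pty upgrade above are concrete signals to alert on. The following Python is an added example (not part of the original notes) of detection logic run over constructed process-start events in the shape a simple EDR or auditd pipeline might emit; the account names, parent-process list and event fields are assumptions for this example. It flags the pty.spawn one-liner, a shell launched by a web service account or directly under a web server process, and host-recon commands run by such an account.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Accounts that normally only run web/application services. An interactive shell
# or recon command under one of them is the "strange account" signal. (Constructed.)
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "tomcat", "iis apppool\\defaultapppool"}
# Web server parents: a shell spawned directly under one is suspicious on its own.
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "w3wp.exe", "tomcat"}
# Shell binaries (argv[0] basenames) and common first-foothold recon commands.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
RECON = {"whoami", "id", "hostname", "uname", "net", "net.exe", "ifconfig", "ip", "ipconfig"}
# The python one-liner used to turn a dumb reverse shell into a pty.
PTY_UPGRADE = re.compile(r"import\s+pty\s*;\s*pty\.spawn\(")

# Constructed process-start events; not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "host": "web01", "user": "www-data", "parent": "apache2",
     "cmd": '/bin/sh -c "id"'},
    {"ts": "2024-05-01T10:00:05Z", "host": "web01", "user": "www-data", "parent": "sh",
     "cmd": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"ts": "2024-05-01T10:00:09Z", "host": "web01", "user": "www-data", "parent": "bash",
     "cmd": "whoami"},
    {"ts": "2024-05-01T10:01:00Z", "host": "web01", "user": "alice", "parent": "bash",
     "cmd": "whoami"},
    {"ts": "2024-05-01T10:02:00Z", "host": "web01", "user": "root", "parent": "cron",
     "cmd": "/usr/bin/python3 /opt/backup/run.py"},
    {"ts": "2024-05-01T10:03:00Z", "host": "iis01", "user": "iis apppool\\defaultapppool",
     "parent": "w3wp.exe", "cmd": "cmd.exe /c whoami"},
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmd: str


def argv0(cmd: str) -> str:
    """Basename of the first token of a command line, lower-cased ('' if empty)."""
    tokens = cmd.strip().split()
    if not tokens:
        return ""
    return tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the three rules to one process-start event and return any findings."""
    user = event.get("user", "").lower()
    parent = event.get("parent", "").lower()
    cmd = event.get("cmd", "")
    exe = argv0(cmd)
    from_service = user in SERVICE_ACCOUNTS or parent in WEB_PARENTS
    findings = []
    # Rule 1: the pty upgrade one-liner is almost never run by a legitimate process.
    if PTY_UPGRADE.search(cmd):
        findings.append(Finding(event["ts"], event["host"], user, "pty-shell-upgrade", cmd))
    # Rule 2: a service account (or a web server parent) launching a shell.
    if from_service and exe in SHELLS:
        findings.append(Finding(event["ts"], event["host"], user, "service-account-shell", cmd))
    # Rule 3: a service account running host-recon commands.
    if from_service and exe in RECON:
        findings.append(Finding(event["ts"], event["host"], user, "service-account-recon", cmd))
    return findings


def scan(events) -> list:
    """Run evaluate() over a stream of events and collect findings in order."""
    out = []
    for ev in events:
        out.extend(evaluate(ev))
    return out


def rule_counts(findings) -> dict:
    """Summarise findings as {rule: count}, handy for a dashboard or a test."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user!r} {f.rule}: {f.cmd}")
```

Rule 2 will fire on legitimate `sh -c` helpers some web apps use, so in practice the service-account list and parent list are tuned against a baseline; the pty one-liner rule, by contrast, has almost no benign hits and is the cheapest of the three to deploy.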

Further Enumeration

Once on the machine, host enumeration helps discover new information that can be used to move laterally or escalate privileges.