Post Exploit Checks

General Enumeration

- Determine whether the environment is a real host or a container
- Know the permissions of the current user
- Know the users on the system
- Check these configuration files:
  - .htaccess files
  - /etc/apache2/sites-enabled/*
  - /etc/nginx/nginx.conf
  - /etc/ssh/sshd_config
  - Application-specific configs: wp-config, settings.php etc.
Groups Exploitation

4 (adm)
- Members of the adm group can read the log files
- Machines:
  - Academy - HTB: https://www.youtube.com/watch?v=yQl5RA6APyQ&t=2620
  - Doctor - HTB: https://youtube.com/watch?v=JcOR9krOPFY&t=1780

116 (lxd)
- Members of the lxd group can create a Docker-like container that mounts the host's /root inside the containerized environment
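The configuration and group checks above are the same ones a hardening audit runs from the defender's side. The following is an added example (not code from the original page): it parses sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional, absent keywords fall back to sshd's compiled defaults) and reads /etc/group to report members of the adm and lxd groups. The two sample files at the bottom are constructed fixtures, not a real host's files; the function works on text so it runs offline.

```python
"""Audit the sshd_config and group-membership items from the checklist.
Added example, not from the original page. Works on text passed in, so it
runs offline against the constructed samples below."""
import re
from typing import Dict, List

# Keyword -> values that weaken sshd. Keywords are case-insensitive in sshd_config.
RISKY_SSHD = {
    "permitrootlogin": {"yes", "without-password"},
    "passwordauthentication": {"yes"},
    "permitemptypasswords": {"yes"},
    "x11forwarding": {"yes"},
}
# sshd's compiled defaults, used when the keyword is absent from the file.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}
# Groups from the checklist whose membership is effectively privileged.
SENSITIVE_GROUPS = {
    "adm": "can read log files",
    "lxd": "can launch containers that mount host filesystems",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> effective value. sshd uses the FIRST occurrence of a
    keyword, so later duplicates are ignored; everything after a Match line is
    conditional and is skipped here."""
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)           # first occurrence wins
    return effective


def audit_sshd(text: str) -> List[str]:
    """Report risky effective settings, marking those that come from defaults."""
    findings = []
    settings = parse_sshd_config(text)
    for key, bad in RISKY_SSHD.items():
        if key in settings:
            value, source = settings[key].lower(), ""
        else:
            value, source = SSHD_DEFAULTS[key], " (default)"
        if value in bad:
            findings.append(f"sshd_config: {key} is '{value}'{source}")
    return findings


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Parse /etc/group lines (name:password:gid:member1,member2).
    Caveat: users whose PRIMARY group is listed in /etc/passwd do not appear here."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def audit_groups(text: str) -> List[str]:
    """Report every member of a sensitive group and why that matters."""
    findings = []
    groups = parse_group_file(text)
    for name, why in SENSITIVE_GROUPS.items():
        for member in groups.get(name, []):
            findings.append(f"group {name}: member '{member}' {why}")
    return findings


# Constructed sample files (not taken from any real host).
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # duplicate: the first occurrence above wins
Match User backup
    PermitRootLogin no
"""
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog,webadmin
lxd:x:116:webadmin
users:x:100:
"""


def run_audit() -> List[str]:
    """Run both audits over the constructed samples."""
    return audit_sshd(SAMPLE_SSHD_CONFIG) + audit_groups(SAMPLE_GROUP_FILE)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On a real host, feed `audit_sshd` the contents of /etc/ssh/sshd_config (including any files pulled in by Include directives, which this parser does not follow) and `audit_groups` the contents of /etc/group; a user whose primary GID is 4 or 116 must be caught through /etc/passwd separately.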
Files Enumeration

- Find SUID binaries
- Find writable files
- Find files owned by the user or the user's groups
- Locations to check

Background Jobs Enumeration

- Crontabs
- Enumerate processes with pspy
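The file checks (SUID binaries, writable files) and the crontab check above combine naturally into one integrity audit: inventory SUID files and compare against a known-good baseline, list world-writable files, and flag any cron job whose command is one of those writable files. The code below is an added example, not code from the original page. It builds its own throwaway directory tree and a constructed crontab string as fixtures, so it touches no real system paths; `build_sample_tree`, `run_audit` and the fixture paths are assumptions of this example.

```python
"""Integrity audit for the file and background-job items from the checklist.
Added example, not from the original page. Runs against a temporary tree it
builds itself (constructed fixture), never against the real filesystem."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Set


def scan_tree(root: str) -> Dict[str, Set[str]]:
    """Walk root without following symlinks; collect regular files that carry
    the setuid/setgid bit or are writable by everyone."""
    found: Dict[str, Set[str]] = {"suid": set(), "world_writable": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:          # vanished or unreadable entry: skip
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found["suid"].add(path)
            if st.st_mode & stat.S_IWOTH:
                found["world_writable"].add(path)
    return found


def new_suid_since_baseline(current: Set[str], baseline: Set[str]) -> Set[str]:
    """SUID files absent from a known-good inventory: a strong signal that
    something was added after the baseline was taken."""
    return current - baseline


def audit_crontab(crontab_text: str, world_writable: Set[str]) -> List[str]:
    """Flag jobs in system-crontab format (5 time fields, user, command, or
    @special, user, command) whose command is a world-writable file: anyone who
    can edit that file gets code run as the job's user."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue                 # blank, comment or VAR=value line
        if fields[0].startswith("@") and len(fields) >= 3:
            user, command = fields[1], fields[2]
        elif len(fields) >= 7:
            user, command = fields[5], fields[6]
        else:
            continue
        if command in world_writable:
            findings.append(f"cron job as {user} runs world-writable {command}")
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: a temp dir holding one setuid file, one
    world-writable script and one ordinary file. Setting the setuid bit on a
    file you own needs no special privileges."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    bin_dir = Path(root, "usr", "bin")
    opt_dir = Path(root, "opt", "backup")
    bin_dir.mkdir(parents=True)
    opt_dir.mkdir(parents=True)
    helper = bin_dir / "helper"
    helper.write_text("#!/bin/sh\n")
    helper.chmod(0o4755)             # setuid, not world-writable
    script = opt_dir / "run.sh"
    script.write_text("#!/bin/sh\n")
    script.chmod(0o777)              # world-writable
    notes = opt_dir / "notes.txt"
    notes.write_text("nothing special\n")
    notes.chmod(0o644)               # explicit so the umask cannot skew results
    return root


def run_audit(root: str, baseline: Set[str]) -> Dict[str, List[str]]:
    """Scan the tree and check a constructed crontab that references its files."""
    found = scan_tree(root)
    crontab = (
        "# constructed sample, not a real /etc/crontab\n"
        "SHELL=/bin/sh\n"
        f"*/5 * * * * root {os.path.join(root, 'opt', 'backup', 'run.sh')}\n"
        f"@daily root {os.path.join(root, 'usr', 'bin', 'helper')}\n"
    )
    return {
        "suid": sorted(found["suid"]),
        "world_writable": sorted(found["world_writable"]),
        "new_suid": sorted(new_suid_since_baseline(found["suid"], baseline)),
        "cron": audit_crontab(crontab, found["world_writable"]),
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for section, items in run_audit(sample_root, baseline=set()).items():
        print(section, items)
```

On a real system the baseline is the SUID inventory recorded right after provisioning; rerunning `scan_tree("/")` as root and diffing with `new_suid_since_baseline` turns the checklist's "find SUID binaries" step into a repeatable detection, and `audit_crontab` takes the contents of /etc/crontab and /etc/cron.d/* in the same system format.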
Network Enumeration

- Know the network adapters (the host might be communicating internally with other hosts)
- Open ports and services

Process Enumeration

- Enumerate the services that are running
- Get more information about each process (e.g. the arguments it was started with; they might contain passwords)

Web Directories

- Check the web directories for passwords

MySQL

- If MySQL is running as root on the machine, check for privilege escalation via library loading
- Ending a query with \G instead of ; makes the mysql client print the result in a vertical, more readable format