Daemon Of Hacking
Situational Awareness


Last updated 8 months ago


Introduction

Situational awareness is the process of gathering and understanding key details about the environment after gaining initial access to a system. It involves identifying the system’s role, installed software, network configurations, and defenses, which are crucial for determining how to proceed with privilege escalation, lateral movement, or stealth techniques.

Situational awareness is essential because it allows us to understand the target environment in-depth. This knowledge helps in planning effective attacks and avoiding detection. By understanding the layout and tools in place on one system, we can infer the setup of other systems, which is critical when planning lateral movement and avoiding defensive measures.

File Pilfering

Upon gaining access to a server, the first thing we should look for is the goal data. Remember, the first question we ask before conducting a penetration test is “what data or process, if lost, stolen, compromised, or destroyed would have the greatest impact on your organization?”

If you have access to a user's system, look at the files in the user's Desktop and Documents folders for passwords. It is all too common for users to store passwords in office documents in their Desktop or Documents directory.

If we gain access to a server, especially a web server, it may contain source code. We can look through that code for passwords and keys and, if time allows, analyze it for security vulnerabilities. Be careful: this is a path that can take a lot of time and, if you aren't disciplined about it, could eat up valuable time in your pen test.

Linux Situational Awareness

Accounts

One of the first things you should do when you access a Linux system is to look at /etc/passwd. It contains all the accounts on the system, and the file is readable by any user. You can use these account names for password guessing on other systems. Also, you may be able to escalate to one of the users on the compromised host.

Groups

Groups are used to provide access to certain items on the system. Look specifically for users in groups like “sudo” and “wheel”. You may find a user in the “root” group, but that would be rare and a likely security issue.

The sudo group allows users to use the sudo command, which effectively makes the user a root account. On some systems, the “wheel” group is used to allow access to the “su” command. Remember that the sudo command requires the current user's password, whereas su requires the target account's password.
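
The account and group review above can be scripted. The following is an added example (not from the original page) that lists login-capable accounts and the members of the root, sudo and wheel groups from /etc/passwd and /etc/group; the two file contents are constructed sample data, and the function and variable names are my own.

```shell
# Added example (not from the original page): enumerate login accounts and
# privileged-group members from /etc/passwd and /etc/group. It also catches
# users whose *primary* GID is a privileged group; they never appear in the
# member list of /etc/group, so a plain grep of the group line misses them.
# The two file contents below are constructed sample data, not from a real host.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:service:/var/svc:/bin/false'

GROUP_SAMPLE='root:x:0:
sudo:x:27:alice
wheel:x:10:
users:x:100:alice,bob'

# Accounts with an interactive login shell (skips nologin/false).
# Usage: login_accounts <passwd-file>
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "$1"
}

# Members of a group: the explicit member list plus users whose primary GID
# is that group. Usage: group_members <group> <passwd-file> <group-file>
group_members() {
    gid=$(awk -F: -v g="$1" '$1==g {print $3}' "$3")
    [ -n "$gid" ] || return 0
    {
        awk -F: -v g="$1" '$1==g && $4!="" {n=split($4,m,","); for (i=1;i<=n;i++) print m[i]}' "$3"
        awk -F: -v gid="$gid" '$4==gid {print $1}' "$2"
    } | sort -u
}

# One line per privileged group named in the text above.
# Usage: report <passwd-file> <group-file>
report() {
    for g in root sudo wheel; do
        members=$(group_members "$g" "$1" "$2" | xargs)
        echo "$g: ${members:-<none>}"
    done
}

demo() {
    p=$(mktemp); g=$(mktemp)
    printf '%s\n' "$PASSWD_SAMPLE" > "$p"
    printf '%s\n' "$GROUP_SAMPLE" > "$g"
    login_accounts "$p"
    report "$p" "$g"
    rm -f "$p" "$g"
}
```

On a live host, point login_accounts and report at the real /etc/passwd and /etc/group instead of the sample files; bob shows up under sudo only through his primary GID, which is the case a grep on the sudo line would miss.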

Interesting Files

We can also look around the system for files containing specific strings (text). The grep command searches text files; with the options below it skips binary files and descends into subdirectories.

grep -Inri passw /etc/* 2>/dev/null

  • I : Ignores binary files, so only text files are searched.

  • n : Displays line numbers.

  • r : Recursively searches through directories, which means it looks through not only the specified directory but also all its subdirectories and their contents.

  • i : Performs the search in a case-insensitive manner.

  • passw : We need to specify the search string, in this case “passw”, which matches both “password” and “passwd”.

  • /etc/ : We specify the starting location and the files to look through (everything) with /etc/*.

  • 2>/dev/null : Redirects error messages (e.g., permission errors) to /dev/null, so they are not shown in the output.

Copying Files

Let's assume that you found an interesting file on the target machine and want to download it to your machine. An easy solution is simply to copy and paste it!

Copy/paste seems so obvious, but many forget about it because it is so simple. If the file to be transferred is a text file, simply display the contents of the file with cat, type, or any text editor; copy; and then paste. It really is that simple!

Copy/paste works great for text files, but won't work with binary files, such as executables. In this case, we need to encode the file into a text format that can be copied and pasted. We can use the base64 command on Linux to accomplish this.

Here we're encoding the file in base64

The text output can then be copied and pasted into the command below to then copy the new encoded file we created.

If the file is large, we may want to compress it before we copy.
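
The encode, paste, decode and compress steps described above, as an added example that is not part of the original page: the file is gzip-compressed, base64-encoded into a single line, decoded on the other side, and a SHA-256 comparison shows whether the paste arrived intact. It assumes GNU coreutils (base64, sha256sum) and gzip; the function names are my own.

```shell
# Added example (not from the original page): move a binary file as pasteable
# text. The file is compressed, base64-encoded into one line, decoded on the
# other side, and a SHA-256 comparison catches a truncated or mangled paste.
# Assumes GNU coreutils (base64, sha256sum) and gzip.

# Compress and encode a file into a single line of base64 text on stdout.
# Usage: encode_for_paste <path>
encode_for_paste() {
    gzip -c -- "$1" | base64 | tr -d '\n'
}

# Decode pasted base64 text from stdin and decompress it into <dest>.
# Usage: decode_from_paste <dest>
decode_from_paste() {
    base64 -d | gzip -dc > "$1"
}

# Compare SHA-256 digests of two files; prints "match" or "MISMATCH".
verify_copy() {
    a=$(sha256sum -- "$1" | cut -d' ' -f1)
    b=$(sha256sum -- "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ] && echo match || echo MISMATCH
}

# Round-trip a constructed 4 KiB random file (not a real target artifact)
# through encode/decode and report whether the copy is byte-identical.
demo_roundtrip() {
    src=$(mktemp); dst=$(mktemp)
    head -c 4096 /dev/urandom > "$src"
    encode_for_paste "$src" | decode_from_paste "$dst"
    result=$(verify_copy "$src" "$dst")
    rm -f "$src" "$dst"
    echo "$result"
}

# Same round trip, but with the pasted text cut short, as happens when a
# terminal scrollback truncates a long line; the checksum exposes it.
demo_truncated() {
    src=$(mktemp); dst=$(mktemp)
    head -c 4096 /dev/urandom > "$src"
    encode_for_paste "$src" | head -c 2000 | decode_from_paste "$dst" 2>/dev/null || true
    result=$(verify_copy "$src" "$dst")
    rm -f "$src" "$dst"
    echo "$result"
}
```

In practice, run sha256sum on the original before encoding and on the decoded copy afterwards; a mismatch means the pasted text was truncated or altered and the transfer should be repeated.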

Windows Situational Awareness

When analyzing a system, we should note the environment variables that are set within the shell we use. Depending on how the shell was created (via an exploit, a remotely launched job, SSH, Telnet, and so on), it may or may not have these variables set. However, if they are set, this information is incredibly useful for understanding the machine in more detail.

To see all environment variables set for the shell, you can simply type: C:\> set

  • To see a specific variable's value, you can run: set [variable_name]

  • Two important environment variables are username and path: set username

  • The path environment variable shows you where the shell searches in the file system to find the commands that you type: set path

Searching the File System

We often need to scour the file system to find a file with a given name. To accomplish this, you can use the dir command, but with some specific syntax.

Suppose you want to search for a file named [file] and see if it exists anywhere in the directory structure underneath [directory], recursively going through that directory and its subdirectories. You could run: dir /b /s [directory]\[file]

It is important to note that there are no spaces between the [directory], the \ and the [file]. It's just one after the other.

  • /b : This option gives a “bare” listing, meaning it only shows the file names and directory names without any extra information like file size, date, or headers.

  • /s : This option is used to search and display the contents of the specified directory and all its subdirectories.

For example, to look for the hosts file inside the system root, use this syntax: dir /b /s %systemroot%\hosts

Managing Windows Accounts and Groups

With the ability to run commands on a computer, we usually want to see a list of users and groups on it. We can also create new accounts and change group memberships, such as the local Administrators group.

  • To get a list of all local users defined on the machine, you can run: net user

  • To see which local groups have been created on the machine, you could use: net localgroup

  • You can see which accounts are members of the local administrators group with: net localgroup administrators

  • You can add a user to the system with this command: net user [logon_name] [password] /add

  • Then, you can add that user to the local administrators group with: net localgroup administrators [logon_name] /add

Domain User

The first command that can give us a surprising amount of information is net user [username] /domain. The output from this command will list the domain groups in which our user is currently enrolled. Not only will the group names give away the employee's work function in the company, but they can also point you to file shares and resources to which your user has access.

Another interesting bit of information is the logon script location. In larger organizations, the logon script location can be many folders deep in the SYSVOL share, which holds a lot of potential for credentials in plaintext files.

Finally, the output from net user can also reveal where user data is backed up. In virtual environments and commonly in larger organizations, we find that the user data folders are backed up to a central file share.

  • List all domain users: net user /domain

  • View info of a single user: net user [username] /domain

Local Groups

Another useful net command is checking local group memberships, such as Administrators or Remote Desktop Users. We can quickly identify high-value domain users and group names in the administrators or RDP user local groups without having to send a query to the domain.

Additionally, our list of target accounts and groups will start to develop here. We can also look for non-default local users or groups in these groups. Often, companies create a gold image to put in all of their virtual machines and physical hosts. These images will have default local accounts set with the same password throughout the domain.

  • To list all local groups : net localgroup

  • To list the members of the local Administrators group: net localgroup administrators

Domain Groups

Similar to local groups, there are groups at the domain level. To get this information, we can use the “net group” command.

  • To get a list of all groups, we can use: net group /domain

  • To get the users in a group, we can specify the group name. For example, to get all the users in the “Domain Admins” group, use this command: net group "Domain Admins" /domain

These commands may fail in some organizations based on filtering and permissions, but it is still useful to attempt these commands.

Determining Firewall Settings

Another important aspect of a Windows system is the built-in Windows host-based firewall. The firewall can be controlled at the command line using the netsh tool. This command can control almost all aspects of Windows networking, including IP addresses, bridging, routing, and so on.

  • To get an overview of its capabilities, you can run: netsh /?

  • To view the complete settings of the firewall, including allowed inbound ports and programs allowed to speak on the network, you could run: netsh advfirewall show allprofiles

Note that the netsh command shows only the settings of the built-in Windows firewall, not other third-party firewalls that may be installed on the system.
