2 Post Exploitation
AlessandroZ edited this page 2018-11-16 17:25:34 +01:00

Post exploitation modules

Some post-exploitation modules were developed specifically for pupy; others wrap external GitHub projects written in Python.

Shells

Depending on the system and context, you should launch system commands using one of the following modules:

  • pyshell: python shell (mainly used for debug)
  • pyexec: run python commands - ex: pyexec -c "import platform;print platform.uname()".
  • shell_exec: simple popen call
  • pexec: simple popen call executed on a thread (slower but safer)
  • interactive_shell: interactive shell. A modified version of winpty is used on Windows.

Privilege escalation

  • Beroot: find ways to elevate privileges from user to admin (Windows/Linux); check its GitHub repository for more information.
  • privesc_checker: find well-known vulnerabilities on systems that are not up to date (Windows/Linux). linux-exploit-suggester is used on Linux and windows-exploit-suggester on Windows.
  • sudo_alias: basic sudo alias (Linux).
  • bypassuac: bypass UAC when possible; admin privileges required (Windows). Check the WinPwnage GitHub repository for more information.
  • getsystem: once UAC is bypassed, get SYSTEM privileges (Windows).

Credentials

  • Lazagne: retrieve many of the passwords stored on the system (Windows/Linux); check its GitHub repository for more information.
  • creddump: retrieve system hashes (Windows/Linux).
  • hashmon: crawl process memory to find system passwords (Linux).
  • loot_memory: crawl process memory for browser passwords.

Credentials found are stored in the local database and can be listed with the creds command:

>> creds

Pivoting

  • forward: use this module for port forwarding and SOCKS proxying.
  • ssh: execute system commands on a remote SSH server.
  • sshell: get a full interactive session through a remote SSH server.
  • psexec: launch remote commands using the SMB or WMI protocols.
  • smb: copy files via the SMB protocol.
  • smbspider: search the available remote shares and grep for sensitive files or words.