The Post-Exploitation Checklist
In a real-world engagement, getting a root shell is temporary. The system might reboot, or the admin might kill your process. You need Persistence.
1. Maintaining Access (Persistence)
- The SSH Backdoor: Adding an attacker's public key to `/root/.ssh/authorized_keys` allows for passwordless, permanent remote access.
- The Cron Persistence: Scheduling a hidden task to send a reverse shell every minute ensures that even if you lose your connection, the system "calls" you back automatically.
2. Credential Harvesting & Shadow Cracking
Once you have root, you own the identity store.
- The Shadow File: Accessing `/etc/shadow` allows an attacker to dump password hashes for offline cracking using tools like John the Ripper or Hashcat.
- The History Leak: Always check `~/.bash_history`. Users often accidentally type passwords directly into the command line (e.g., `mysql -u root -p'password123'`).
3. Lateral Movement (Pivoting)
Root on one machine is often the key to the next.
- SSH Key Hunting: Searching for `id_rsa` files. These private keys are often used to automate logins between servers. If you find a key on the web server, it might grant you access to the database or backup server without a single exploit.
- Credential Reuse: Using harvested passwords to try to log into other machines on the same network.
Advanced Concept: Process Hijacking
I analyzed a scenario where a root-owned service runs a script in a world-writable directory (e.g., /opt/app.py with 777 permissions).
- The Attack: Overwrite the script with a payload.
- The Result: The system continues to execute your malicious code with root privileges in a continuous loop. It's stealthy and highly effective.
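From the defender's side, the precondition for this hijack is simply a script (or its parent directory) that a root service executes but an unprivileged user can write. The following audit is an added example, not code from the post; the directory names and files it builds are a constructed fixture standing in for a real `/opt`, and it also catches the less obvious case where the file mode is sane but the directory is world-writable without the sticky bit.

```python
import os
import stat
import tempfile

# Each finding is (path, reason). Two conditions let an unprivileged user swap
# the script a root service runs: the file is world-writable, or its parent
# directory is world-writable without the sticky bit (then the file can be
# deleted and recreated even if its own mode is 644).
def audit_file(path):
    findings = []
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append((path, "file is world-writable (%s)" % oct(mode)))
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.lstat(parent).st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append((path, "parent dir is world-writable without sticky bit (%s)" % oct(pmode)))
    return findings

def audit_tree(root):
    """Walk a directory (e.g. /opt) and collect findings for every regular file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                findings.extend(audit_file(path))
    return findings

def build_fixture():
    """Constructed sample tree (not a real host) mirroring the scenario above."""
    base = tempfile.mkdtemp(prefix="hijack-audit-")
    opt = os.path.join(base, "opt")        # sane directory, one sloppy file
    shared = os.path.join(base, "shared")  # sloppy directory, sane file
    for d, mode in ((opt, 0o755), (shared, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)                  # chmod explicitly: mkdir honours umask
    for rel, mode in (("opt/app.py", 0o777),      # the 777 script from the post
                      ("opt/ok.py", 0o755),       # properly locked down
                      ("shared/job.py", 0o644)):  # file fine, directory is not
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder script\n")
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    for path, reason in audit_tree(build_fixture()):
        print("%-40s %s" % (path, reason))
```

Pointing `audit_tree` at the directories your cron jobs and systemd units actually reference, rather than at the fixture, turns this into a recurring check whose output should normally be empty.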
Follow my journey: #1HourADayJourney