Post-exploitation and pivoting
Post-exploitation is a skill that few testers get to practise regularly, yet on engagements it is a core task, usually squeezed into the limited time left around the main testing. Pivoting depends on knowledge of operating systems and protocols that lets the tester bounce from machine to machine. Both skills help a tester work out the full extent of a vulnerability and so understand and articulate the risk associated with it. It is therefore important to create scenarios in which testers can develop them. This can be done in several ways, as shown in the following list:
- The first example is to provide a method of privilege escalation and make the flag accessible only to an administrative user. Software with privilege escalation vulnerabilities is not hard to find, as such bugs are often ignored because they are not reachable over the network. Meterpreter provides privilege escalation for the uninitiated, and more skilled testers can use bespoke methods. To make it simpler, or possible at all when the shell is limited, also leave admin credentials in saved e-mails or files, together with a legitimate method of authenticating with them. This shows testers that exploitation is not the aim of a test, as some may think; discovering the associated risk is. (If you need an easy sell, taunt anyone resting on their laurels with the age-old phrase: "Got root?")
- A second method is to provide a secondary stage to the scenario that builds on material taken from the compromised device. Applying the cryptographic tools or scenarios detailed later in Chapter 5, Cryptographic Projects, will present extra challenges to even the most skilled testers. Hunting through an operating system for relevant details, keys, or snippets of information that describe the method used, or the method to be used, can be an engaging and educational experience.
- Pivoting, by providing credentials for other devices, certificates, or SSH keys, lets you chain scenarios together into a more realistic whole. Though most clients will be reluctant to allow testers full access to their networks, they will often be curious about the risk an exposed service presents and grant an exemption for these circumstances. The last thing you want is for your tester to balk at the thought.
- The final option encourages the tester to attempt to install their tools on the compromised machine to enable further testing. This is the true meaning of pivoting in a Subvert, Upgrade, Subvert (Su-Su) cycle (this is a joke more entertaining, marginally, for Linux users).
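The following script is an added example, not code from the book, that stages the first and third scenarios above on a Linux target: a flag readable only by root, a leaked admin password in the low-privilege user's mail spool and shell history, a sudoers entry as the legitimate route up, and an SSH key plus client config pointing at a second host to pivot to. The user names (`dev`, `alice`), the password, the flag text, the host `db` at `10.0.0.20`, and the `build_scenario`/`flag_is_private` function names are all assumptions made for the example. Run it as root with no argument to install on the target VM, or as an ordinary user with a staging directory to inspect the tree first.

```shell
#!/bin/sh
# Added example: stage a post-exploitation / pivoting scenario on a Linux box.
# Not from the book; user names, password, flag, and host details are hypothetical.
set -eu

# Lay the scenario out under $1 (default "/"). Passing a staging directory
# lets you review the files before installing them on the real target.
build_scenario() {
    prefix="${1:-/}"
    low_user="dev"             # account the tester lands in after exploitation (assumed)
    admin_user="alice"         # account whose credentials are leaked (assumed)
    admin_pw='Winter2014!'     # constructed, deliberately weak
    flag='flag{privesc_or_it_did_not_happen}'   # constructed

    # 1. The flag: mode 0400 under /root, so a shell as $low_user is not enough.
    mkdir -p "$prefix/root"
    printf '%s\n' "$flag" > "$prefix/root/flag.txt"
    chmod 0400 "$prefix/root/flag.txt"

    # 2. Breadcrumbs: an old mail leaking the admin password, and a shell
    #    history that hints at the su route.
    mkdir -p "$prefix/home/$low_user" "$prefix/var/mail"
    cat > "$prefix/var/mail/$low_user" <<EOF
From $admin_user@lab.local Mon Mar  3 09:12:01 2014
Subject: temp access

Use my account until yours is set up. Password is $admin_pw, change it later.
-- $admin_user
EOF
    chmod 0600 "$prefix/var/mail/$low_user"
    printf 'cat /var/mail/%s\nsu - %s\nexit\n' "$low_user" "$admin_user" \
        > "$prefix/home/$low_user/.bash_history"

    # 3. The legitimate way up: $admin_user may sudo, so su followed by sudo
    #    reaches the flag even if no privesc bug is found.
    mkdir -p "$prefix/etc/sudoers.d"
    printf '%s ALL=(ALL) ALL\n' "$admin_user" > "$prefix/etc/sudoers.d/90-$admin_user"
    chmod 0440 "$prefix/etc/sudoers.d/90-$admin_user"

    # 4. Pivot material: a key and client config for the next host in the chain.
    #    The key is generated only if ssh-keygen is available and none exists yet.
    mkdir -p "$prefix/home/$low_user/.ssh"
    chmod 0700 "$prefix/home/$low_user/.ssh"
    if command -v ssh-keygen >/dev/null 2>&1 && [ ! -f "$prefix/home/$low_user/.ssh/id_ed25519" ]; then
        ssh-keygen -q -t ed25519 -N '' -f "$prefix/home/$low_user/.ssh/id_ed25519"
    fi
    printf 'Host db\n  HostName 10.0.0.20\n  User backup\n  IdentityFile ~/.ssh/id_ed25519\n' \
        > "$prefix/home/$low_user/.ssh/config"

    # Accounts and ownership only make sense on a real install, as root.
    if [ "$(id -u)" -eq 0 ] && [ "$prefix" = "/" ]; then
        id "$low_user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$low_user"
        id "$admin_user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$admin_user"
        printf '%s:%s\n' "$admin_user" "$admin_pw" | chpasswd
        chown -R "$low_user:$low_user" "/home/$low_user" "/var/mail/$low_user"
        chown root:root /root/flag.txt "/etc/sudoers.d/90-$admin_user"
    fi
}

# Sanity check before handing the box over: the flag must be mode 0400.
# (GNU stat first, BSD stat as fallback.)
flag_is_private() {
    prefix="${1:-/}"
    mode=$(stat -c '%a' "$prefix/root/flag.txt" 2>/dev/null \
        || stat -f '%Lp' "$prefix/root/flag.txt")
    [ "$mode" = "400" ]
}

# Usage:
#   build_scenario /tmp/stage && flag_is_private /tmp/stage   # preview as any user
#   build_scenario                                              # install, as root
```

Because the low-privilege user owns the mail spool and history, the tester finds the password by ordinary enumeration rather than by exploiting anything, which is exactly the point of the first bullet: the flag measures whether they reasoned about the risk, not whether they had a working exploit. The SSH config is the hook for the third bullet; the second host referenced by `Host db` is left for you to build.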