Monday, March 14, 2011

You're in, now what?

Let's not make any assumptions regarding how you spawned a shell. Just that you did...
In this case, I have a reverse Netcat shell.

This blog wasn't created with the idea of teaching you how to get a shell or command prompt on a system, but rather what to do with a shell once you have one.

I will, however, assume that you were sneaky in doing so. You were careful to be stealthy about your business.

So, don't start getting sloppy now.

Look both ways before proceeding ;)

So, as the title states, "You're in, now what?"

Me, I might be concerned with who else might be logged in to the box at the same time I am.

So, I have a Windows system running a Netcat listener (google it) with a reverse connection from a Linux system:

Linux Reverse Shell:
First, let's determine my current context.

Root? Nice..

Now let's figure out who else is logged in to the box.

The first is simple.

(I like this one)

I can see that my reverse Netcat session shows as a root (tty1) session. And I can see that root is logged in locally.

"Be wary wary quiet..."

Another way,

>who -a

(Full of juicy info)

Or you could try this,

(limited results)
Attack of the roots!

And last, but not least (haha, get it, last?)


Wow. I even get some addressing info. Even frequency of use.

Last looks through /var/log/wtmp and displays a log of the last users logged on, including those currently logged on.
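
What last is reading, seen from the defender's side: the following is an added example, not from the original post, that parses wtmp-format records and lists the sessions still open along with the source address the log keeps for each. It assumes the Linux glibc struct utmp layout; the function names and the sample records are constructed for illustration.

```python
import socket
import struct

# glibc struct utmp on Linux: 384 bytes per record, the layout of /var/log/wtmp.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values from <utmp.h>

def _text(raw):  # decode a NUL-padded fixed-width field
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def _addr(raw):
    """ut_addr_v6: IPv4 uses the first 4 bytes only; all-zero means local."""
    if any(raw[4:]):
        return socket.inet_ntop(socket.AF_INET6, raw)
    return socket.inet_ntoa(raw[:4]) if any(raw) else ""

def parse_wtmp(blob):
    """Yield one dict per complete record; a truncated tail is skipped."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        t, pid, line, _id, user, host, _e1, _e2, _sess, sec, _usec, addr = \
            UTMP.unpack_from(blob, off)
        yield {"type": t, "pid": pid, "line": _text(line), "user": _text(user),
               "host": _text(host), "time": sec, "addr": _addr(addr)}

def open_sessions(records):
    """Logins with no later logout on the same line and no reboot since."""
    live = {}
    for r in records:
        if r["type"] == USER_PROCESS:
            live[r["line"]] = r
        elif r["type"] == DEAD_PROCESS:
            live.pop(r["line"], None)
        elif r["type"] == BOOT_TIME:
            live.clear()
    return sorted(live.values(), key=lambda r: r["time"])

def make_record(ut_type, pid, line, user, sec, ip=""):
    """Build one constructed record for the sample below."""
    addr = socket.inet_aton(ip) + bytes(12) if ip else bytes(16)
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     ip.encode(), 0, 0, 0, sec, 0, addr)

# Constructed sample (documentation addresses) with a truncated trailing record.
SAMPLE = b"".join([
    make_record(USER_PROCESS, 900, "tty1", "root", 1300000000),
    make_record(USER_PROCESS, 1200, "pts/0", "alice", 1300000100, "192.0.2.10"),
    make_record(DEAD_PROCESS, 1200, "pts/0", "", 1300000500),
    make_record(USER_PROCESS, 1300, "pts/1", "bob", 1300000600, "198.51.100.7"),
]) + bytes(10)
```

Calling open_sessions(parse_wtmp(SAMPLE)) returns the root session on tty1 and bob's session on pts/1; alice's session is closed by the later logout record on the same line.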

Windows Reverse Shell:


Shows both console and RDP sessions.

**If this had been an RDP connection, you would see rdp-tcp instead of console.
So, Geek is currently logged into the local console.
How hard was that? It wasn't.
More next time.