🔓 What is Post Exploitation?
Post exploitation refers to the phase after a system or application has been successfully compromised. It involves exploring, maintaining, and leveraging access to gather further intelligence, expand control, and achieve the attacker’s objectives — all while avoiding detection.
🎯 Key Goals of Post Exploitation
- Privilege escalation
- Credential harvesting
- Data exfiltration
- Persistence mechanisms
- Pivoting to other systems
- Covering tracks
🧩 Phases Explained
1. Enumeration of Environment
Identify OS, users, network configuration, running services, scheduled tasks, and mounted file systems.
```bash
# Linux
uname -a
whoami
ip a
cat /etc/passwd
```

```powershell
# Windows
systeminfo
whoami
ipconfig /all
net user
```
2. Privilege Escalation
Gain higher-level permissions (e.g., root or SYSTEM). Use automated tools like linpeas.sh, winPEAS.exe, or manual enumeration.
- Search for misconfigured SUID binaries (Linux)
- Check unquoted service paths (Windows)
- Look for vulnerable drivers or misconfigured scheduled tasks and cron jobs
3. Credential Harvesting
Extract stored passwords, hashes, or tokens.
```powershell
# Windows: dump the SAM and SYSTEM hives
reg save HKLM\SAM sam
reg save HKLM\SYSTEM system
# Inside mimikatz, dump logon credentials from LSASS memory:
# sekurlsa::logonpasswords
```

```bash
# Linux: view the shadow file if root
cat /etc/shadow
```
4. Persistence
Establish long-term access, often using:
- Startup scripts (.bashrc, .profile)
- New user creation
- Scheduled tasks or cron jobs
- Registry Run keys (Windows)
5. Lateral Movement & Pivoting
Use the compromised system to move deeper into the network (e.g., through SSH agent forwarding, pass-the-hash, or RDP).
- Identify internal IP ranges and services
- Use tools like proxychains, chisel, or Metasploit pivoting
6. Data Exfiltration
Identify and extract valuable data securely and stealthily.
```bash
# Archive and encrypt data
tar czf secrets.tar.gz /home/user/secrets
gpg -c secrets.tar.gz
# Transfer with scp or curl, or exfiltrate over DNS/TCP/HTTP
```
💼 Real-World Example
Scenario: After exploiting a vulnerable CMS plugin, you obtain a reverse shell as www-data on a Linux web server.
- Enumerate the system: `sudo -l` shows that ALL commands can be run as root
- Escalate privilege: `sudo su`
- Harvest credentials: dump the Apache config and find database passwords
- Persistence: create a new cron job as root
- Exfiltrate: send the database dump to a remote VPS via scp
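From the defender's side, every step of that chain except the initial shell leaves a line in auth.log. The following Python is an added example (not part of the original post): it parses sudo's standard syslog format (`<ts> <host> sudo: <user> : TTY=… ; PWD=… ; USER=… ; COMMAND=…`) and flags the behaviours the scenario describes. The log excerpt is constructed, and the `SERVICE_ACCOUNTS` list is an assumed local policy.

```python
import re
# Standard sudo syslog line; the invoking user is padded, fields are " ; "-separated K=V pairs.
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres", "nobody"}  # assumed policy
ROOT_SHELLS = {"su", "sh", "bash", "dash", "zsh"}

def parse_sudo_line(line):
    # Returns a record for a sudo log line, or None for any other line (e.g. sshd).
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "invoker": m["invoker"], "fields": {}, "denied": None}
    for chunk in m["fields"].split(" ; "):
        key, sep, val = chunk.partition("=")
        if sep:
            rec["fields"][key.strip()] = val.strip()
        else:  # free text such as "user NOT in sudoers" precedes the K=V fields on denials
            rec["denied"] = chunk.strip()
    return rec

def classify(rec):
    # Maps one sudo record to the post-exploitation steps it resembles.
    reasons, cmd = [], rec["fields"].get("COMMAND", "")
    prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
    if rec["invoker"] in SERVICE_ACCOUNTS:
        reasons.append("sudo invoked by service account")
    if rec["denied"]:
        reasons.append("sudo denied: " + rec["denied"])
    if cmd == "list":  # how 'sudo -l' appears in the constructed sample
        reasons.append("sudo rights enumeration (sudo -l)")
    if prog in ROOT_SHELLS and rec["fields"].get("USER") == "root":
        reasons.append("root shell spawned via sudo")
    if prog == "crontab" or "/etc/cron" in cmd:
        reasons.append("scheduled-task change (possible persistence)")
    return reasons

def analyze(log_text):
    # Returns the sudo records that trip at least one rule, each tagged with its reasons.
    recs = [r for r in map(parse_sudo_line, log_text.splitlines()) if r]
    for r in recs:
        r["reasons"] = classify(r)
    return [r for r in recs if r["reasons"]]
# Constructed auth.log excerpt mirroring the www-data scenario above.
SAMPLE_LOG = """\
Jun 12 10:15:01 web01 sudo: www-data : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=list
Jun 12 10:15:09 web01 sudo: www-data : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/su
Jun 12 10:16:40 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/crontab -e
Jun 12 10:17:02 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 12 10:18:00 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""
```

Running `analyze(SAMPLE_LOG)` yields four alerts, the first two for www-data; a web service account invoking sudo at all is the highest-signal rule here, regardless of what it runs.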
🧠 Pro Tips for Post Exploitation
- Stay stealthy: avoid logs and alerts
- Use in-memory tools or living-off-the-land binaries (LOLBins)
- Document everything for your report
- Always respect client scope and privacy