Final step - Post-exploitation

Post-exploitation ✈️ is the last step of the pentester activities. Once we got access to the target, and escalated to administrator, we are trying to maintain and expand our access to other machines.

Pivoting to another victim is called lateral movement πŸ”“.

Common activities πŸ€–

  • πŸšͺ Leave a backdoor (persistence)
  • πŸ™Š Deface the public website
  • πŸ•ΈοΈ Redirect users to a malicious website
  • πŸ’° Stealing data (files, photos, emails, source code...)
  • πŸ”‘ Stealing credentials (authentication tokens, password, keepass)
  • πŸŒ‹ Mess with timestamp/... to complicate forensics
  • 🧹 Cleanup logs
  • ⌨️ installing keyloggers
  • 🧨 Edit software configurations/users permissions
  • 🐲 Reset user passwords to access their account

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.


  • πŸšͺ Create a new administrator
PS > net user <username> <password> /add
PS > net localgroup administrators <username> /add
  • See also VSS


  • πŸšͺ You can give capabilities to a file with setcap
  • SSH key
  • Passive attacks (monitor)
  • Active attacks
  • Meterpreter
  • /.dockerenv (check if we are in a docker)
  • KeePass (see exploitation note too?)
  • Vulnerable security questions (unencrypted, easy to guess, reset passwords)
  • Pass-The-Hash Attack
  • rootkit, bootkit
  • Credential dumping
  • Forensics: clear PowerShell history