Lesson 7 of 8

Post-Exploitation and Privilege Escalation


What Post-Exploitation Is

Post-exploitation is the phase that follows gaining initial access, and its goal is to answer a critical question: how far could an attacker go from here? An initial low-privilege access may seem minor, but if from it you can escalate to administrator, pivot to other systems, or access sensitive data, the real impact is much greater. Post-exploitation measures that impact.

This phase is always carried out within scope and responsibly. The goal is to demonstrate the potential reach of the compromise, not to cause harm or maintain indefinite access. Each action is documented and, when appropriate, reverted. In this course we treat post-exploitation conceptually: understanding the principles is more valuable in the long run than memorizing specific commands.

Understanding post-exploitation also helps with defense. Knowing how an attacker would escalate privileges or move laterally lets the client design defense in depth that stops the adversary even after an initial compromise.

Local Reconnaissance

After gaining access to a system, the first step is to understand where you are. Local reconnaissance consists of identifying the current user and their privileges, the operating system and its version, the running processes, the network connections, the system users, and the scheduled tasks. This internal map reveals both escalation opportunities and routes toward other systems.

On Linux, this involves reviewing who you are, which groups you belong to, which binaries with special permissions exist, and how the system is configured. On Windows, you examine account privileges, services, policies, and configurations. Enumeration tools like LinPEAS and WinPEAS automate much of this reconnaissance, pointing out potential escalation vectors in a structured way.

Local reconnaissance is the foundation of everything that follows. Without understanding the context of the compromised system, any escalation or movement attempt is blind. Take the time to map the environment before acting.

Privilege Escalation on Linux

Privilege escalation seeks to move from a user with limited permissions to one with full control, typically root. On Linux, common vectors include sudo misconfigurations that allow running privileged commands, binaries with a misconfigured SUID bit, cron jobs that run with elevated privileges and are modifiable, and kernel versions with known vulnerabilities.

The GTFOBins project is a key resource: it catalogs how legitimate system binaries can be abused to escalate privileges when misconfigured. For example, certain editors or interpreters, if they can be run via sudo, allow obtaining a privileged shell. Understanding these patterns helps both to demonstrate them in a test and to recommend the specific configuration changes that close them.

Defense against escalation on Linux comes down to the principle of least privilege: restrict sudo strictly, audit SUID binaries, secure cron jobs, and keep the kernel patched. As a pentester, you document the vector found and recommend the specific mitigation.
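The three Linux controls named above (restrict sudo, audit SUID binaries, secure cron jobs) can be checked mechanically. The following script is an added example, not part of the course or of any tool it mentions: it lints sudoers rules for grants that break least privilege and compares a SUID listing against a baseline. The SHELL_CAPABLE set, the SUID_ALLOWLIST, the regular expression and the sample data are all constructed for the example; a real audit would build the allowlist from a golden image of the same distribution.

```python
"""Sudoers and SUID audit: an added, illustrative example, not code from the course.

Assumed input formats: sudoers text in the usual
`user host=(runas) [NOPASSWD:] cmd, cmd` form, and SUID binaries as a list of
paths (the kind of listing `find / -perm -4000 -type f` produces). The
SHELL_CAPABLE set, the allowlist and the sample data are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Editors and interpreters that hand the caller a privileged shell when run under
# sudo, the pattern GTFOBins catalogues. Constructed subset for illustration.
SHELL_CAPABLE = {"vi", "vim", "nano", "less", "more", "python3", "perl", "bash", "sh"}

# SUID binaries a baseline install is expected to carry. Constructed allowlist; a
# real audit derives it from a golden image of the same distribution and release.
SUID_ALLOWLIST = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su",
                  "/usr/bin/mount", "/usr/bin/umount"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    source: str   # "sudoers" or "suid"
    subject: str  # the offending rule or path
    reason: str


def audit_sudoers(text: str) -> list[Finding]:
    """Flag sudoers rules that break least privilege for non-root users."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            findings.append(Finding("sudoers", line, "unparsed rule; review manually"))
            continue
        if m.group("user") == "root":
            continue  # root's own grant is not an escalation path
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            reasons = []
            if cmd == "ALL":
                reasons.append("grants ALL commands")
            else:
                base = cmd.split()[0].rsplit("/", 1)[-1]
                if base in SHELL_CAPABLE:
                    reasons.append(f"{base} can spawn a privileged shell")
                if "*" in cmd:
                    reasons.append("wildcard in command arguments")
            if reasons and nopasswd:
                reasons.append("no password required")
            if reasons:
                findings.append(Finding("sudoers", line, "; ".join(reasons)))
    return findings


def audit_suid(paths: list[str]) -> list[Finding]:
    """Report SUID binaries outside the expected baseline."""
    return [Finding("suid", p, "SUID binary not in baseline allowlist")
            for p in paths if p not in SUID_ALLOWLIST]


# Constructed sample data standing in for /etc/sudoers and a find(1) listing.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup ALL=(root) NOPASSWD: /usr/bin/vim /etc/backup.conf
www-data ALL=(root) /usr/bin/cat /var/log/app/*
"""
SAMPLE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd",
               "/usr/local/bin/backup-helper", "/usr/bin/find"]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS) + audit_suid(SAMPLE_SUID):
        print(f"[{f.source}] {f.subject}: {f.reason}")
```

Run against the sample data it reports the blanket ALL grant, the sudo-able editor that runs without a password, the wildcard argument, and the two SUID binaries missing from the baseline; the tightly scoped `systemctl restart app` rule passes, which is the shape a least-privilege sudoers entry should have.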

Privilege Escalation on Windows

On Windows, escalation vectors include services with weak permissions that allow replacing their executable, unquoted service paths that can be hijacked, misassigned token privileges, credentials stored in plaintext or in the registry, and misconfigured group policies. The Windows ecosystem has its own set of common misconfigurations.

Tools like WinPEAS and manual enumeration techniques identify these vectors. In Active Directory domain environments, escalation is often combined with lateral movement: compromising a service account or abusing delegations can open a path toward the domain controller. BloodHound is a tool that maps relationships in Active Directory to visualize attack paths toward high privileges.

As on Linux, knowledge of these vectors is bidirectional: it lets you demonstrate the risk in an engagement and, above all, recommend hardening configurations, rotating credentials, and applying the principle of least privilege across the entire domain.
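The Windows service misconfigurations listed above (an unquoted service path with spaces, a privileged service whose binary sits in a user-writable directory) are equally checkable from the defender's side. This script is an added example, not course code or any named tool's output: it audits service records given as (name, ImagePath, account) tuples, the kind of data an administrator exports from the service control manager or the registry. The USER_WRITABLE_PREFIXES heuristic, the account set and the sample records are constructed; a real audit would read the actual ACL of each path rather than matching prefixes.

```python
"""Windows service configuration audit: an added, illustrative example, not
course code. Input: (service name, ImagePath, logon account) tuples. The
writable-location heuristic, the account set and the records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directory prefixes that standard users can typically write to. Constructed
# heuristic; a real audit checks the actual ACL of each path instead.
USER_WRITABLE_PREFIXES = (r"c:\users\public", r"c:\temp", r"c:\programdata\temp")

# Accounts whose services run with full system privileges (constructed subset).
PRIVILEGED_ACCOUNTS = {"localsystem", r"nt authority\system"}


@dataclass
class ServiceFinding:
    service: str
    reason: str


def executable_part(image_path: str) -> tuple[str, bool]:
    """Return (executable path, was_quoted) from an ImagePath value."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return (path[1:end] if end > 0 else path[1:]), True
    # Unquoted: Windows resolves the binary by trying each space-delimited prefix,
    # so treat the text up to the first '.exe' as the intended executable.
    m = re.match(r"(.+?\.exe)", path, re.IGNORECASE)
    return (m.group(1) if m else path.split()[0]), False


def audit_services(records) -> list[ServiceFinding]:
    """Flag unquoted paths with spaces and privileged binaries in writable dirs."""
    findings: list[ServiceFinding] = []
    for name, image_path, account in records:
        exe, quoted = executable_part(image_path)
        if not quoted and " " in exe:
            findings.append(ServiceFinding(
                name, f"unquoted service path with spaces: {exe}"))
        if exe.lower().startswith(USER_WRITABLE_PREFIXES) \
                and account.lower() in PRIVILEGED_ACCOUNTS:
            findings.append(ServiceFinding(
                name, f"privileged service binary in user-writable location: {exe}"))
    return findings


# Constructed sample records (name, ImagePath, account).
SAMPLE_SERVICES = [
    ("GoodVendorSvc", r'"C:\Program Files\Good Vendor\good.exe" -service', "LocalSystem"),
    ("netsvcs", r"C:\Windows\system32\svchost.exe -k netsvcs", "LocalSystem"),
    ("AcmeAgent", r"C:\Program Files\Acme Agent\agent.exe", "LocalSystem"),
    ("ToolUpdater", r"C:\Users\Public\Tools\updater.exe", r"NT AUTHORITY\SYSTEM"),
    ("AppWorker", r"C:\Users\Public\Tools\worker.exe", r"NT SERVICE\AppWorker"),
]

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES):
        print(f"{f.service}: {f.reason}")
```

The quoted vendor service and the system32 service pass; AcmeAgent is reported for its unquoted path and ToolUpdater for running as SYSTEM from a public directory, while AppWorker in the same directory is not reported because its virtual service account carries no elevated privilege. The remediation in each case is the one the lesson recommends: quote the path, move the binary to a protected location, or drop the account's privilege.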

Persistence and Lateral Movement

Persistence is the ability to maintain access to a system over time, even after reboots. In a real engagement, an attacker would seek it; an ethical pentester demonstrates it in a controlled and reversible way, removing any mechanism at the end. The value of demonstrating persistence is showing the client how difficult it would be to evict a real intruder.

Lateral movement is the displacement from a compromised system toward others within the network, expanding the reach of the compromise. It usually relies on reused credentials, trust relationships between systems, or internally accessible services that were not accessible from outside. Conceptually, it demonstrates how a single entry point can compromise an entire poorly segmented network.

Both persistence and lateral movement are treated here at a conceptual level and always within the authorized scope. The educational goal is to understand the risk in order to defend against it: network segmentation, monitoring of anomalous behavior, credential rotation, and detection of known techniques are the countermeasures you would recommend.
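The "detection of known techniques" and "monitoring of anomalous behavior" countermeasures above can be illustrated with two simple detections over authentication events. The following is an added example, not course code: it flags one account reaching many distinct hosts in a short window (the fan-out that credential reuse across a flat network produces) and a service account logging on from a host outside its baseline. The event tuples, the EXPECTED_SOURCES baseline, the window and the threshold are all constructed assumptions; in practice the events would come from Windows network logon records or Linux auth logs collected in a SIEM.

```python
"""Lateral-movement detections over authentication events: an added, illustrative
example, not course code. Events are (timestamp, account, source host,
destination host). The events, baseline, window and threshold are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, source host, destination host).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:10", "alice", "WS-ALICE", "FS01"),
    ("2024-05-01T09:20:00", "alice", "WS-ALICE", "FS01"),
    ("2024-05-01T09:25:00", "alice", "WS-ALICE", "MAIL01"),
    ("2024-05-01T13:05:00", "svc-backup", "WS-ALICE", "FS01"),
    ("2024-05-01T13:05:30", "svc-backup", "WS-ALICE", "FS02"),
    ("2024-05-01T13:06:10", "svc-backup", "WS-ALICE", "SQL01"),
    ("2024-05-01T13:06:45", "svc-backup", "WS-ALICE", "DC01"),
    ("2024-05-01T22:00:00", "svc-backup", "BACKUP01", "FS01"),
    ("2024-05-01T14:00:00", "bob", "WS-BOB", "FS01"),
]

# Where each service account is expected to authenticate from (constructed baseline).
EXPECTED_SOURCES = {"svc-backup": {"BACKUP01"}}


def detect_fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Alert once per account that reaches `threshold` distinct hosts within `window`."""
    by_account = defaultdict(list)
    for ts, account, src, dst in events:
        by_account[account].append((datetime.fromisoformat(ts), src, dst))
    alerts = []
    for account, rows in by_account.items():
        rows.sort()  # chronological order so each window starts at a real event
        for i, (start, _, _) in enumerate(rows):
            hosts = {dst for ts, _, dst in rows[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts.append((account,
                               f"reached {len(hosts)} hosts within {window}: {sorted(hosts)}"))
                break
    return alerts


def detect_unexpected_source(events):
    """Alert when a baselined service account authenticates from an unexpected host."""
    alerts = []
    seen = set()
    for ts, account, src, dst in events:
        expected = EXPECTED_SOURCES.get(account)
        if expected is not None and src not in expected and (account, src) not in seen:
            seen.add((account, src))
            alerts.append((account,
                           f"logon from unexpected source {src} (expected {sorted(expected)})"))
    return alerts


if __name__ == "__main__":
    for account, detail in detect_fan_out(SAMPLE_EVENTS) + detect_unexpected_source(SAMPLE_EVENTS):
        print(f"ALERT {account}: {detail}")
```

On the sample data alice's ordinary activity stays below the threshold, while svc-backup triggers both detections: four hosts in under two minutes, and a logon from a user workstation rather than the backup server. Either signal alone is a reason to look at that account; together they are the pattern of a reused service credential being walked across the network, which is exactly what segmentation and credential rotation are meant to limit.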

Cleanup and Documentation

An inescapable responsibility of the ethical pentester is to leave systems as they were found. Any tool uploaded, account created, configuration modified, or persistence mechanism installed must be removed at the end. Keeping a precise record of every change made during post-exploitation makes cleanup complete and verifiable.

The documentation of this phase is especially valuable for the report: it shows the client the complete compromise chain, from initial access to full control or access to critical data. That impact narrative — "with this minor vulnerability, an attacker could reach here" — is often what motivates the organization to invest in security. Document rigorously and communicate clearly.