
Post-Exploitation

Overview

Techniques for enumerating and escalating privileges on systems after initial access has been gained. Organized by operating system, with dedicated subfolders for specific attack techniques.

Subdirectories

Directory    Description
linux/       Linux enumeration, privilege escalation, and RCE techniques
windows/     Windows enumeration and credential hunting

Linux

The linux/ folder covers the full post-exploitation workflow on Linux systems, from initial enumeration through to privilege escalation and remote code execution.

Directory                 Description
linux/                    System enumeration checklist: users, SUID, cron, credentials, network
linux/ssh-brute-force/    Gaining SSH access via credential brute-forcing with Hydra
linux/suid-path-hijack/   Privilege escalation via SUID binaries calling commands without absolute paths
linux/rce/                RCE via Redis, Ghostscript, and LESSOPEN environment variable injection

Typical Linux Workflow

1. Gain access (SSH brute force, service exploit, web shell)
2. Enumerate (system info, users, sudo, SUID, cron, writable files)
3. Identify escalation path (misconfigured SUID, writable cron script, vulnerable service)
4. Escalate to root (PATH hijack, cron overwrite, LESSOPEN injection)

Windows

The windows/ folder covers enumeration of Windows systems from an existing shell, including user and group discovery, registry credential hunting, and basic user management.

Directory    Description
windows/     System info, user/group enumeration, credential hunting via registry

Typical Windows Workflow

1. Gain access (RDP, reverse shell, credential reuse)
2. Enumerate (computer name, OS version, users, groups, SIDs)
3. Hunt for credentials (cmdkey, registry password search)
4. Escalate (add user to Administrators, abuse stored credentials)

References