Chapter 24 Exercises: Post-Exploitation and Pivoting

Lab Environment Required: All exercises must be performed in authorized lab environments only. Never perform post-exploitation techniques against systems you do not own or have explicit written authorization to test.

Exercise 1: Situational Awareness Script

Write a Bash script that performs comprehensive situational awareness on a Linux system. The script should collect:

  • System information (hostname, kernel version, distribution, architecture)
  • Network configuration (interfaces, routes, DNS servers, ARP table, active connections)
  • Running processes with full command lines
  • Installed packages (using apt, yum, or dpkg as appropriate)
  • Scheduled tasks (crontab entries for all users, systemd timers)
  • Current user context (username, groups, sudo privileges, environment variables)
  • SUID/SGID binaries
  • Writable directories in the PATH
  • Mounted file systems and disk usage

Format the output in a structured, readable manner suitable for inclusion in a penetration test report. Include section headers, timestamps, and error handling for commands that may not be available on all systems.

Difficulty: Beginner Objectives: Understand post-exploitation information gathering; practice scripting for consistent data collection. Hints: Use conditional checks (which, command -v) to determine which tools are available before running them. Redirect stderr to avoid cluttering output with permission denied errors. Consider saving output to a file with a timestamp-based filename.

Exercise 2: Windows Post-Exploitation Enumeration

Using a Windows VM (such as a Commando VM or YOURVM running Windows 10), perform manual post-exploitation enumeration using only built-in Windows commands (no third-party tools). Document at least 15 different pieces of information you can gather about the system, network, users, and security configuration.

Difficulty: Beginner Objectives: Understand Windows post-exploitation enumeration without relying on automated tools.

Exercise 3: Linux Privilege Escalation Discovery

Set up a Linux VM with intentional privilege escalation vulnerabilities (or use a platform such as TryHackMe's "Linux PrivEsc" room). Identify and exploit at least three different privilege escalation vectors. For each, document the discovery process, the exploitation method, and the defensive remediation.

Difficulty: Intermediate Objectives: Practice privilege escalation discovery and exploitation in a controlled environment.

Exercise 4: SSH Tunneling Lab

Using a three-VM lab setup (Attacker, Pivot, Target), configure all three types of SSH tunneling:

  1. Local port forwarding: Forward a port on the Attacker to a web service on the Target through the Pivot. Verify by accessing the service via localhost on the Attacker.
  2. Remote port forwarding: Forward a port on the Pivot to a listener on the Attacker. Verify by connecting to the forwarded port from the Target.
  3. Dynamic port forwarding (SOCKS proxy): Establish a SOCKS proxy through the Pivot. Configure proxychains and demonstrate accessing multiple services on the Target's network through the single SOCKS tunnel.

For each method, document: the exact SSH command used, how to verify the tunnel is working, what the tunnel looks like from a network monitoring perspective (run tcpdump on the Pivot to observe the traffic), and how to tear down the tunnel cleanly.

Difficulty: Intermediate Objectives: Master SSH tunneling techniques for pivoting. Lab Setup: Three VMs on different network segments -- Attacker (192.168.1.0/24), Pivot (192.168.1.0/24 and 10.0.0.0/24), Target (10.0.0.0/24). Install a web server (Apache or nginx) on the Target to serve as the test service.

Exercise 5: Chisel Pivoting Exercise

Download and compile Chisel for your lab environment. Set up a reverse SOCKS proxy through a compromised host and use it to scan an internal network segment. Compare the experience with SSH dynamic port forwarding in terms of setup complexity, performance, and traffic characteristics.

Difficulty: Intermediate Objectives: Gain practical experience with Chisel for HTTP-based tunneling.

Exercise 6: Ligolo-ng Pivoting Lab

Set up Ligolo-ng in a multi-VM environment. Create a TUN-based tunnel and demonstrate accessing an internal network without proxychains. Run nmap directly against internal targets through the Ligolo-ng tunnel and compare the results with SOCKS-based approaches.

Difficulty: Advanced Objectives: Understand TUN-based pivoting and its advantages over SOCKS proxying.

Exercise 7: Persistence Mechanism Implementation and Detection

In a lab environment, implement three different persistence mechanisms on a Linux system and three on a Windows system. For each mechanism, also document how a defender could detect it using built-in operating system tools or common security tools.

Difficulty: Intermediate Objectives: Understand persistence techniques from both offensive and defensive perspectives.

Exercise 8: Pass-the-Hash Lab

Set up a Windows Active Directory lab with a Domain Controller and at least one member workstation. Perform the following:

  1. Hash extraction: Use Mimikatz (or an equivalent tool) to extract NTLM hashes from the member workstation's LSASS process
  2. Pass-the-Hash with CrackMapExec: Use the extracted hashes to authenticate to the Domain Controller via SMB. Enumerate shares, execute commands, and dump additional credentials
  3. Pass-the-Hash with Impacket: Use Impacket's psexec.py, wmiexec.py, and smbexec.py to achieve remote code execution on the DC using the same hashes. Note the differences in behavior, logging, and detection characteristics between the three tools
  4. Detection analysis: On the Domain Controller, examine Windows Security Event Log entries (4624, 4625, 4672) generated by each tool. Document which events are generated and what distinguishes PtH authentication from legitimate NTLM authentication

Difficulty: Advanced Objectives: Practice credential-based lateral movement in Active Directory environments. Hints: If Credential Guard or RunAsPPL is enabled, LSASS dumping will fail. Disable these protections in the lab for learning purposes, then re-enable them and document their effectiveness as defensive controls.

Exercise 9: Data Exfiltration Detection

Write a Python script that monitors network traffic for common data exfiltration patterns: unusually large DNS queries, periodic beaconing behavior, large outbound data transfers to unusual destinations, and encoded data in HTTP parameters. Test your script against simulated exfiltration in a lab environment.

Difficulty: Intermediate Objectives: Understand data exfiltration detection from the defender's perspective.

Exercise 10: Post-Exploitation Cleanup Procedure

Create a comprehensive cleanup checklist and verification procedure for a penetration test engagement. Include templates for documenting installed persistence, uploaded tools, modified configurations, and created accounts. Then, practice using the checklist by cleaning up after the exercises above.

Difficulty: Beginner Objectives: Develop professional cleanup habits and documentation skills.

Exercise 11: Double Pivot Challenge

Set up a four-VM lab environment with the following network topology:

  • Attacker (192.168.1.10): Can only reach DMZ Host
  • DMZ Host (192.168.1.50, 10.0.1.50): Dual-homed, accessible from Attacker
  • Internal Host (10.0.1.100, 10.0.2.100): Dual-homed, accessible from DMZ Host only
  • Restricted Host (10.0.2.200): Accessible from Internal Host only

Successfully access a web service running on the Restricted Host from the Attacker through two pivot points. Try this challenge using three different approaches:

  1. SSH chained tunnels: Nested SSH tunnels through each hop
  2. Chisel chained tunnels: Chisel reverse SOCKS on each hop
  3. Ligolo-ng multi-agent: Multiple Ligolo-ng agents reporting to the same proxy

For each approach, document the exact commands used on each host, the total setup time, and the perceived latency of the final connection. Identify which approach was most practical and why.

Difficulty: Advanced Objectives: Master multi-hop pivoting through complex network topologies. Hints: For SSH chaining, you can use the -J (ProxyJump) flag in newer SSH versions for cleaner syntax. For Chisel, you will need to chain SOCKS proxies or use the upstream feature. Consider drawing a network diagram before starting.

Exercise 12: Kerberoasting Lab

In your Active Directory lab, create service accounts with SPNs and weak passwords. Perform Kerberoasting using Impacket's GetUserSPNs.py, extract the service tickets, and crack them using Hashcat. Document the attack chain and recommend defensive measures.

Difficulty: Advanced Objectives: Understand Kerberos-based lateral movement in Active Directory environments.

Exercise 13: C2 Framework Exploration

Install Sliver C2 framework in a lab environment. Generate an implant, deploy it on a lab target, and explore the post-exploitation capabilities: file operations, process management, pivoting, and lateral movement. Compare the experience with manual post-exploitation using individual tools.

Difficulty: Advanced Objectives: Gain familiarity with modern C2 frameworks used in professional penetration testing.

Exercise 14: MedSecure Scenario Walkthrough

Using the MedSecure scenario described in this chapter, create a detailed attack narrative document that traces the complete attack path:

  1. Initial access: SQL injection on the patient portal (DMZ web application)
  2. Post-exploitation: Situational awareness on the compromised web server, privilege escalation
  3. Pivoting: Establishing a tunnel from the DMZ to the internal network
  4. Lateral movement: Moving from the web server to internal systems using discovered credentials
  5. Objective achievement: Demonstrating access to patient record database systems

For each phase, include: specific commands and tools used, screenshots or example output, time spent, IOCs generated, and defensive controls that would have detected or prevented the activity. Conclude with a risk-rated findings table and prioritized remediation recommendations.

Difficulty: Intermediate Objectives: Practice constructing comprehensive attack narratives for penetration test reports. Deliverable: A 3-5 page report section suitable for inclusion in a professional penetration test report.

Exercise 15: Netsh Port Forwarding on Windows

Using a Windows lab VM, configure port forwarding using the built-in netsh interface portproxy commands. Forward traffic from the Windows host to an internal service and access it from the attacker machine. Document the commands used and how to verify and remove the forwarding rules.

Difficulty: Beginner Objectives: Understand Windows-native pivoting capabilities that require no additional tools.

Exercise 16: Cloud Lateral Movement Research

Research and document at least five lateral movement techniques specific to cloud environments (AWS, Azure, or GCP). For each technique, describe the prerequisites, the attack procedure, the impact, and the defensive countermeasures. Create a comparison table showing similarities and differences with on-premises lateral movement.

Difficulty: Intermediate Objectives: Understand how post-exploitation and lateral movement differ in cloud environments.

Exercise 17: Golden Ticket and Silver Ticket Lab

In an Active Directory lab, perform the following Kerberos attacks:

Golden Ticket: 1. Obtain Domain Admin access through the techniques practiced in earlier exercises 2. Extract the KRBTGT hash using DCSync (Mimikatz or Impacket's secretsdump) 3. Create a Golden Ticket with Mimikatz (kerberos::golden) or Impacket's ticketer.py 4. Use the Golden Ticket to access any service on any domain-joined system 5. Verify that the ticket works even after changing the impersonated user's password

Silver Ticket: 1. Extract the NTLM hash for a specific service account (e.g., a SQL Server service account) 2. Create a Silver Ticket for that service using Mimikatz or Impacket 3. Demonstrate that the Silver Ticket provides access only to that specific service 4. Compare: which attacks generate Event ID 4769 (TGS requests) on the DC, and which do not?

Document the differences in scope (domain-wide vs. service-specific), persistence duration, detection characteristics (what logs are and are not generated), and defensive countermeasures for each technique.

Difficulty: Advanced Objectives: Understand advanced Kerberos attacks and their detection characteristics. Hints: Golden Tickets never touch the DC during use (the TGT is forged locally), making them extremely difficult to detect. Silver Tickets similarly bypass the DC for TGS generation. The primary defensive countermeasure is rotating the KRBTGT password (twice) for Golden Tickets and the service account password for Silver Tickets.

Exercise 18: Post-Exploitation Report Writing

Based on the exercises completed in this chapter, write a professional penetration test report section covering the post-exploitation and pivoting phase. Include an executive summary, detailed technical findings, evidence (screenshots, command output), risk ratings, and remediation recommendations. Follow the structure used in professional reports.

Difficulty: Intermediate Objectives: Develop professional report writing skills for post-exploitation findings.