// notes/ PrivEsc — Windows
📋
Post-Exploitation Checklist
Loot, persistence, and next-host pivoting after you land root/SYSTEM.
#post-ex#checklist
source · airouboss/oscp-prep-notes-2026 · methodology/checklists/post-exploitation.md ↗Post-Exploitation Checklist
Stabilize Shell
- Upgrade to full TTY (Linux):
bash$python3 -c 'import pty;pty.spawn("/bin/bash")'$# Ctrl+Z$stty raw -echo; fg$export TERM=xterm$stty rows 40 cols 160
- If Windows → get proper shell (evil-winrm, RDP, PSExec)
- Set up persistence (second shell/callback) in case of disconnect
Grab Proof
-
cat /root/proof.txtortype C:\Users\Administrator\Desktop\proof.txt -
whoami && hostname && ip a(screenshot for report) -
cat /home/USER/local.txtortype C:\Users\USER\Desktop\local.txt
Local Enumeration
-
whoami /all(Windows) orid(Linux) -
hostname -
ipconfig /allorip a→ check for dual-homed / additional NICs -
arp -a→ discover adjacent hosts -
netstat -anoorss -tlnp→ internal services -
route printorip route→ other networks?
Credential Harvesting
Windows
- SAM dump:
reg save hklm\sam sam && reg save hklm\system system - Mimikatz:
sekurlsa::logonpasswords - LSASS dump → pypykatz
- PowerShell history:
ConsoleHost_history.txt - Browser creds (Chrome/Edge/Firefox)
- KeePass databases
- FileZilla/WinSCP saved sessions
-
web.config,Unattend.xml - Wifi passwords:
netsh wlan show profile name=NETWORK key=clear - DPAPI credentials
Linux
-
/etc/shadow→ crack hashes - SSH keys:
/home/*/.ssh/id_rsa - Bash history:
/home/*/.bash_history - Config files:
.env,wp-config.php - Database credentials
-
.gitrepos →git log -p
Loot for Pivoting
- Collect ALL credentials (usernames + passwords + hashes)
- Test each credential against all known hosts
- Password reuse: try creds on other machines
- Found hash? → Pass-the-Hash or crack
- Found SSH key? → Try on other Linux hosts
Network Pivoting
- Identify internal networks from
ifconfig/ipconfig - Set up tunnel (Ligolo-ng, Chisel, SSH)
- Scan new networks:
nmap -sT -Pn INTERNAL-SUBNET/24 - Look for DCs, file servers, database servers
- Repeat enumeration on new network
Domain Escalation (if AD)
- Run BloodHound with new creds
- Check new paths with owned nodes
- Kerberoast with new user
- Check for local admin on other hosts:
nxc smb TARGETS -u USER -p PASS - DCSync if you have the rights
Cleanup Notes (for report)
- Document everything accessed
- Screenshot each step
- Note timestamps for report