// notes/ PrivEsc — Windows
📋

Post-Exploitation Checklist

Loot, persistence, and next-host pivoting after you land root/SYSTEM.

#post-ex#checklist
source · airouboss/oscp-prep-notes-2026 · methodology/checklists/post-exploitation.md

Post-Exploitation Checklist

Stabilize Shell

  • Upgrade to full TTY (Linux):
    bash
    $python3 -c 'import pty;pty.spawn("/bin/bash")'
    $# Ctrl+Z
    $stty raw -echo; fg
    $export TERM=xterm
    $stty rows 40 cols 160
  • If Windows → get proper shell (evil-winrm, RDP, PSExec)
  • Set up persistence (second shell/callback) in case of disconnect

Grab Proof

  • cat /root/proof.txt or type C:\Users\Administrator\Desktop\proof.txt
  • whoami && hostname && ip a (screenshot for report)
  • cat /home/USER/local.txt or type C:\Users\USER\Desktop\local.txt

Local Enumeration

  • whoami /all (Windows) or id (Linux)
  • hostname
  • ipconfig /all or ip a → check for dual-homed / additional NICs
  • arp -a → discover adjacent hosts
  • netstat -ano or ss -tlnp → internal services
  • route print or ip route → other networks?

Credential Harvesting

Windows

  • SAM dump: reg save hklm\sam sam && reg save hklm\system system
  • Mimikatz: sekurlsa::logonpasswords
  • LSASS dump → pypykatz
  • PowerShell history: ConsoleHost_history.txt
  • Browser creds (Chrome/Edge/Firefox)
  • KeePass databases
  • FileZilla/WinSCP saved sessions
  • web.config, Unattend.xml
  • Wifi passwords: netsh wlan show profile name=NETWORK key=clear
  • DPAPI credentials

Linux

  • /etc/shadow → crack hashes
  • SSH keys: /home/*/.ssh/id_rsa
  • Bash history: /home/*/.bash_history
  • Config files: .env, wp-config.php
  • Database credentials
  • .git repos → git log -p

Loot for Pivoting

  • Collect ALL credentials (usernames + passwords + hashes)
  • Test each credential against all known hosts
  • Password reuse: try creds on other machines
  • Found hash? → Pass-the-Hash or crack
  • Found SSH key? → Try on other Linux hosts

Network Pivoting

  • Identify internal networks from ifconfig/ipconfig
  • Set up tunnel (Ligolo-ng, Chisel, SSH)
  • Scan new networks: nmap -sT -Pn INTERNAL-SUBNET/24
  • Look for DCs, file servers, database servers
  • Repeat enumeration on new network

Domain Escalation (if AD)

  • Run BloodHound with new creds
  • Check new paths with owned nodes
  • Kerberoast with new user
  • Check for local admin on other hosts: nxc smb TARGETS -u USER -p PASS
  • DCSync if you have the rights

Cleanup Notes (for report)

  • Document everything accessed
  • Screenshot each step
  • Note timestamps for report