Post-Exploitation

After gaining initial access, assess the true impact by exploring what an attacker could achieve: data access, privilege escalation, lateral movement, and persistence.

🎯 Why Post-Exploitation Matters

True Impact Assessment: Initial access is just the beginning - post-exploitation reveals actual business risk
Comprehensive Testing: Clients need to understand full attack chain, not just entry points
Defense Validation: Tests monitoring, detection, and incident response capabilities
Risk Prioritization: Helps stakeholders understand which vulnerabilities are most critical

⚠️ Critical: Always stay within scope. Document everything. Never access real customer data or make permanent changes without explicit authorization.

Post-Exploitation Methodology

Post-exploitation isn't random — follow a structured approach to maximize coverage and demonstrate realistic impact:

  1. Situational Awareness — What access do I have? Map the current user's role, permissions, and session tokens. Identify the application's data model and backend services.
  2. Privilege Escalation — Can I reach admin? Test vertical escalation (user→admin), horizontal escalation (user→other user), and role manipulation via parameter/cookie tampering.
  3. Data Access Assessment — What sensitive data is reachable? Enumerate databases, API endpoints, file storage, and cloud resources accessible from the current context.
  4. Lateral Movement — Can I pivot? Use SSRF, cloud metadata, database links, or internal APIs to reach adjacent systems not directly exposed to the internet.
  5. Persistence Analysis — Could an attacker maintain access? Identify whether session tokens are long-lived, API keys are exposed, service worker registration is possible, or webhooks can be planted.
  6. Evidence & Cleanup — Document everything, then remove all test artifacts, temporary accounts, uploaded files, and injected data.

Data Exfiltration Considerations

Demonstrating data access is critical for conveying business impact. However, handling sensitive data during a pentest requires careful boundaries.

✅ Safe Demonstration

  • Show record count without extracting full data
  • Screenshot column names/table structure
  • Extract only your own test account data
  • Redact PII in screenshots (last 4 digits only)
  • Use SELECT COUNT(*) instead of SELECT *
  • Demonstrate access to the first row with hashed/masked fields
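One way to capture evidence that follows these rules, as an added example that is not part of this site's guides: a small Python helper (standard library only, run against a constructed in-memory SQLite table standing in for a reachable backend) that records the table structure, a row count, and a single first row in which string fields are masked to their last four characters and every other field is replaced by a truncated hash, so raw records never land on the tester's machine.

```python
import hashlib
import sqlite3


def build_sample_db():
    """Constructed sample data (not real customer records) for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_number TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "alice@example.com", "4111111111111111", "123-45-6789"),
        (2, "bob@example.com", "5500000000000004", "987-65-4321"),
    ])
    return conn


def mask_value(value, keep=4):
    """Keep only the last `keep` characters of a string; hash anything else."""
    if value is None:
        return None
    if isinstance(value, str):
        if len(value) <= keep:
            return "*" * len(value)
        return "*" * (len(value) - keep) + value[-keep:]
    # Non-string fields (ids, amounts, timestamps): a truncated SHA-256 digest
    # proves the value was readable without recording it.
    return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()[:12]


def collect_evidence(conn, table):
    """Return structure, COUNT(*), and one masked row; never the raw rows."""
    if not table.isidentifier():
        raise ValueError("table name must be a plain identifier")
    count = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    cur = conn.execute(f'SELECT * FROM "{table}" LIMIT 1')
    columns = [d[0] for d in cur.description]
    first = cur.fetchone()
    sample = {c: mask_value(v) for c, v in zip(columns, first)} if first else {}
    return {"table": table, "columns": columns, "row_count": count, "sample_row": sample}


if __name__ == "__main__":
    print(collect_evidence(build_sample_db(), "customers"))
```

The returned dictionary is what goes into the report; the connection's full result set is never fetched.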

❌ Avoid

  • Downloading complete database dumps
  • Storing real customer PII locally
  • Sending sensitive data through external services
  • Accessing medical, financial, or legal records
  • Retaining evidence beyond report delivery
  • Exfiltrating data not covered in the Rules of Engagement

Danger

Legal & Ethical Boundary: The Rules of Engagement (RoE) define what data you may access. If you discover a breach beyond scope (e.g., another attacker's shell), stop immediately and notify the client through the pre-agreed emergency contact. See Legal & Compliance.

📚 Post-Exploitation Guides

Explore in-depth guides for each post-exploitation technique. Each guide includes tools, techniques, and practical exercises for mastering the skill.

Post-Exploitation Workflow

flowchart TD
    A[Initial Access] --> B[Assess Access Level]
    B --> C[Data Enumeration]
    B --> D[Privilege Escalation]
    B --> E[Lateral Movement]
    C --> F[Sensitive Data]
    D --> G[Higher Privileges]
    E --> H[Additional Systems]
    F --> I[Impact Assessment]
    G --> I
    H --> I
    %% Styling for high contrast in both light/dark modes
    style A fill:#00ff00,stroke:#00ff00,color:#000000,stroke-width:2px
    style I fill:#ff0000,stroke:#ff0000,color:#ffffff,stroke-width:2px

πŸ› οΈ Essential Post-Exploitation Tools

jwt_tool

JWT analysis & manipulation

pip install jwt-tool

BeEF

Browser exploitation framework

git clone beef.git

hashcat

GPU-accelerated password cracker

brew install hashcat

Autorize

Burp authorization testing

Burp BApp Store

Stay Within Scope

Post-exploitation should demonstrate impact without causing harm. Avoid accessing actual customer PII, deleting data, or making permanent changes. Document everything.

✅ Quick Checklist

Ensure you've covered all post-exploitation categories:

Session Attacks
  • ☐ Cookie theft tested
  • ☐ JWT manipulation
  • ☐ Session fixation
  • ☐ OAuth/OIDC tested
Privilege Escalation
  • ☐ Vertical escalation
  • ☐ Horizontal escalation
  • ☐ IDOR testing
  • ☐ Role manipulation
Lateral Movement
  • ☐ SSRF pivoting
  • ☐ Cloud metadata
  • ☐ Database pivoting
  • ☐ Internal API discovery
Cleanup
  • ☐ Test accounts removed
  • ☐ Uploads deleted
  • ☐ Evidence documented
  • ☐ Client notified

Next Steps

With comprehensive evidence of impact, proceed to Reporting to document your findings and provide actionable remediation guidance to the client.