Post-Exploitation
Manage active sessions and execute post-exploitation modules
Active Sessions
4 Active| ID | Hostname | IP Address | User | Operating System | Privileges | Status | Uptime | Actions |
|---|---|---|---|---|---|---|---|---|
S001 |
WEB-SERVER-01 | 192.168.1.100 | www-data | Ubuntu 20.04 | User | Active | 2h 34m | |
S002 |
DB-PROD-01 | 192.168.1.150 | administrator | Windows Server 2019 | Admin | Active | 1h 12m | |
S003 |
WORKSTATION-05 | 192.168.1.45 | john.smith | Windows 10 Pro | User | Idle | 45m | |
S004 |
DC-01 | 192.168.1.10 | NT AUTHORITY\SYSTEM | Windows Server 2022 | SYSTEM | Active | 3h 05m |
Session Console
whoami
systeminfo
net user
ipconfig /all
net localgroup administrators
PS C:\Windows\system32> whoami
corp\administrator
PS C:\Windows\system32> systeminfo
Host Name: DB-PROD-01
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization: CORP
Product ID: 00429-00000-00000-AA123
Original Install Date: 1/15/2024, 10:30:42 AM
System Boot Time: 12/13/2025, 8:15:23 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 142 Stepping 10
Domain: corp.local
Logon Server: \\DC-01
Hotfix(s): 3 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 192.168.1.150
PS C:\Windows\system32> net user administrator
User name administrator
Full Name
Comment Built-in account for administering
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 11/10/2025 3:22:15 PM
Password expires Never
Password changeable 11/11/2025 3:22:15 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 12/13/2025 8:45:32 AM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Admins *Domain Users
The command completed successfully.
PS C:\Windows\system32> █
Program Files
Program Files (x86)
Users
Windows
inetpub
database_backup.sql
credentials.txt
startup.bat
Post-Exploitation Modules
Credential Harvesting
Extract credentials from memory and system stores
Privilege Escalation
Attempt to escalate privileges to SYSTEM/root
Lateral Movement
Move laterally to other systems in the network
Persistence
Establish persistent access to the compromised system
Data Exfiltration
Exfiltrate sensitive data from the target system
Keylogging
Capture keystrokes from the active user
Screenshot
Capture screenshots of the active desktop
Token Manipulation
Impersonate other users via access tokens
Activity Log
Command Executed
2 minutes ago
Session S002 (DB-PROD-01):
net user administrator
Credentials Harvested
5 minutes ago
Session S004 (DC-01): Extracted 12 NTLM hashes via Mimikatz
Lateral Movement
8 minutes ago
Session S002: Successfully moved to DB-PROD-01 from WEB-SERVER-01
Session Idle
12 minutes ago
Session S003 (WORKSTATION-05): No activity for 10 minutes
Persistence Established
15 minutes ago
Session S001 (WEB-SERVER-01): Registry run key created at HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Privilege Escalation
18 minutes ago
Session S004 (DC-01): Escalated from administrator to NT AUTHORITY\SYSTEM
Data Exfiltrated
22 minutes ago
Session S002 (DB-PROD-01): database_backup.sql (45.2 MB) uploaded to C2 server
Screenshot Captured
25 minutes ago
Session S003 (WORKSTATION-05): Desktop screenshot saved (1920x1080)
New Session
30 minutes ago
Session S003 established on WORKSTATION-05 (192.168.1.45)
Command Executed
35 minutes ago
Session S002 (DB-PROD-01):
whoami /priv