pwnerguy

pwnerguy

Hacking, learning, repeating,
because the shell never sleeps.

Post-Exploitation Cheat Sheet

February 01, 2026

Introduction

Welcome to the blog’s Post-Exploitation Cheat Sheet! I will be actively updating it through commits as needed.

Post-Exploitation

Linux PrivEsc	Description
`./linpeas.sh`	Linux enumeration binary
`./lse.sh`	Linux enumeration binary
`sudo -l`	List available `sudo` privileges
`sudo -u user /bin/echo pwned`	Run a command with `sudo`
`sudo su -`	Switch to root user (if we have access to `sudo su`)
`sudo su user -`	Switch to a user (if we have access to `sudo su`)
`find / -perm -4000 -ls 2>/dev/null`	Find SUID binaries
`ssh-keygen -f key`	Create a new SSH key
`echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys`	Once key.pub it’s in the system, add the generated public key to the user
`ssh user@10.10.10.10 -i key`	SSH to the server with the generated private key
`chmod 600 id_rsa` `ssh user@10.10.10.10 -i id_rsa`	If you have read acces to the user’s SSH private key, copy it in a file, chmod it and ssh the server
`crontab -l`	Cron jobs of my user
`systemctl list-timers`	Time left to execute each job
`/etc/crontab` `/etc/cron.d` `/var/spool/cron/crontabs/root`	Write access to any of those files will allow us to to add new cron jobs. Also if we can write to a directory called by a cron job, we can write a reverse shell and it will be executed.
`./pspy`	Analyze running cron jobs
`getcap .r & 2>/dev/null`	Capabilities search in the system
https://gtfobins.org/	GTFOBins

Windows PrivEsc	Description
`./winpeas.sh`	Windows enumeration binary
https://lolbas-project.github.io/	LOLBAS