Post-exploit check

/root: hostname && whoami && cat proof.txt && /sbin/ifconfig ; w ; uname -a ; id ; pwd

  • Any database contents (e.g. mysql -uroot -pzaq1xsw2cde3 -e 'show databases;')

Linux - root user

* May reset any user's password and then RDP / SSH in

Password hashes: cat /etc/shadow

User folders: ls -lahR /home/ (look for ".*_history" files, ".ssh" or ".gpg"); check /etc/passwd to see whether any users have home folders at other paths
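
The home-folder check above, as an added example (not part of the original notes): a shell function that reads a passwd file, marks interactive accounts whose home directory is outside /home, and lists the history, .ssh and GnuPG entries present in each home so they can be reviewed and locked down. The name audit_homes and its optional root-prefix argument are assumptions made for this example; .gnupg is checked alongside the page's ".gpg" because it is GnuPG's default directory name.

```shell
#!/bin/sh
# Added example, not from the original notes. audit_homes is a hypothetical helper.
# Usage: audit_homes [passwd_file] [root_prefix]
#   passwd_file  defaults to /etc/passwd
#   root_prefix  prepended to every home path (e.g. a mounted disk image); default empty
# Output: one tab-separated line per finding: user, standard|nonstandard, home, entry
audit_homes() {
    passwd_file=${1:-/etc/passwd}
    root=${2:-}
    # passwd fields: name:password:uid:gid:gecos:home:shell
    while IFS=: read -r name _ _ _ _ home shell; do
        [ -n "$home" ] || continue
        case $shell in
            */nologin|*/false) continue ;;   # skip accounts that cannot log in
        esac
        case $home in
            /home/*) where=standard ;;
            *)       where=nonstandard ;;    # would be missed by ls -lahR /home/
        esac
        [ -d "$root$home" ] || continue
        # An unmatched glob stays literal and is dropped by the -e test below.
        for f in "$root$home"/.*_history "$root$home"/.ssh \
                 "$root$home"/.gpg "$root$home"/.gnupg; do
            [ -e "$f" ] || continue
            printf '%s\t%s\t%s\t%s\n' "$name" "$where" "$home" "${f##*/}"
        done
    done < "$passwd_file"
}
```

Run as root, audit_homes with no arguments covers every account on the local system; lines marked nonstandard are the homes a listing of /home/ alone does not reach.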

Network connections: netstat -antup (running it with high privileges may show more)

GUI: pidof X (anything saved in a web browser, e.g. history, saved passwords, homepage; any 'recently opened' apps/files)

History as root: cat ~/.bash_history

Windows - admin / system

HKLM Hash
