CheckList

Little checklist for myself while tackling the boxes, in case I miss out something -_- It's not organised, I am just roughly putting all my thoughts here and will update it from time to time

General

  • Always, I say always, check default credentials for every single service you come across that has authentication, and also don't forget to try common credentials like admin:admin (will save you a lot of time, trust me)

  • Gained a foothold through a web-based vulnerability? DON'T forget to check the web root directory where that web site is running; you will likely get configs and juicy information that will help you to privesc

  • Found a password, but it's still not working? Make sure it's not encoded or hashed

  • Providing a payload through the URL or in POST data? DON'T forget to try both with URL encoding and without encoding. Here is the site I use to encode URLs along with payload data: https://meyerweb.com/eric/tools/dencoder/ as Burp Suite is not working for me :(
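As an added example (my own code, not the author's checklist or any tool it mentions), a small Python helper covering the two points above: `classify_secret` flags a recovered string that is actually a crypt(3) hash, a hex digest, base64 or URL-encoded text rather than a plaintext password, and `encoding_variants` shows the raw, percent-encoded and form-encoded forms of the same data so each one can be tried. The prefix table and digest lengths are a hand-picked subset, not a complete list, and every sample value is constructed.

```python
import base64
import binascii
import re
from urllib.parse import quote, quote_plus, unquote

# Prefixes of crypt(3)-style password hashes as found in /etc/shadow and many
# application databases (hand-picked subset, not exhaustive).
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

# Lengths (in hex characters) of common unsalted digests.
HEX_DIGEST_LENGTHS = {32: "md5 or ntlm", 40: "sha1", 64: "sha256", 128: "sha512"}

_HEX = re.compile(r"[0-9a-fA-F]+")
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def try_base64(value: str):
    """Return the decoded text if value is valid base64 for printable UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify_secret(value: str) -> list:
    """Label a recovered string so you know whether it is usable as-is or needs decoding first."""
    labels = []
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            labels.append(f"crypt hash ({name})")
    if _HEX.fullmatch(value):
        if len(value) in HEX_DIGEST_LENGTHS:
            labels.append(f"hex digest ({HEX_DIGEST_LENGTHS[len(value)]})")
        elif len(value) % 2 == 0:
            labels.append("hex encoded")
    # Only call it base64 if it decodes to printable text; hex digests also match the alphabet.
    if _B64.fullmatch(value) and len(value) % 4 == 0 and try_base64(value) is not None:
        labels.append("base64 encoded")
    if "%" in value and unquote(value) != value:
        labels.append("url encoded")
    return labels or ["plaintext (probably)"]


def encoding_variants(payload: str) -> dict:
    """Return the same input raw, percent-encoded, and form-encoded."""
    return {
        "raw": payload,
        "url": quote(payload, safe=""),   # percent-encode everything but unreserved characters
        "form": quote_plus(payload),      # application/x-www-form-urlencoded: spaces become '+'
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real box.
    for sample in ["admin", "cGFzc3dvcmQxMjM=", "5f4dcc3b5aa765d61d8327deb882cf99",
                   "$6$rounds=5000$saltsalt$hashhash", "S3cret%21"]:
        print(f"{sample!r:45} -> {classify_secret(sample)}")
    print(encoding_variants("a b&c=1"))
```

The labels are heuristics: a short word made only of a-f letters will be reported as "hex encoded", so treat the output as a hint about what to decode next, not as proof.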

  • This is a must - don't overthink, use what is in front of you; it's intended and vulnerable

  • ALWAYS check all ports, don't fall into a rabbit hole. Run a full nmap scan on all ports, no matter how high the port number is; you will never know what service is actually running without trying different scans

  • Always search for an exploit with searchsploit first

  • Always try admin:admin, root:root, root:toor on the target box; it will lead somewhere sometimes

  • Learn how to trigger error messages in web apps, because once you know what's running in the background, you can search for that particular thing on Google and GitHub, get the source code for it, and that will open new paths for you and also help you narrow down your attack vector

  • If nothing works, remember the devil is in the information: get all the information, look, and think

  • Change browsers if you think things are not working as expected. This is funny, but yeah, sometimes my Brave browser doesn't allow some sites' scripts to load properly and I have to do it in Mozilla, so make sure you are not missing anything

  • You ran the exploit and you are sure it's the exact exploit and version that can execute your shell, but you're still not getting a connection back? Probably because of target firewall rules; try changing the listening port to something like 21, 22, 80, 443, or:

    1. For reverse shells, I use ports that are already shown to be open on the victim machine. That always seems to work for me.

    2. Use a port that your nmap enumeration said was already open on the victim machine.

  • If you are using the right exploit and it's still not working, try changing the payload, for example from staged to non-staged, and also the architecture, etc.

Linux

  • Gained credentials on the box? Try sudo su to check if the user re-used that password

Windows

  • You are likely to find your uploaded files in the directory where your reverse or bind shell is executed and not in the directory where you actually uploaded them. Quite weird, but yeah, don't forget to check the folder where your shell is executed

  • Always check "Program Files" and "Program Files (x86)" while doing privesc; you will likely find installed software and applications on the box that, if vulnerable, will lead you to admin
