General Checklist
- Check default passwords.
- Check versions of services.
- Try more than one wordlist when directory brute-forcing (e.g. /usr/share/wordlists/dirb/big.txt, /usr/share/wordlists/dirbuster/apache-user-enum-2.0.txt, /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt).
- Once inside a CMS or site, check every single page.
- bash vs sh: try both when doing privesc. One working does not mean the other will.
- SEARCH EVERYTHING, even if it seems silly (e.g. photos). Check even CSS files.
- Check other exploits too if any are available. Do not get stuck on one. The service may report version 2.4 and an exploit written for version 2.5 may still work.
- Enumerate subdomains if you are getting nothing.
- Check the /opt and /var directories.
- Intercept traffic with BurpSuite if you are stuck.
- If you believe there is no other way in (i.e. you have found the one), then stick with it and keep searching for it.
- Run more than one privesc script (LinEnum, lse.sh, PEAS, etc.).
- Read the code. The details show what needs to be done or changed. Just read the code!
- Try all of them (shell_exec, system, exec) to be sure.
- If credentials are not working and you are sure they should, revert the box. You might have crashed it somewhere along the way.
- If you are 100% sure the exploit is the one you are looking for and it is not working, try the 64-bit or 32-bit build, depending on the architecture of the box.
- If the page redirects, install the NoRedirect plugin for Firefox and add the page so it is NOT redirected. Also intercept the traffic with BurpSuite to see where it goes.
- Execute commands manually. Sometimes you miss things when running automated scripts.
- Search for and spend some time on LFI/URL parameters.
- Running out of ideas? Brute-force may be the last option (use different lists, not only rockyou.txt).
As a general rule:
One finding leads to the next (e.g. found a file? It will lead you to the next step).