## How to work through a vulnerable host

#### Scan for vulnerabilities

We're searching for vulnerabilities in the host or application, and for information leakage.

- NMAP scanning
- vhost enumeration
- Gobuster
- Ping scanning
- Google Dorking

---

#### Determine Versions

After gathering information about the host and its applications, we need to determine which versions are running.

- Banner grabbing
- netcat / telnet
- Shodan and Censys
- Inspect headers
- Throw intentional errors

---

#### Find Exploits

Find exploits for the software and versions identified on the host.

- searchsploit
- exploit-db
- Google
- Shodan

---

#### Craft Payload

Create a malicious payload for the identified exploit. This allows further exploitation through reverse shells or similar routes.

- msfvenom
- searchsploit

---

#### Execute Payload

Execute the payload we made; there can be some very interesting and creative ways to achieve this!

- Invoke-Command
- runas
- sudo

---

#### Establish Persistence

Ensure that our foothold on the host persists.

- service takeovers
- cron jobs
- startup scripts

---

#### Escalate Privileges

Move from a foothold to root!

- get-process
- PowerUp.ps1
- LinEnum.sh
- LinPEAS
- WinPEAS
- SUID/SGID
- sudo -l

---

#### Exfiltrate Data

Steal the data on the host!

- Invoke-WebRequest
- iwr
- curl
- Imagination!!