How to work through a vulnerable host
Scan for vulnerabilities
We're searching for vulnerabilities in the host, application, or information leakage.
- NMAP scanning
- vhost enumeration
- Gobuster
- Ping scanning
- Google Dorking
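Seen from the defending side, the scanning step above is also the noisiest one. As an added illustration (not part of the original notes), here is a small detector that groups firewall drop/accept log lines by source and destination and flags any source touching many distinct ports on one host. The sample lines and the SRC=/DST=/DPT= field layout are constructed for the example; the threshold is an assumption to tune per environment.

```python
"""Flag port-scan-like behaviour in firewall logs (added defender-side example).

The sample log lines below are constructed; they imitate an iptables/syslog
style record but are not taken from any specific product.
"""
import re
from collections import defaultdict

# Constructed sample: one source touching many ports, one normal client.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
Jan 10 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 10 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 10 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=3306
Jan 10 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=8080
Jan 10 10:00:05 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 10 10:00:06 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
"""

# Field layout is an assumption made for this example.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Yield (src, dst, dport) for every line that matches the expected format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_scanners(text, port_threshold=5):
    """Return {src: sorted distinct ports} for each source that touched more
    than `port_threshold` distinct destination ports on a single host.

    Grouping by (src, dst) keeps a client legitimately talking to many hosts
    on one port from being mistaken for a scanner.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        ports_by_pair[(src, dst)].add(dport)

    hits = {}
    for (src, _dst), ports in ports_by_pair.items():
        if len(ports) > port_threshold:
            hits.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} distinct ports {ports}")
```

In a real pipeline the same grouping would be done per time window rather than over the whole file, so that a slow scan spread over hours is still caught and a busy legitimate client is not.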
Determine Versions
After gathering information about the host and applications, we need to determine what versions they have.
- Banner grabbing
- netcat / telnet
- Shodan and Censys
- Inspect headers
- Throw intentional errors
Find Exploits
Find exploits for the identified versions and software on the host.
- searchsploit
- exploit-db
- Shodan
Craft Payload
Create a malicious payload based on the identified exploit. This allows further exploitation through reverse shells or similar routes.
- msfvenom
- searchsploit
Execute Payload
Execute the payload we made; there can be some very interesting and creative ways to achieve this!
- Invoke-Command
- runas
- sudo
Establish Persistence
Ensure that our exploits stay persistent on the host.
- service takeovers
- cron jobs
- startup scripts
Escalate Privileges
Move from a foothold to root!
- get-process
- PowerUp.ps1
- LinEnum.sh
- LinPEAS
- WinPEAS
- suid/sgid
- sudo -l
Exfiltrate Data
Steal the data on the host!
- Invoke-WebRequest
- iwr
- curl
- Imagination!!