Things to Try When Stuck

Stuck on a box? Try the ideas below.

Initial Access

Web discovery

  • Fuzz any parameter that looks interesting or behaves differently from the rest; there may be command or expression injection behind it. Try wordlists with arithmetic values such as 2*2 or 2+2 and check whether the result (4) comes back instead of the literal input. (Hetemit, Proving Grounds)

  • Try the SMB share name or the hostname as a directory name under the web root.
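The arithmetic-probe idea above, as an added example that is not part of the original notes. It wraps the same expression in the syntaxes that common evaluators understand and, for each response, tells apart "the page echoed my payload back" from "something evaluated it". It uses 7*7 rather than 2+2 because a stray "4" appears in pages far more often than "49", and it probes with a second expression to confirm a hit. The function names, the payload set and the URL in the usage comment are mine; curl with -G and --data-urlencode is used for the live probe, which needs network access and is not needed for the classifier itself.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): arithmetic probes for a suspicious
# parameter, plus a classifier for the responses they produce.

# arith_payloads EXPR: one expression wrapped in several evaluation syntaxes
# (raw, shell arithmetic, Jinja/Twig, Groovy/Spring EL, ERB, Ruby interpolation).
# The expression is the same in every line, so every line has the same expected result.
arith_payloads() {
    sed "s/@E@/$1/g" <<'EOF'
@E@
$((@E@))
{{@E@}}
${@E@}
<%= @E@ %>
#{@E@}
EOF
}

# arith_expected EXPR: evaluate the expression locally, so we know what an
# evaluating back end should have returned (arith_expected '7*7' -> 49).
arith_expected() { echo $(( $1 )); }

# classify BODY PAYLOAD EXPECTED -> reflected | evaluated | none
#   reflected: the raw payload is in the response (echoed, not run; checked first
#              so an incidental "49" next to an echoed "7*7" is not a false hit)
#   evaluated: the result is present and the raw payload is not -> something ran it
#   none:      neither; the value was dropped, filtered or used silently
classify() {
    classify_body=$1 classify_payload=$2 classify_expected=$3
    case "$classify_body" in
        *"$classify_payload"*)  echo reflected ;;
        *"$classify_expected"*) echo evaluated ;;
        *)                      echo none ;;
    esac
}

# probe URL PARAM: send every payload for two different expressions as GET
# parameters and print the classification. A parameter that comes back
# "evaluated" for both 7*7 and 8*9 deserves manual follow-up (command or template
# injection). Live use only; needs network and curl. For POST forms use curl -d.
probe() {
    probe_url=$1 probe_param=$2
    for probe_expr in '7*7' '8*9'; do
        probe_want=$(arith_expected "$probe_expr")
        arith_payloads "$probe_expr" | while IFS= read -r probe_p; do
            probe_body=$(curl -s -G --data-urlencode "$probe_param=$probe_p" "$probe_url")
            printf '%-10s %s=%s\n' "$(classify "$probe_body" "$probe_p" "$probe_want")" \
                "$probe_param" "$probe_p"
        done
    done
}

# Usage (hypothetical target):
#   probe 'http://10.10.10.10/search.php' q
```

A single "evaluated" line is a lead, not proof: confirm by hand with a third expression whose result cannot occur by chance, then move on to command-oriented payloads for that parameter.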

Getting a shell

  • Examine response headers closely: minor custom headers or error strings can give away the back end.

  • Consider similar protocols. If you get an SSH key, try it over SCP (or SFTP) for file transfer as well.

  • With hydra, always add -e nsr (try a null password, the login as the password, and the reversed login). Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.1 ftp -vV -f -e nsr -I

  • Look for auth-owners output in nmap (the identd service, usually port 113) to get usernames.

  • See Proving Grounds' Dibble for node.js RCE.

  • Guess parameters and methods. If a form POSTs to forgot_pass.php with an email parameter, also try it as a GET: /forgot_pass.php?email=%0aid (a URL-encoded newline followed by a command, in case the value reaches a shell).

  • When brute forcing credentials, try the software name as both the username and the password.

  • When brute forcing services, also try the username as the password. Neither tool does this by default: hydra needs -e s, medusa needs -e ns.

  • For blind SQLi, extract the database names and try them as directory names on the website. For example, if the database is called "inoerp_db", try /inoerp/.

  • If you are not given an interactive terminal (e.g. a restricted shell), try running commands directly as SSH arguments.

    Example -> ssh -i <keys> user@<ip> 'whoami'
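The brute-force heuristics in this section (hydra -e nsr, username as password, software name as username and password), written out as an added example that is not part of the original notes. Instead of relying on each tool's flags, it generates the guesses explicitly as a login:pass list, which hydra reads with -C and which can be reused with any other tool. The function names are mine; "admin" and "Tomcat" in the usage are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): build an explicit login:pass combo
# list covering what hydra -e nsr tries plus the "software name" guesses.

# reverse STRING: reversed string (pure awk, so it works without rev(1)).
reverse() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# lower STRING / capitalize STRING: tomcat / Tomcat
lower() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'; }
capitalize() {
    printf '%s%s\n' "$(printf '%s' "$1" | cut -c1 | tr '[:lower:]' '[:upper:]')" \
                    "$(printf '%s' "$1" | cut -c2-)"
}

# candidates USER [SOFTWARE...]: one password guess per line for USER.
#   line 1: empty (the "n" in -e nsr, null password)
#   line 2: the login itself ("s")
#   line 3: the login reversed ("r")
#   then each software name in lower-case and Capitalized form.
candidates() {
    cand_user=$1; shift
    {
        printf '%s\n' '' "$cand_user" "$(reverse "$cand_user")"
        for cand_sw in "$@"; do
            printf '%s\n' "$(lower "$cand_sw")" "$(capitalize "$cand_sw")"
        done
    } | awk '!seen[$0]++'   # drop duplicates (e.g. software name already lower-case)
}

# combo USER [SOFTWARE...]: login:pass lines for hydra -C. Besides USER it also
# adds the software name itself as a login (tomcat:tomcat, tomcat:tacmot, ...),
# since default accounts often match the product name.
combo() {
    combo_user=$1; shift
    candidates "$combo_user" "$@" | sed "s/^/$combo_user:/"
    for combo_sw in "$@"; do
        combo_sw=$(lower "$combo_sw")
        candidates "$combo_sw" | sed "s/^/$combo_sw:/"
    done
}

# Usage (hypothetical target and service):
#   combo admin Tomcat > combos.txt
#   hydra -C combos.txt -vV -f -I 192.168.1.1 ftp
```

The "admin:" line with nothing after the colon is the null-password guess. Keep the wordlist-based run (-l/-P with -e nsr) for the long tail; this list is the cheap first pass that catches default and lazy credentials in seconds.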

Windows Privilege Escalation

  • GOOGLE EVERY term you see inside files that you find interesting and look for exploits.

  • Explore the root of C:\. Scheduled tasks that a low-privileged user cannot enumerate may still run scripts or binaries placed directly in C:\.

  • Explore alternatives to a reverse shell and leverage exposed remote access protocols. For example, if a reverse shell doesn't work, run a command that changes the Administrator password and then authenticate with smbexec (fine on a lab box; on a real engagement that change is destructive and noisy).

  • Identify all users and attempt to brute force authentication via RDP.

  • Always check "C:\Program Files" and "C:\Program Files (x86)" for installed applications.

Linux Privilege Escalation

  • GOOGLE EVERY term you see inside files that you find interesting and look for exploits.

  • Privesc scripts aren't always right. Try basic things yourself. (Add them from medium blog)

  • Identify all users. If you can read /etc/passwd or list /home, collect the usernames and try brute forcing SSH with them.

  • Always run echo $PATH to see which directories are searched for commands, and check whether any of them is writable or missing.

  • Docker - see Proving Grounds' Sirol/Escape box.

  • Check which groups the current user belongs to (id) and look into the interesting ones.

  • Fully understand the software behind any group the user belongs to (e.g. the fail2ban group: what does membership let you read, write or restart?).

  • Use pspy to spy on processes and cron jobs you may not otherwise be able to see.

  • cat ~/.profile && cat ~/.bashrc.

  • Custom SUID binaries won't be highlighted: linpeas and other privesc scripts only know the well-known names. Find them manually and inspect anything unfamiliar.

  • Examine each and every SUID binary!
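Three of the manual checks above (usernames from /etc/passwd for an SSH brute force, PATH inspection, and finding SUID binaries the scripts do not know), as an added example that is not part of the original notes. The functions take explicit inputs so they can run on the box or on files pulled from it. The sample passwd text and the baseline list of "normal" SUID names are constructed for this example, and the function names are mine; extend the baseline to match the distro you are on.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): the "do it by hand" checks behind
# the /etc/passwd, $PATH and SUID bullets, as small functions over explicit inputs.

# Constructed sample of a leaked /etc/passwd (not from any real target).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/usr/bin/zsh
EOF
}

# login_users < passwd: accounts whose shell allows a login. These are the SSH
# brute-force targets; service accounts with nologin/false are skipped.
login_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }'
}

# writable_path_dirs PATH_STRING: entries of a PATH that the current user can
# write to, that do not exist (and could be created), or that are relative.
# A hit before /usr/bin means command hijacking for anything (cron, sudo rules,
# SUID wrappers) that runs with that PATH.
writable_path_dirs() {
    wpd_old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$wpd_old_ifs
    for wpd_dir in "$@"; do
        if [ -z "$wpd_dir" ] || [ "$wpd_dir" = . ]; then
            echo "${wpd_dir:-(empty)} (relative entry: current directory is searched)"
        elif [ ! -e "$wpd_dir" ]; then
            echo "$wpd_dir (missing)"
        elif [ -w "$wpd_dir" ]; then
            echo "$wpd_dir (writable)"
        fi
    done
}

# default_suid_baseline: SUID names that are normal on most distros (constructed,
# not exhaustive). Anything NOT in this list is reported by suid_scan.
default_suid_baseline() {
    cat <<'EOF'
su
sudo
passwd
chsh
chfn
gpasswd
newgrp
mount
umount
ping
pkexec
fusermount
EOF
}

# suid_scan ROOT BASELINE_FILE: setuid files under ROOT whose basename is not in
# the baseline. What is left is "custom": read its strings, watch what it execs,
# and look for relative paths or writable config it trusts.
suid_scan() {
    scan_root=$1 scan_baseline=$2
    find "$scan_root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r scan_f; do
        grep -qxF "$(basename "$scan_f")" "$scan_baseline" || echo "$scan_f"
    done
}

# Usage on a live box:
#   login_users < /etc/passwd > users.txt      # then: hydra -L users.txt -e nsr ... ssh
#   writable_path_dirs "$PATH"
#   default_suid_baseline > /tmp/suid_base.txt && suid_scan / /tmp/suid_base.txt
```

The baseline is deliberately a plain file: when a target ships an unusual but legitimate SUID binary, add its name and rerun, and what remains is the short list worth the "examine each and every SUID" effort.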
