Stuck?

Help I'm Stuck

I have read that you will run out of ideas before you run out of time. Here are some questions that may help you generate more ideas or remind you of something to check that may have been forgotten. We all get stuck and forget something simple. These checklists are not meant to walk you through hacking (there are other methodologies and checklists on here for that). The goal of this is to help remember or trigger an idea. Some of the suggestions are to go back and walk through the other checklists slowly.

General

• Reset the box?

• What phase are you stuck on?

• Go through each checklist again for each phase.

  • Pay careful attention to each line of output.

  • Don't bounce around from phase to phase. Finish information gathering before trying to exploit.

  • Create a list things to try

• Manually run enumeration commands.

• Have you created a custom wordlist (cewl or patator)?

• Have you tried relaxing search terms?

  • Instead of looking for the specific version of a program try, try looking for anything under that version.

• Have you researched all running service?

• Have you ran all the tools against the target service?

  • You may need to run more than one enumeration tool against the same service. One may provide different information that the other is missing.

• Take inventory of what you DO have?

  • Can any of that be leveraged some how?

• Are you trying to rush? Slow down and think about what you have and where you are trying to go.

• What have you not looked at? Why not?

• Take a walk.

Initial Foothold

• Did you search for vulnerabilities tied to every service?

  • Searchsploit

  • Search engines

• What information do you have?

  • Look at everything you have gained so far.

  • Make sure you look into all folders and files.

  • Do you have a list of users and do not realize it?

    • Websites leak user accounts regularly via email and comments.

    • A share may show /home directory folders which are typically usernames.

  • Are their any services only open to localhost

  • Try to connect to the port on from the localhost

  • Set up a proxy that opens up the port to your machine (ssh proxy, chisel, plink, etc)

Privilege Escalation

• Is there any third party software installed that is vulnerable?

• Is there any process currently running that is vulnerable?

• Walk through the checklist again.

• Walk through an enumeration script.

• Have you tried previously found usernames and passwords?

  • Try all combinations of users and passwords.

• Have you searched through all configuration and log files for sensitive information?

  • Keep in mind there may be non standard configuration files or configuration files in uncommon places.

  • ini, config, log