Exploit Workflow

How to work through a vulnerable host

Scan for vulnerabilities

We're searching for vulnerabilities in the host or its applications, and for information leakage.

  • Nmap scanning

  • Gobuster

  • Ping scanning

  • Google Dorking

Determine Versions

After gathering information about the host and its applications, we need to determine which versions are running.

  • Banner grabbing

  • netcat / telnet

  • Shodan and Censys

  • Inspect headers

  • Throw intentional errors

Find Exploits

Find exploits for the software and versions identified on the host.

  • searchsploit

  • exploit-db

  • Google

  • Shodan

Craft Payload

Create a malicious payload for the identified exploit. This allows further exploitation through reverse shells or other similar routes.

  • msfvenom

  • searchsploit

Execute Payload

Execute the payload we made; there can be some very interesting and creative ways to achieve this!

  • Invoke-Command

  • runas

  • sudo

Establish Persistence

Ensure that our foothold on the host persists.

  • service takeovers

  • cron jobs

  • startup scripts

Escalate Privileges

Move from a foothold to root!

  • Get-Process

  • PowerUp.ps1

  • LinEnum.sh

  • LinPEAS

  • WinPEAS

  • SUID/SGID binaries

  • sudo -l

Exfiltrate Data

Steal the data on the host!

  • Invoke-WebRequest

    • iwr (alias)

  • curl

  • Imagination!!