Exploit Workflow

How to work through a vulnerable host

Scan for vulnerabilities

We're searching the host and its applications for vulnerabilities and for information leakage.
  • Nmap scanning
  • vhost enumeration
  • Gobuster
  • Ping scanning
  • Google Dorking

Determine Versions

After gathering information about the host and applications, we need to determine which versions are running.
  • Banner grabbing
  • netcat / telnet
  • Shodan and Censys
  • Inspect headers
  • Throw intentional errors
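The scanning and version-probing steps above leave a distinctive trail in web server logs: a burst of 404s from one client (Gobuster-style path brute forcing) and many different Host headers from one client (vhost enumeration). The following detector is an added example written for this page, not a tool from the checklist. The log lines are constructed, the log format is assumed (combined format with the request's Host header appended in quotes), and both thresholds are assumptions to tune per site.

```python
"""Spot path brute forcing and vhost enumeration in web access logs.

Added example, not part of the original checklist. The log lines below are
constructed, the log format is assumed (combined format plus a quoted Host
header), and both thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict

# Assumed format: combined log format with the request's Host header appended in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

NOT_FOUND_THRESHOLD = 20  # 404s from a single client in the window (assumed)
VHOST_THRESHOLD = 5       # distinct Host headers from a single client (assumed)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return {client_ip: [reasons]} for clients whose behaviour looks like enumeration."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        stats["hosts"].add(rec["host"])

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        if stats["not_found"] >= NOT_FOUND_THRESHOLD:
            reasons.append(f"{stats['not_found']} of {stats['total']} requests returned 404 (path brute forcing)")
        if len(stats["hosts"]) >= VHOST_THRESHOLD:
            reasons.append(f"{len(stats['hosts'])} distinct Host headers (vhost enumeration)")
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_log():
    """Constructed sample: one noisy client (203.0.113.7) and one ordinary browser."""
    lines = []
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] "GET /admin{i} HTTP/1.1" '
            f'404 153 "-" "gobuster/3.6" "www.example.test"'
        )
    for name in ("dev", "staging", "api", "mail", "old", "test"):
        lines.append(
            f'203.0.113.7 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "curl/8.0" "{name}.example.test"'
        )
    for i in range(3):
        lines.append(
            f'198.51.100.2 - - [10/Oct/2023:13:57:0{i} +0000] "GET /index.html HTTP/1.1" '
            f'200 1024 "-" "Mozilla/5.0" "www.example.test"'
        )
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(constructed_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The same per-client aggregation also answers the "inspect headers" and "throw intentional errors" items from the defender's side: if the server's error pages and Server/X-Powered-By headers carry no version strings, the probing still shows up in the log but yields nothing.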

Find Exploits

Find exploits for the software and versions identified on the host.
  • searchsploit
  • exploit-db
  • Google
  • Shodan

Craft Payload

Create a malicious payload for the identified exploit. This allows further exploitation through reverse shells or similar routes.
  • msfvenom
  • searchsploit

Execute Payload

Execute the payload we made; there can be some very interesting and creative ways to achieve this!
  • Invoke-Command
  • runas
  • sudo

Establish Persistence

Ensure that our access to the host persists.
  • service takeovers
  • cron jobs
  • startup scripts

Escalate Privileges

Move from a foothold to root!
  • Get-Process
  • PowerUp.ps1
  • LinEnum.sh
  • LinPEAS
  • WinPEAS
  • SUID/SGID binaries
  • sudo -l
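The persistence step (cron jobs, startup scripts) and the privilege-escalation step (`sudo -l`) both come down to host configuration that a defender can audit. The script below, an added example and not one of the tools listed above, parses a system crontab and a sudoers file and flags what LinEnum-style enumeration would find: scheduled commands run from world-writable directories or carrying decoded/downloaded payloads, and sudo rules that grant ALL, skip the password, or point at binaries usually flagged in hardening reviews. Both input files are constructed, and every heuristic and threshold is an assumption to adjust per host.

```python
"""Audit cron entries and sudoers rules for persistence and sudo exposure.

Added example, not part of the original checklist. CRONTAB and SUDOERS below
are constructed samples; the patterns and binary list are assumptions.
"""
import re

# Directories any local user can write to; a root cron job running code from
# here is a classic persistence finding.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SUSPECT_PATTERNS = (
    re.compile(r"base64\s+(-d|--decode)"),          # decoded-on-the-fly command
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),  # download piped to a shell
    re.compile(r"/dev/tcp/|\bnc\b|\bncat\b"),        # raw socket helpers
)
# Sample list (assumed) of binaries hardening reviews flag in sudo rules because
# they can run other programs or edit arbitrary files.
SHELL_CAPABLE = {"vim", "vi", "less", "more", "find", "awk", "python3", "perl", "bash", "sh", "env"}

SUDO_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def audit_crontab(text):
    """Return [(line_no, reason)] for system-crontab lines (the ones with a user field)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        if line.startswith("@"):                     # @reboot, @daily, ...
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            user, command = parts[1], parts[2]
        else:                                        # five time fields, user, command
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            user, command = parts[5], parts[6]
        if any(d in command for d in SUSPECT_DIRS):
            findings.append((n, f"{user} runs a command from a world-writable directory: {command}"))
        elif any(p.search(command) for p in SUSPECT_PATTERNS):
            findings.append((n, f"{user} runs a decoded or downloaded command: {command}"))
    return findings


def audit_sudoers(text):
    """Return [(line_no, reason)] for sudoers rules that widen what a user can run."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        who, cmds = m.group("who"), m.group("cmds")
        nopasswd = "NOPASSWD:" in cmds
        suffix = " without a password" if nopasswd else ""
        cleaned = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):\s*", "", cmds)
        for cmd in (c.strip() for c in cleaned.split(",")):
            if not cmd:
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((n, f"{who} may run ALL commands{suffix}"))
            elif base in SHELL_CAPABLE:
                findings.append((n, f"{who} may run {cmd}, a binary hardening reviews flag{suffix}"))
            elif nopasswd:
                findings.append((n, f"{who} may run {cmd}{suffix}"))
    return findings


# Constructed samples (not from any real host).
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /tmp/.cache/update.sh
@reboot         www-data bash -c 'echo aGVsbG8= | base64 -d | sh'
0 3     * * *   backup  /usr/local/bin/backup.sh
"""
SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/vim
backup  ALL=(root) /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for n, reason in audit_crontab(CRONTAB) + audit_sudoers(SUDOERS):
        print(f"line {n}: {reason}")
```

Run against a live host, the same functions would take `/etc/crontab` plus the files under `/etc/cron.d` and the output of `visudo -c -f` on each sudoers fragment; the crontab parser above deliberately expects the system format with a user column, so per-user crontabs (no user field) need the time-field count lowered by one.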

Exfiltrate Data

Steal the data on the host!
  • Invoke-WebRequest
    • iwr
  • curl
  • Imagination!!
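From the defender's side, the exfiltration step with curl or Invoke-WebRequest shows up in an outbound proxy log as uploads (POST/PUT) of unusual volume to destinations the organisation does not normally send data to, often with a command-line client's User-Agent. The detector below is an added example for this page, not a tool from the checklist. The proxy log format, the destination allowlist, the volume threshold and the User-Agent substrings are all assumptions; the log lines are constructed.

```python
"""Flag possible data exfiltration in an outbound proxy log.

Added example, not part of the original checklist. Log format, allowlist,
threshold and User-Agent markers are assumptions; the log lines are constructed.
"""
from collections import defaultdict

UPLOAD_THRESHOLD = 5 * 1024 * 1024  # bytes sent per (source, destination) pair (assumed)
ALLOWED_DESTINATIONS = {"backup.corp.example", "updates.corp.example"}  # constructed allowlist
TOOL_UA_MARKERS = ("curl/", "WindowsPowerShell/", "PowerShell/")  # assumed substrings


def parse_proxy_line(line):
    """Assumed format: ts src dst method bytes_out "user-agent". Returns None on mismatch."""
    parts = line.split(None, 5)
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    ts, src, dst, method, bytes_out, ua = parts
    return {"ts": ts, "src": src, "dst": dst, "method": method,
            "bytes_out": int(bytes_out), "ua": ua.strip().strip('"')}


def find_exfiltration(lines):
    """Return [(src, dst, [reasons])] for upload flows to non-allowlisted destinations."""
    volume = defaultdict(int)   # bytes uploaded per (src, dst)
    tool_flows = set()          # (src, dst) pairs seen with a command-line client UA
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        key = (rec["src"], rec["dst"])
        volume[key] += rec["bytes_out"]
        if any(marker in rec["ua"] for marker in TOOL_UA_MARKERS):
            tool_flows.add(key)

    findings = []
    for (src, dst), total in sorted(volume.items()):
        if dst in ALLOWED_DESTINATIONS:
            continue
        reasons = []
        if total >= UPLOAD_THRESHOLD:
            reasons.append(f"{total} bytes uploaded")
        if (src, dst) in tool_flows:
            reasons.append("command-line HTTP client user agent")
        if reasons:
            findings.append((src, dst, reasons))
    return findings


# Constructed sample log (not real traffic).
PROXY_LOG = [
    '2023-10-10T14:00:01Z 10.0.0.15 files.example.net POST 3000000 "curl/8.0.1"',
    '2023-10-10T14:00:09Z 10.0.0.15 files.example.net PUT 4000000 "curl/8.0.1"',
    '2023-10-10T14:01:00Z 10.0.0.22 backup.corp.example POST 90000000 "BackupAgent/2.1"',
    '2023-10-10T14:02:00Z 10.0.0.31 www.example.org GET 0 "Mozilla/5.0"',
    '2023-10-10T14:03:00Z 10.0.0.40 paste.example.net POST 2048 "Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1"',
]

if __name__ == "__main__":
    for src, dst, reasons in find_exfiltration(PROXY_LOG):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The volume check catches bulk transfers regardless of tool, and the User-Agent check catches small but scripted uploads; an attacker can spoof the User-Agent, which is why the two signals are reported separately rather than combined into one score.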