> For the complete documentation index, see [llms.txt](https://notes.m4lwhere.org/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://notes.m4lwhere.org/offensive/offensive-notes.md).

# Exploit Workflow

#### Scan for vulnerabilities

We're searching for vulnerabilities in the host, application, or information leakage.

* [ ] NMAP scanning
* [ ] vhost enumeration
* [ ] Gobuster
* [ ] Ping scanning
* [ ] Google Dorking

#### Determine Versions

After gathering information about the host and applications, we need to determine what versions they have.

* [ ] Banner grabbing
* [ ] netcat / telnet
* [ ] Shodan and Censys
* [ ] Inspect headers
* [ ] Throw intentional errors

#### Find Exploits

Find exploits for identified versions and software on host

* [ ] searchsploit
* [ ] exploit-db
* [ ] Google
* [ ] Shodan

#### Craft Payload

Create malicious payload through identified exploit. Allows further exploitation through reverse shells or other similar exploitation routes.

* [ ] msfvenom
* [ ] searchsploit

#### Execute Payload

Execute the payload we made, there can be some very interesting and creative ways to achieve this!

* [ ] Invoke-Command
* [ ] runas&#x20;
* [ ] sudo

#### Establish Persistence

Ensure that our exploits will stay persistent on the host

* [ ] service takeovers
* [ ] cron jobs
* [ ] startup scripts

#### Escalate Privileges

Move from a foothold to root!

* [ ] get-process
* [ ] PowerUp.ps1
* [ ] LinEnum.sh
* [ ] LinPEAS
* [ ] WinPEAS
* [ ] suid/guid
* [ ] sudo -l

#### Exfiltrate Data

Steal the data on the host!

* [ ] Invoke-WebRequest
  * [ ] iwr
* [ ] curl
* [ ] Imagination!!
