This tool is commonly used to brute-force directories on a web server using a wordlist.
What is DirBuster (or gobuster/ffuf)?
You search social media and public records to gather information about a target named KB.
What is Reconnaissance (OSINT)?
Publicly available information gathered about a target.
What is OSINT?
After obtaining a user password, this command shows what commands the user can run with elevated privileges.
What is sudo -l?
Using long, complex, and unique passwords helps prevent this type of attack.
What is brute-force attack?
This command-line tool is used to securely connect to a remote machine over port 22.
What is SSH?
You use tools to discover open ports and enumerate services like SSH and HTTP.
What is Scanning/Enumeration?
A file that stores passwords in a hidden, non-reversible format.
What is a hash?
You find a .git directory exposed on a web server—what is the main goal of exploiting this?
What is retrieving source code (and potentially credentials/secrets)?
This authentication method is more secure than passwords and uses a key pair.
What are SSH keys?
This tool is used to crack password hashes using GPU acceleration.
What is Hashcat? (or John the Ripper, but that is CPU-based)
You exploit a vulnerable WordPress plugin to gain remote code execution.
What is Exploitation?
A vulnerability that allows execution of commands on a remote system.
What is Remote Code Execution (RCE)? or CE
A system has a SUID binary using nano. What is the goal of exploiting this misconfiguration?
What is spawning a root shell (or editing privileged files as root)?
Removing unnecessary SUID permissions helps prevent this type of attack.
What is privilege escalation?
This tool or technique allows you to extract hidden repository data from a misconfigured web server exposing a .git directory.
What is git-dumper (or manually downloading the .git directory)?
After gaining access, you escalate privileges using a SUID binary to become root.
What is Post-Exploitation (Privilege Escalation)?
A special permission that allows a file to run with the privileges of its owner.
What is SUID?
You crack a hash and log in via SSH—what is the next logical step in a pentest?
What is privilege escalation (or post-exploitation enumeration)?
Keeping software like WordPress and plugins updated helps prevent this.
What is exploitation of known vulnerabilities?
This flag in gobuster allows you to specify the wordlist used for directory brute-forcing.
What is -w?
You document all findings, vulnerabilities, and steps taken for the client.
What is Reporting?
The process of increasing your level of access on a system.
What is privilege escalation?
You gain RCE on a web server but it’s unstable. What is a more reliable method to maintain access?
What is establishing a reverse shell or SSH access?
Blocking access to .git directories follows this core security principle of limiting access only to what is necessary.
What is the principle of least privilege?