🚩Capture The Flag Initial Recon Checklist

This section contains a checklist for initial recon of the target

---

• Provide the IP in the host file

• Check for firewalls

# Check firewalls via wafw00f
wafw00f target.local

• Do Nmap/Rustscan on target.tld

• Check for the version of the services detected via Nmap

• Is there any service that has an RCE? or can be exploited, use searchsploit

• Use Default credentials to login to services, to check for vulnerabilities

• Is FTP available?

• is SMB available?

# FTP connect command
ftp target.tld
# FTP login as Anonymous
------------------------
# SMB Enumeration
enum4linux target.local | tee report.txt

# SMB List shares
smbclient -L \\\\target.local

# SMB Connect to a share
smbclient \\target.local\sharename -u username

• Can we write on FTP / SMB mounts?

• Start a Nikto or Nessus session on the target

# Start a nikto session
nikto -h target.local -c

• Do a DIrectory enumeration via gobuster | feroxbuster | diresearch

# Use Gobuster
gobuster dir --no-error -t 50 -u target.tld -w $direnumCombined
# Use ferox
feroxbuster -s $feroxStatusCodes -t 50 --timeout 15 -u target.tld -w $direnumCombined -e
# Using Dirsearch
dirsearch -r -u target.tld -t 50 -w $direnumCombined

• Do a DNS enumeration via gobuster

gobuster dns --no-error -t 50 -i -d target.tld -w $dnsenumCombined

• Do a VHOST enumeration via gobuster

gobuster vhost --no-error -t 50 -u target.tld -w $dnsenumCombined --append-domain

• Is there a username or password leak?

• If there is a username leak, is SSH available? Bruteforce via Hydra on SSH

# Using hydra to brute force with found usernames
hydra -L username.txt -P $passrockyou -t 16 -f ssh://target.local

• Is there a particular CMS Available?

• Is it WordPress? or drupal or Joomla? etc…

# For wordpress use
wpscan -u target.local
# for drupal or joomla use droopescan
droopescan scan drupal/joomla -u target.local --enumerate-plugins

# Use Vulnx to get more information on exploitable CMS
# Parameters :
# -d : get subdomain information
# -D : use dorks available on the internet
# --dns : dns information gathering
# -w : web information gathering
# -t : threads
vulnx -u target.tld -d -D -w --dns -t 50 --output /output

• Check for LFI

• Check for Webroot via LFI

• The type of server running can give you the location of the webroot, check via LFI

• Is the site running via Nginx? LFI on '/etc/nginx/sites-enabled/default'

• Is the site running via Nginx? LFI on '/etc/nginx/nginx.conf'

• Is the site running via Apache? LFI on '/var/www/'

• Sometimes LFI can leak directory contents as well

• Use a LFI Payload list

GitHub - payloadbox/rfi-lfi-payload-list: 🎯 RFI/LFI Payload List

File Inclusion/Path traversal

• Is there some information on GitHub about the tech stack or the framework or the project that is being used on the target

• Leverage OSINT

• Do we have sensitive images that can provide us intel? check for metadata, use steganography tools to enumerate JPG/JPEG images

• Does the target use a custom web app?

• If so, then use Burp suite/OWASP Zap to enumerate parameters

• Is there a page or a URL parameter that can be abused for LFI?

• Check for XSS

GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List

xss payloads collect

• Check for CSRF

• Check for SSRF

• Check for OWASP Top 10 Vulnerabilities