# Capture The Flag Initial Recon Checklist

***

* [ ] Add the target IP to the hosts file (e.g. `/etc/hosts`) so `target.tld` resolves
* [ ] Check for firewalls / WAFs

```bash
# Check firewalls via wafw00f
wafw00f target.local
```

* [ ] Run Nmap/Rustscan against target.tld
* [ ] Check the versions of the services Nmap detected
* [ ] Does any detected service have a known RCE or other public exploit? Check with searchsploit
* [ ] Try default credentials on the detected services
* [ ] Is FTP available?
* [ ] Is SMB available?

```bash
# FTP connect command
ftp target.tld
# FTP login as Anonymous (username "anonymous"; any e-mail address is accepted as the password)

# SMB Enumeration
enum4linux target.local | tee report.txt

# SMB List shares (UNC paths are written //host in a POSIX shell to avoid backslash escaping)
smbclient -L //target.local

# SMB Connect to a share (-U selects the username; smbclient prompts for the password)
smbclient //target.local/sharename -U username
```

* [ ] Can we write to the FTP / SMB shares?
* [ ] Start a Nikto or Nessus scan against the target

```bash
# Start a nikto session (-Cgidirs all also scans the common CGI directories)
nikto -h target.local -Cgidirs all
```

* [ ] Do directory enumeration via gobuster | feroxbuster | dirsearch

```bash
# $direnumCombined holds the path to the directory wordlist and
# $feroxStatusCodes the comma-separated status codes to report (set both in your shell first)
# Use Gobuster
gobuster dir --no-error -t 50 -u target.tld -w $direnumCombined
# Use ferox
feroxbuster -s $feroxStatusCodes -t 50 --timeout 15 -u target.tld -w $direnumCombined -e
# Using Dirsearch
dirsearch -r -u target.tld -t 50 -w $direnumCombined
```

* [ ] Do DNS subdomain enumeration via gobuster

```bash
# $dnsenumCombined holds the path to the subdomain wordlist; -i also prints resolved IPs
gobuster dns --no-error -t 50 -i -d target.tld -w $dnsenumCombined
```

* [ ] Do VHOST enumeration via gobuster

```bash
# --append-domain appends target.tld to each wordlist entry in the Host header
gobuster vhost --no-error -t 50 -u target.tld -w $dnsenumCombined --append-domain
```

* [ ] Is there a username or password leak?
* [ ] If there is a username leak, is SSH available? Brute-force SSH via Hydra

```bash
# Using hydra to brute force with found usernames ($passrockyou holds the path to the password list;
# -f stops after the first valid pair)
hydra -L username.txt -P $passrockyou -t 16 -f ssh://target.local
```

* [ ] Is there a particular CMS available?
* [ ] Is it WordPress, Drupal, Joomla, etc.?

```bash
# For WordPress use wpscan (current wpscan takes --url, not -u)
wpscan --url http://target.local
# For Drupal or Joomla use droopescan (one CMS per run; -e p enumerates plugins)
droopescan scan drupal -u http://target.local -e p
droopescan scan joomla -u http://target.local -e p

# Use Vulnx to get more information on exploitable CMS
# Parameters :
# -d : get subdomain information
# -D : use dorks available on the internet
# --dns : dns information gathering
# -w : web information gathering
# --threads : threads (in vulnx -t is the HTTP timeout, not the thread count)
vulnx -u target.tld -d -D -w --dns --threads 50 --output /output
```
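A defender-side counterpart to the Nikto, directory-enumeration and CMS-scanner steps above: an added Python example (not part of the original checklist) that parses combined-format web access logs and flags sources either by the default User-Agent strings these scanners send or by a burst of 403/404 responses, since the User-Agent alone is not a reliable signal. The log lines, IPs and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/Nginx combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [12/Mar/2024:10:01:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [12/Mar/2024:10:01:01 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.9 - - [12/Mar/2024:10:01:02 +0000] "GET /uploads HTTP/1.1" 403 199 "-" "gobuster/3.6"
10.0.0.12 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.5 - - [12/Mar/2024:10:03:00 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Lower-cased substrings of the default User-Agents of the scanners used in this checklist.
SCANNER_UA_MARKERS = ("gobuster", "feroxbuster", "dirsearch", "nikto", "wpscan", "droopescan")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_scanners(log_text, miss_threshold=3):
    """Return {source_ip: [reasons]} for sources that look like web scanners."""
    misses = defaultdict(int)   # 403/404 count per source IP
    uas = defaultdict(set)      # distinct User-Agents per source IP
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] in ("403", "404"):
            misses[rec["ip"]] += 1
        uas[rec["ip"]].add(rec["ua"].lower())

    findings = {}
    for ip in sorted(set(misses) | set(uas)):
        reasons = []
        hits = sorted({mk for ua in uas[ip] for mk in SCANNER_UA_MARKERS if mk in ua})
        if hits:
            reasons.append("scanner user-agent: " + ", ".join(hits))
        if misses[ip] >= miss_threshold:
            reasons.append(f"{misses[ip]} 403/404 responses")
        if reasons:
            findings[ip] = reasons
    return findings
```

Running `detect_scanners(SAMPLE_LOG)` flags 10.0.0.9 (scanner User-Agent plus four 403/404s) and 10.0.0.12 (WPScan User-Agent) but not the ordinary browser at 10.0.0.5 with a single 404.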

* [ ] Check for LFI
* [ ] Use LFI to locate the webroot
* [ ] The type of server running hints at where the webroot is; confirm via LFI
* [ ] Is the site running via Nginx? LFI on '/etc/nginx/sites-enabled/default'
* [ ] Is the site running via Nginx? LFI on '/etc/nginx/nginx.conf'
* [ ] Is the site running via Apache? LFI on '/var/www/'
* [ ] Sometimes LFI can leak directory contents as well
* [ ] Use an LFI payload list

[GitHub - payloadbox/rfi-lfi-payload-list: 🎯 RFI/LFI Payload List](https://github.com/payloadbox/rfi-lfi-payload-list)

[File Inclusion/Path traversal](https://book.hacktricks.xyz/pentesting-web/file-inclusion)

* [ ] Is there information on GitHub about the tech stack, framework or project used on the target?
* [ ] Leverage OSINT
* [ ] Are there sensitive images that can provide intel? Check their metadata and run steganography tools over JPG/JPEG images
* [ ] Does the target use a custom web app?
* [ ] If so, use Burp Suite/OWASP ZAP to enumerate parameters
* [ ] Is there a page or a URL parameter that can be abused for LFI?
* [ ] Check for XSS

[GitHub - payloadbox/xss-payload-list: 🎯 Cross Site Scripting ( XSS ) Vulnerability Payload List](https://github.com/payloadbox/xss-payload-list)

[xss payloads collect](https://xss.js.org/#/)

* [ ] Check for CSRF
* [ ] Check for SSRF
* [ ] Check for OWASP Top 10 Vulnerabilities
