✅ CTF Enumeration Checklist

This is your step-by-step enumeration checklist for CTF boxes: HackTheBox, TryHackMe, PicoCTF, and similar platforms. Follow it in order. The answer is almost always hiding in something you didn't enumerate thoroughly enough.


🧠 Before You Start

  • Connected to VPN: confirm with ip addr show and check for your VPN interface
  • Created a working directory: mkdir ~/htb-<machinename> && cd ~/htb-<machinename>
  • Target IP confirmed and saved: export TARGET=<ip>
  • Output logging enabled: every command saving its output to a file

πŸ” Phase 1 β€” Initial Scanning

Fast Port Scan First β€” Always

# Fast top ports
nmap -sV -sC -T4 --top-ports 20 -oN quick.txt $TARGET

# If host appears down
nmap -sV -sC -T4 -Pn --top-ports 20 -oN quick.txt $TARGET
  • Run fast scan
  • Note every open port
  • Note every service version
  • Search every version number on exploit-db.com

Full Port Scan - Run in Background

```bash
nmap -p- --min-rate 5000 -T4 -oN full.txt $TARGET
```

  • Run full port scan in a second terminal tab
  • Check results when complete and compare to the quick scan
  • Any new ports? Enumerate them immediately

UDP Scan - Don't Skip This

```bash
nmap -sU --top-ports 20 -oN udp.txt $TARGET
```

  • Run UDP scan
  • Port 161 open? → SNMP enumeration
  • Port 53 open? → DNS enumeration
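The "compare to the quick scan" and "which section does this port send you to" steps above, as an added example that is not part of the original checklist: a small shell script that pulls open ports out of nmap -oN (normal) output, reports the ports the full scan found that the quick scan did not, and names the checklist section each one points to. The two scan files are constructed samples written to temp files; the function names, the temp-file layout and the 10.10.10.5 address are assumptions, not anything from the checklist.

```shell
#!/bin/sh
# Added example, not from the checklist: triage nmap -oN output against this checklist.
set -eu
export LC_ALL=C   # fixed collation so sort and comm agree on ordering

# Open ports ("22/tcp", "161/udp") from nmap normal output; closed/filtered lines are ignored.
open_ports() {
  grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open' "$1" | awk '{ print $1 }' | sort -u
}

# Ports present in the full scan (second file) but missing from the quick scan (first file).
new_ports() {
  q=$(mktemp); f=$(mktemp)
  open_ports "$1" > "$q"
  open_ports "$2" > "$f"
  comm -13 "$q" "$f"
  rm -f "$q" "$f"
}

# Which section of the checklist a given open port sends you to.
next_step() {
  case "$1" in
    80/tcp|443/tcp|8080/tcp|8443/tcp) echo "$1 -> Phase 2: web enumeration" ;;
    22/tcp)          echo "$1 -> Phase 3: SSH" ;;
    21/tcp)          echo "$1 -> Phase 3: FTP" ;;
    139/tcp|445/tcp) echo "$1 -> Phase 3: SMB" ;;
    53/tcp|53/udp)   echo "$1 -> Phase 3: DNS" ;;
    161/udp)         echo "$1 -> Phase 3: SNMP" ;;
    25/tcp)          echo "$1 -> Phase 3: SMTP" ;;
    *)               echo "$1 -> not in the checklist: look up the service version" ;;
  esac
}

# Constructed sample of a quick scan (nmap -sV -sC --top-ports 20 -oN); not a real scan.
SAMPLE_QUICK=$(mktemp)
cat > "$SAMPLE_QUICK" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 10.10.10.5
Host is up (0.050s latency).
Not shown: 18 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1
80/tcp   open  http    Apache httpd 2.4.41
Service Info: OS: Linux
EOF

# Constructed sample of the full scan (nmap -p- -oN, no version detection); not a real scan.
SAMPLE_FULL=$(mktemp)
cat > "$SAMPLE_FULL" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Nmap scan report for 10.10.10.5
Host is up (0.048s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
80/tcp   open     http
445/tcp  open     microsoft-ds
8080/tcp open     http-proxy
EOF

echo "Ports the quick scan missed:"
for p in $(new_ports "$SAMPLE_QUICK" "$SAMPLE_FULL"); do
  next_step "$p"
done
```

Run it against your own quick.txt and full.txt by passing those paths to new_ports; the 21/tcp filtered line in the sample shows why the pattern keys on the STATE column rather than on the port number alone.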

🌐 Phase 2: Web Enumeration (Ports 80, 443, 8080, 8443)

First Look

  • Open in browser and look at it with your eyes
  • Check page source: Ctrl+U
  • Check robots.txt → http://<target>/robots.txt
  • Check sitemap.xml → http://<target>/sitemap.xml
  • Note any technology hints: "powered by" footers, generator meta tags, response headers

Directory Busting

```bash
# Quick scan first
gobuster dir -u http://$TARGET -w /usr/share/wordlists/dirb/common.txt -t 50 -o gobuster-quick.txt

# Medium scan
gobuster dir -u http://$TARGET \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -x php,html,txt,bak \
  -t 50 \
  -o gobuster-medium.txt
```

  • Run quick directory scan
  • Run medium directory scan with extensions
  • Check every result and visit each one in the browser
  • Found /admin or /login? → try default credentials
  • Found /.git? → run git-dumper
  • Found /.env? → download it immediately
  • Found /backup or .bak files? → download everything
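"Check every result" is easier when the gobuster output is grouped by status code first, and it is the step people skip for 403s. As an added example that is not part of the original checklist, the script below reads a gobuster -o file, summarises how many paths came back with each status code, and lists the paths behind any one code so the 403s get a second look. It assumes gobuster 3.x's output line format, "/path (Status: NNN) [Size: NNN]"; the sample output is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the checklist: triage a gobuster -o output file by status code.
set -eu

# Count of results per HTTP status code, printed as "code:count" one per line.
status_summary() {
  grep -oE '\(Status: [0-9]+\)' "$1" \
    | tr -d '()' \
    | awk '{ print $2 }' \
    | sort | uniq -c \
    | awk '{ print $2 ":" $1 }' \
    | LC_ALL=C sort
}

# Paths that returned the given status code, e.g. paths_with_status gobuster-medium.txt 403
paths_with_status() {
  grep -E "\(Status: $2\)" "$1" | awk '{ print $1 }' | LC_ALL=C sort -u
}

# Constructed sample of gobuster -o output (not a real scan).
SAMPLE_GOBUSTER=$(mktemp)
cat > "$SAMPLE_GOBUSTER" <<'EOF'
/admin                (Status: 301) [Size: 312] [--> http://10.10.10.5/admin/]
/backup               (Status: 403) [Size: 277]
/config.bak           (Status: 200) [Size: 1024]
/index.php            (Status: 200) [Size: 5120]
/login.php            (Status: 200) [Size: 2048]
/uploads              (Status: 403) [Size: 277]
EOF

echo "Results per status code:"
status_summary "$SAMPLE_GOBUSTER"
echo "403s to revisit (often a listable directory one level down, or a method/vhost issue):"
paths_with_status "$SAMPLE_GOBUSTER" 403
```

The same two functions work on the quick and medium scan files from above; a 403 directory is a candidate for a recursive scan (feroxbuster, mentioned later in the decision tree) rather than something to cross off.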

Virtual Host Fuzzing

```bash
# Get default response size first
curl -s http://$TARGET | wc -c

# Fuzz vhosts
ffuf -u http://$TARGET \
  -H "Host: FUZZ.<domain>" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs <default_size> \
  -t 50
```

  • Identify the domain name (check nmap output, SSL cert, web response)
  • Run vhost fuzzing
  • Found new vhosts? → add to /etc/hosts, enumerate each one

API Enumeration

```bash
curl -s http://$TARGET/api
curl -s http://$TARGET/swagger.json
curl -s http://$TARGET/api-docs
```

  • Check common API paths manually
  • Found swagger/API docs? → read every endpoint
  • Found /graphql? → run introspection query
  • Find JS files and analyze them for endpoints and credentials

πŸ” Phase 3 β€” Service-Specific Enumeration

SSH (Port 22)

nmap --script ssh-hostkey,ssh-auth-methods -p 22 $TARGET
  • Note SSH version β€” search for CVEs
  • Check if password auth is enabled
  • Found private key files elsewhere? β†’ chmod 600 id_rsa && ssh -i id_rsa user@$TARGET

FTP (Port 21)

```bash
ftp $TARGET
# Try: anonymous / anonymous
nmap --script ftp-anon -p 21 $TARGET
```

  • Try anonymous login
  • Download all accessible files: mget *
  • Check for vsftpd 2.3.4 backdoor
  • Try write access: put test.txt

SMB (Ports 139, 445)

```bash
enum4linux-ng -A $TARGET
smbclient -L //$TARGET/ -N
nmap --script smb-vuln-ms17-010 -p 445 $TARGET
```

  • Run enum4linux-ng and note users, shares, password policy
  • List shares; try a null session
  • Connect to each accessible share
  • Download everything readable
  • Check for EternalBlue

DNS (Port 53)

```bash
dig $TARGET NS +short
dig axfr @$TARGET <domain>
```

  • Attempt zone transfer
  • Success? → add all discovered hosts to /etc/hosts
  • Run subdomain brute force

SNMP (UDP Port 161)

```bash
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET
snmpwalk -v2c -c public $TARGET > snmp-walk.txt
```

  • Brute force community string
  • Found valid string? → full snmpwalk
  • Check processes for credentials
  • Check user list

SMTP (Port 25)

```bash
nc $TARGET 25
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t $TARGET
```

  • Banner grab and note the software version
  • User enumeration: VRFY, RCPT, EXPN
  • Found valid users? → add to username list

πŸ•΅πŸ½ Phase 4 β€” Advanced Enumeration

  • Run waybackurls on the domain
  • Check crt.sh for subdomains
  • Analyze JavaScript files for hidden endpoints
  • Parameter fuzzing on all found endpoints
  • Check for exposed .git directory
  • Run Nikto on all web servers
nikto -h http://$TARGET -o nikto.txt
waybackurls <domain> | grep -E "\.(php|bak|config)$"
curl -s "https://crt.sh/?q=%.<domain>&output=json" | python3 -c "import sys,json; [print(x['name_value']) for x in json.load(sys.stdin)]" | sort -u
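The crt.sh step above, and the "add discovered hosts to /etc/hosts" steps in the vhost and DNS sections, share one chore: turn a list of names into hosts entries without duplicating lines every time you re-run. As an added example that is not part of the original checklist, the script below parses a saved crt.sh JSON response with only grep, sed and awk (one certificate's name_value field can hold several names separated by a literal "\n", and "*.host" wildcards are collapsed to the bare host because a wildcard is not a resolvable vhost), then appends each name to a hosts file only if it is not already there. The JSON and the hosts file are constructed samples in temp files; the 10.10.10.5 address, the example.htb names and the function names are assumptions. Point add_host at /etc/hosts (with the privileges that needs) for real use.

```shell
#!/bin/sh
# Added example, not from the checklist: crt.sh JSON -> deduplicated names -> hosts entries.
set -eu

# Every name from a crt.sh JSON dump, one per line, wildcards stripped, deduplicated.
crtsh_names() {
  grep -o '"name_value":"[^"]*"' "$1" \
    | sed 's/^"name_value":"//; s/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | sed 's/^\*\.//' \
    | LC_ALL=C sort -u
}

# Append "ip name" to a hosts file unless that name is already mapped (idempotent).
add_host() {
  hosts_file=$1; ip=$2; name=$3
  if grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$hosts_file" 2>/dev/null; then
    echo "$name already present in $hosts_file"
  else
    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
    echo "added $ip $name to $hosts_file"
  fi
}

# Constructed sample crt.sh response (not real certificate data).
SAMPLE_JSON=$(mktemp)
cat > "$SAMPLE_JSON" <<'EOF'
[{"issuer_name":"C=US, O=Example CA","name_value":"*.example.htb\ndev.example.htb","id":1},
 {"issuer_name":"C=US, O=Example CA","name_value":"www.example.htb","id":2},
 {"issuer_name":"C=US, O=Example CA","name_value":"www.example.htb","id":3}]
EOF

# Constructed stand-in for /etc/hosts so the example never touches the real file.
SAMPLE_HOSTS=$(mktemp)
for n in $(crtsh_names "$SAMPLE_JSON"); do
  add_host "$SAMPLE_HOSTS" 10.10.10.5 "$n"
done
add_host "$SAMPLE_HOSTS" 10.10.10.5 dev.example.htb   # second run: reported, not duplicated
```

Feeding the output of the vhost fuzz or a successful zone transfer through add_host the same way keeps one hosts file per box tidy across the many re-runs a CTF session involves.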

🚨 If You're Stuck: Decision Tree

Nothing on port 80? → Check other web ports: 8080, 8443, 8000, 3000, 5000 → Run full port scan if not done yet → Try HTTPS version

Directory busting found nothing interesting? → Try larger wordlist → Try more extensions: .php, .asp, .aspx, .jsp, .txt, .xml, .bak, .zip → Run feroxbuster for recursive scanning → Try vhost fuzzing

Can't log in anywhere? → Check all found usernames against default passwords → Check if passwords were found elsewhere (FTP files, SMB shares, SNMP) → Try credential stuffing across all services

All ports seem dead? → Did you run UDP scan? → Did you use -Pn flag? → Are you connected to VPN?

SMB access but nothing useful? → Check every share recursively → Try authenticating with any found credentials → Check for EternalBlue

Web app but can't find the vulnerability? → Did you check ALL response codes, including 403s? → Did you fuzz parameters? → Did you analyze JS files? → Did you check for vhosts? → Did you try SQL injection on every input field?


📋 Documentation Template

Keep a notes file as you go:

```bash
# Create notes file
cat > notes.txt << 'EOF'
Target: 
IP: 
OS: 
Open Ports: 

Web:
- Port 80: 
- Technologies: 
- Interesting directories: 
- Credentials found: 

Users found:
- 

Credentials found:
- 

Rabbit holes (dead ends):
- 

Next steps:
- 
EOF
```

🔗 Related References

This checklist assumes you already know your nmap. If you need the full flag reference, scan combinations, NSE scripts, and CTF vs professional scanning breakdown:

| Resource | What It Covers |
|---|---|
| nmap-reference | Complete nmap reference: flags, scans, NSE, parsing output |
| google-dorking | Passive recon and OSINT before you touch the target |
| exploitation-reference | Coming soon: what happens after enumeration gives you a lead 👀 |

The checklist gets you to the door. The references tell you how to pick the lock.


by SudoChef · Part of the SudoCode Pentesting Methodology Guide