Spoilers ahead
If you are working on Proving Grounds boxes, beware! The list below may contain spoilers for some boxes.
While I was preparing for the OSCP, I practised on Offensive Security Proving Grounds boxes. Here is a list of things that caused me to fail OSPG boxes (meaning that I had to get hints or full writeups). Note that I might occasionally add things to this list that have nothing to do with OSPG.
- not trying more credentials, e.g. for Sonatype Nexus Repository Manager, only trying sonatype:sonatype or admin:admin or admin:admin123 but not nexus:nexus
- not enumerating enough of the website (EVERY place, EVERY navbar item, EVERY user-created source file, EVERY version info, EVERY exploit you can find of the server software)
- not scanning ALL ports, DON’T FORGET ABOUT UDP PORTS
- not waiting for the dirsearch / gobuster scan to finish / not using a more concise wordlist (should have run common.txt first instead of directory-medium)
- not checking CVEs / EDB for local PE (e.g. exiftool had a CVE for arbitrary code execution)
- Nmap didn’t find a port (took too long to scan ports) but rustscan did
- not researching about service-specific common vulnerabilities (e.g. VoIP — SIP — SIP digest leak)
- not reading the HTML source of the index.html, which had a commented endpoint
- not reading the source code (if available/readable) of the web server (especially custom ones)
- for SMB: not running smb-vuln* scripts against BOTH 139 and 445
- not reading about every service, even though it might look insignificant (e.g. erlang port mapper service used for rabbitmq)
- not ping-testing in RCE exploits, thinking that the exploit doesn’t work when it actually could have (e.g. use double quotes instead of singles in command); always test RCE connectivity with ping
- not running pspy
- not checking /opt and other exotic directories
- don’t ignore white text in linpeas output
- not checking the HTTP response Server header
- using big wordlists before using simple wordlists (ESPECIALLY simple cewl wordlists without rsmangler)