Pentest Workbench

SKILL.md

---
name: pentest-workbench
description: "Comprehensive offensive security workflow for bug bounty, vulnerability assessment, penetration testing, and exploitation. Use when performing security testing, analyzing vulnerable targets, conducting privilege escalation, building exploits, or running reconnaissance. Covers: TCP buffer overflows (vulnserver), web application testing (VulnerableWordpress/WPScan), honeypot analysis (Cowrie), GTFOBins/LOLBAS privesc, pwn.college fundamentals, and offensive toolchain automation. Triggers on: run a pentest, exploit this, buffer overflow, privesc, OSCP, CTF, bug bounty, vulnerability assessment, rev shell, test this target."
---

# Pentest Workbench

## Quick Start

1. **Define scope** — target, rules of engagement, goals
2. **Recon** — passive OSINT, network enumeration
3. **Identify** — find vulnerabilities, misconfigs, weak points
4. **Exploit** — leverage findings with appropriate technique
5. **Document** — record steps, evidence, impact, remediation

## Core Workflow

### Phase 1: Recon & Enumeration

- **Network OSINT**: Use `nmap`, `masscan`, `rustscan` for port discovery
- **Passive OSINT**: Subdomain enum, WHOIS, Shodan, Censys, Google dorking
- **Web recon**: Dirbuster, ffuf, Burp Suite crawler
- **For vulnerable targets**: Netcat manual command probing first

**Tools from linked repos:**
- `netstalking-osint` — automated OSINT recon workflows
- `Pentest-Tools` (40+ categories) — scanner/framework discovery, network_enum

### Phase 2: Vulnerability Analysis

- **Web**: WPScan for WordPress, sqlmap for SQLi, Burp for auth bypass
- **Network**: nmap NSE scripts, Metasploit, searchsploit
- **Binary**: IDA/Ghidra for RE, checksec for mitigations
- **Config reviews**: weak permissions, default creds, exposed secrets

### Phase 3: Exploitation

**Buffer Overflow (vulnserver pattern):**
1. Send oversized input to identify crash point
2. Control EIP with offset measurement
3. Find stable jump (JMP ESP / call esp)
4. Generate shellcode (msfvenom / custom)
5. Execute with proper alignment

**Web:**
- SQLi → sqlmap or manual union/boolean
- XSS → Beef/XSS Hunter
- RCE → reverse shell via pentest-tools

**Privesc (GTFOBins):**
```
# Check sudo/suid binaries
sudo -l
find / -perm -4000 2>/dev/null

# Shell escape from restricted editor
:!/bin/bash
```

**AD Attacks (Pentest-Tools):**
- Kerberoasting, AS-REP roasting, SMB relay
- BloodHound/Sharphound enum → Golden/DFSRM

### Phase 4: Post-Exploitation

- Cowrie honeypot: analyze attacker sessions for TTPs
- Privilege escalation: kernel exploits, sudo abuse, service misconfigs
- Persistence: scheduled tasks, services, SSH keys
- Lateral movement: PsExec, WMI, SMB, Pass-the-Hash

### Phase 5: Documentation

- Steps reproducible by another tester
- Evidence: screenshots, packet captures, log output
- Impact: CVSS score, business risk
- Remediation: specific, actionable fixes

## Key References

- **Binary exploitation**: See `references/buffer-overflow.md` (vulnserver anatomy, exploit dev)
- **Privesc**: See `references/privesc.md` (GTFOBins/LOLBAS, Linux/Windows escalation)
- **Tool inventory**: See `references/tools-inventory.md` (all linked tools catalogued)
- **pwn.college**: CTF exercises for memory corruption, ROP, kernel fundamentals

## Exploit Dev (vulnserver)

Vulnserver runs on port 9999. Vulnerable commands:

| Command | Trigger Function | Buffer Size | Overflow Offset |
|---------|-----------------|-------------|-----------------|
| TRUN | Function3 | 2000 | ~2003 (EIP at ~2007) |
| GMON | Function3 | 2000 | Similar to TRUN |
| KSTET | Function2 | 60 | ~64 |
| GTER | Function1 | 140 | ~144 |
| LTER | Function3 | 2000 | Via transformation |
| HTER | Function4 | 1000 | Hex-encoded |

**Key insight**: `essfunc.dll` EssentialFunc10-14 also use `strcpy` into small buffers (140, 60, 2000, 2000, 1000).

**Exploit strategy**:
1. Find offset with pattern_create / mona.py
2. Confirm EIP control
3. Locate or craft a ROP chain if ASLR/DEP present
4. Generate alphanumeric shellcode if bad chars restrict ASCII
5. Use egghunter if space is small

## Tool Quick Ref

| Tool | Purpose | Key Command |
|------|---------|-------------|
| nmap | Port enum | `nmap -sCV -p- -T4 target` |
| Burp Suite | Web testing | Proxy, Repeater, Intruder |
| sqlmap | SQL injection | `sqlmap -r req.txt --batch` |
| msfvenom | Shellcode gen | `msfvenom -p linux/x64/shell_tcp LHOST=x R` |
| CrackMapExec | AD attacks | `cme smb target -u user -p pass` |
| Evil-WinRM | Remote shell | `evil-winrm -i target -u user -p pass` |

## Mindset

- **Methodical > flashy** — good recon beats brute force
- **Always document as you go** — screenshot everything
- **Understand the payload** — not just "it works"
- **Think like defender** — what would stop this attack?