Devon Argent

Day 26: The Pentester's Playbook — Strategy, Keys, and Smart Pivoting 🕵️‍♂️

🎯 The "Path of Least Resistance" Workflow

When you compromise a "Jump Box" (a server that sits on both the network you came from and the internal LAN), you face several possible next steps. Here is how I learned to prioritize them:

1. The "Golden Ticket": SSH Private Keys

If you find a private key (id_rsa, id_ed25519 or id_ecdsa) in a user's .ssh directory, this is your Priority #1.

  • The Logic: It allows an instant, passwordless connection to every internal server whose authorized_keys trusts that key, with nothing to crack or guess.
  • The Rule: Always check the directory name to identify the user (e.g., /home/admin/.ssh belongs to the admin user), and read the neighbouring known_hosts and config files: they list the hosts that user actually connects to, which is your first target list.
  • The Caveat: ssh refuses a key file that is readable by group or other, so chmod 600 any copy you make. A legacy PEM key with Proc-Type: 4,ENCRYPTED in its header, or an OpenSSH-format key that prompts for a passphrase, is useless until that passphrase is recovered.
  • Command: ssh -i id_rsa admin@internal-target-ip
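The script below is an added example and not part of the original post. It triages every private key under a home directory the way this section describes (owner taken from the directory name, passphrase marker, a file mode ssh will accept) and pulls candidate next hops from the same user's known_hosts and config. The directory tree, key files and addresses it creates are constructed sample data, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Triage harvested .ssh directories:
# who owns each private key, whether it needs a passphrase, whether ssh will
# accept its file mode, and which hosts that user is known to connect to.
# All paths, keys and addresses below are constructed sample data.

# Print one line per private key: "user path passphrase-status mode-status".
triage_keys() {
  home_root="$1"
  for key in "$home_root"/*/.ssh/id_*; do
    [ -f "$key" ] || continue
    case "$key" in *.pub) continue ;; esac
    # The owner is inferred from the home directory name, as the post advises.
    user=$(basename "$(dirname "$(dirname "$key")")")
    # Legacy PEM keys flag a passphrase in their header; OpenSSH-format keys do
    # not, so test those with: ssh-keygen -y -P '' -f "$key" (fails if encrypted).
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
      enc=encrypted
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
      enc=check-with-ssh-keygen
    else
      enc=plain
    fi
    # ssh refuses a key readable by group or other; chmod 600 a copy before use.
    perms=$(ls -l "$key" | cut -c5-10)
    if [ "$perms" = "------" ]; then mode=ok; else mode=too-open; fi
    printf '%s %s %s %s\n' "$user" "$key" "$enc" "$mode"
  done
}

# Candidate next hops for one user: clear-text known_hosts entries plus HostName
# lines from ssh config. Hashed known_hosts entries (|1|...) reveal nothing.
candidate_hosts() {
  ssh_dir="$1"
  {
    if [ -f "$ssh_dir/known_hosts" ]; then
      grep -v '^|1|' "$ssh_dir/known_hosts" | grep -v '^#' | cut -d' ' -f1 |
        tr ',' '\n' | sed 's/^\[\(.*\)\]:[0-9]*$/\1/'
    fi
    if [ -f "$ssh_dir/config" ]; then
      awk 'tolower($1) == "hostname" { print $2 }' "$ssh_dir/config"
    fi
  } | sort -u
}

# Build a constructed home tree so the script runs offline. Nothing here is a
# real key or a real host.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/admin/.ssh" "$root/deploy/.ssh"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'SAMPLE' \
    '-----END OPENSSH PRIVATE KEY-----' > "$root/admin/.ssh/id_ed25519"
  chmod 600 "$root/admin/.ssh/id_ed25519"
  printf '%s\n' 'ssh-ed25519 AAAA... admin@jumpbox' > "$root/admin/.ssh/id_ed25519.pub"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00' '' 'SAMPLE' '-----END RSA PRIVATE KEY-----' \
    > "$root/deploy/.ssh/id_rsa"
  chmod 644 "$root/deploy/.ssh/id_rsa"
  printf '%s\n' '10.10.20.5 ssh-ed25519 AAAAC3Nz...' \
    '[10.10.20.9]:2222,db01 ssh-rsa AAAAB3Nz...' \
    '|1|abc=|def= ssh-rsa AAAA...' > "$root/admin/.ssh/known_hosts"
  printf '%s\n' 'Host db' '  HostName 10.10.20.7' '  User admin' > "$root/admin/.ssh/config"
  echo "$root"
}

# Stand-alone run against the sample tree.
root=$(make_sample)
echo "== private keys =="; triage_keys "$root"
echo "== next hops for admin =="; candidate_hosts "$root/admin/.ssh"
rm -rf "$root"
```

On a real jump box you would point triage_keys at /home (and /root) and run candidate_hosts on the .ssh directory of whichever user owns the usable key; hosts that appear in both known_hosts and the ssh config are the ones that user reaches routinely.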

2. Credential Logic: Stop Mixing Your Assets

One of the most common mistakes is trying to use database credentials for SSH logins. Keep the two pools separate and try each where it belongs first:

  • Database Credentials: Found in application config files such as config.php or settings.py. Use them with mysql or psql to dump sensitive data.
  • System Credentials: Found in shell history (.bash_history), in /etc/shadow (password hashes, which still have to be cracked before they are usable) or in deployment scripts. Use them for ssh, sudo, or su.

Password reuse does happen, so a database password is worth one try against ssh later, but as a follow-up check rather than the plan.

🛠️ Strategic Pivoting: When to Use What?

I refined my use of SSH tunneling based on the specific mission:

Dynamic Forwarding (-D)
  • Command: ssh -N -D 1080 user@pivot
  • Best Use Case: Broad Search. A SOCKS proxy on local port 1080 lets you scan the entire internal subnet with proxychains nmap. proxychains only carries TCP connect()s, so run nmap -sT -Pn through it: SYN scans and ICMP host discovery never reach the target.

Local Forwarding (-L)
  • Command: ssh -N -L 3306:internal-db:3306 user@pivot
  • Best Use Case: Surgical Strike. Connecting a local DB GUI (like DBeaver) or the mysql client, pointed at 127.0.0.1:3306, to one specific internal database. The same flag is how you reach a service the pivot binds only to its own loopback interface (-L 3306:127.0.0.1:3306).

-N keeps the tunnel open without starting a remote shell; drop it if you want the session as well.

🕵️‍♂️ The Internal "Radar"

Before jumping into complex tunnels, I used "Living off the Land" techniques to spot targets:

  1. ip a: Discover additional interfaces and the private ranges behind them (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). A second interface usually means a second network worth scanning.
  2. netstat -tulnp (or ss -tulnp on hosts without net-tools): Identify which ports are listening on the target. Anything bound to 127.0.0.1 is invisible to a network scan and is a candidate for an -L forward.
  3. arp -a (or ip neigh): See a list of other active hosts the compromised machine has recently talked to, without sending a single packet of your own.
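As an added example that is not part of the original post, the script below turns the output of those three commands into a target list: the subnets to sweep (network address computed for any prefix length, not just /24), the services only reachable through the pivot, and the neighbours already in its ARP cache. The command output it parses is constructed sample data; on a real host you would pipe the live commands in instead.

```shell
#!/bin/sh
# Added example, not from the original post. Turns the output of the three
# "radar" commands into a target list: subnets to sweep, services reachable
# only through the pivot, and neighbours already known to it. The command
# output below is constructed sample data; on a real box pipe the live commands in.

# Network address per non-loopback interface, e.g. "10.10.10.0/24 eth0".
# Reads `ip a` output on stdin. The mask arithmetic works for any prefix length.
subnets_from_ip_a() {
  awk '
    /^ *inet / && $0 !~ /scope host/ {
      split($2, cidr, "/"); split(cidr[1], o, ".")
      ip    = o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
      block = 2 ^ (32 - cidr[2])          # addresses covered by the prefix
      net   = ip - (ip % block)           # clear the host bits
      printf "%d.%d.%d.%d/%s %s\n", int(net / 16777216) % 256, int(net / 65536) % 256,
             int(net / 256) % 256, net % 256, cidr[2], $NF
    }'
}

# TCP listeners bound to 127.0.0.1: invisible to a network scan from anywhere
# else, so they are `ssh -L` targets, not nmap targets. Reads `netstat -tulnp`.
loopback_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^127\./ {
         n = split($4, a, ":"); split($7, p, "/")
         print a[n], p[2]
       }'
}

# Live neighbours from the ARP cache, skipping unresolved entries.
# Reads Linux-style `arp -a` output; prints "ip interface".
arp_hosts() {
  awk '/<incomplete>/ { next }
       { gsub(/[()]/, "", $2); print $2, $NF }'
}

# Constructed sample output (not captured from a real host).
sample_ip_a() {
  cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.10.10.4/24 brd 10.10.10.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 172.16.5.2/24 brd 172.16.5.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.37.14/20 brd 192.168.47.255 scope global eth2
EOF
}

sample_netstat() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1021/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1333/redis-server
tcp        0      0 10.10.10.4:8080         0.0.0.0:*               LISTEN      1500/java
tcp6       0      0 :::80                   :::*                    LISTEN      900/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
EOF
}

sample_arp() {
  cat <<'EOF'
? (10.10.10.1) at 00:50:56:c0:00:08 [ether] on eth0
gateway (172.16.5.1) at 00:0c:29:aa:bb:cc [ether] on eth1
? (10.10.10.7) at <incomplete> on eth0
fileserver (10.10.10.20) at 00:0c:29:11:22:33 [ether] on eth0
EOF
}

# Stand-alone run: the plan built from the sample output.
echo "== subnets to sweep through the SOCKS pivot =="; sample_ip_a | subnets_from_ip_a
echo "== loopback-only services (reach with ssh -L) =="; sample_netstat | loopback_listeners
echo "== neighbours already in the ARP cache =="; sample_arp | arp_hosts
```

The loopback list is the part people skip: a MySQL or Redis instance bound to 127.0.0.1 on the pivot never shows up in a proxychains nmap sweep of the subnet, yet it is one -L forward away.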

Follow my journey: #1HourADayJourney
