alg:none and key confusion attacks.
alg:none bypass, weak HS256 secrets (crackable with hashcat), and RS256→HS256 key confusion are real CVEs found in production systems. Always inspect JWTs in security reviews.
/proc/PID/cmdline sometimes contain database passwords passed as flags.
-perm -4000) is a core privilege escalation technique. Misconfigurations like writable cron scripts owned by root, or custom SETUID binaries with vulnerabilities, are found this way. GTFOBins documents how to exploit common SETUID binaries.
sudo -l is run immediately after gaining a shell. Sysadmins often give developers sudo access to specific tools without realising those tools can be abused to escape to a root shell. GTFOBins lists over 200 exploitable binaries.
.). Permissions show who can read/write/execute each file, which is critical for understanding what's accessible.
.env, .bash_history, .ssh/id_rsa, .config/) frequently contain credentials, API keys, and SSH private keys. Bash history files reveal past commands including passwords typed by the user. Always check hidden files when on a compromised system.
strings as a first-pass triage step to identify C2 server URLs, mutex names, registry keys, and capabilities without executing the sample. Hardcoded credentials in compiled binaries are a common finding in application security assessments.
gets, strcpy, system), and understand program logic. Also used in vulnerability research to analyse patches and identify the exact change that fixed a CVE.
gdb-peda or pwndbg for a better interface.
pip install pwntools.
p64() packs a 64-bit address as little-endian bytes — critical for x86-64 return address overwrites. cyclic() generates de Bruijn sequences to find exact offsets automatically.
base64, hashlib, struct (binary packing), binascii (hex), and socket (networking). For binary exploitation, pwntools is the go-to library. For rapid scripting, nothing beats a 3-line Python one-liner.
pwntools makes binary exploitation automation trivial — handling connections, payloads, and format strings.
zip2john, pdf2john, and similar tools to extract crackable hashes from files.
*2john utilities (zip2john, pdf2john, keepass2john) make John the tool of choice when cracking encrypted files rather than raw hashes. Widely used in forensic investigations to recover passwords from encrypted evidence files and in pentesting to crack /etc/shadow hashes.
25 50 44 46, ZIP=50 4B 03 04, PNG=89 50 4E 47.