Where to start?

Greetings all, I hope this finds you well.

*Disclaimer - this doesn't contain spoilers, as what I'm referring to is a starting point lab that the tutorial explains.
Also, if this is in the wrong spot I apologize. I will try to post to forums better going forward.

I am new to this site and cybersecurity, and I just have a question - how do you know where to start, when starting in “starting point”?

For example, on machine “oopsie”, ports 80 and 22 are open, and I would have started looking into SSH instead of 80 and going the way of the tutorial.

Does this just come with time and experience, or is it obvious to go the route of the tutorial? I appreciate and welcome all feedback, including constructive criticism.

Thank you

Hello! Welcome to the forums :slight_smile: I will caveat everything that I say by the fact that I am a newbie myself and at the time of writing haven’t even finished rooting all the Starting Point boxes.

First of all, well done for thinking about alternative routes. I have watched a bunch of YouTube videos and hacking streams, from IppSec and others, and going to port 80 if it’s open seems to be the ‘classic’ route, as:
a) A web page (80) is openly accessible. An ssh port (22) is very very rarely openly accessible and at the very least you would need a username to access it, which you do not know at the beginning.
b) Opening a web page can give us a lot of information. We can potentially get what engine is the website running on, the operating system of the server and lots more.

From my observations, it seems to be following the path of least resistance first - if there is something openly accessible somewhere, such as a web page, it’s worth checking that first, and then if that did not work - trying other vectors. So, to answer your question - it does come from the experience :slight_smile:

I would love to read the perspectives of the more experienced members, it would be very interesting to get different insights!

Like @tasidonya said, sure you could start by looking at SSH, but you’d very quickly realise you can’t log in there, so then you’d move on to port 80.

Thank you both for the explanations, I appreciate it very much. Again, I apologize if this was in the wrong forum or if it had spoilers (definitely not my intent). I respect and value your answers and they are insightful. I think I will learn what paths are of least resistance and then develop experience to know where to look first after seeing these comments. Thanks tasidonya and VbScrub

@anonymous1574q Good luck in your path! Keep at it :slight_smile:

@anonymous1574q said:

Greetings all, I hope this finds you well.

Hello back at you and welcome to the forums.

For example, on machine “oopsie”, port 80 and 22 are open, and I would have started looking into ssh instead of 80 and going the way of the tutorial.

There has already been a lot of advice here, so I will turn this round and ask - why would you start with SSH rather than HTTP?

It’s not a trick question, there isn’t a right or wrong answer but (IMHO of course) it is good to understand your thought processes. @VbScrub hit the nail on the head in that, to an extent, it doesn’t matter where you start, you will eventually get to the right place.

As you progress, you’ll find boxes with dozens (if not hundreds) of open ports (Windows servers tend to be the worst for this) and 99% of them are basically useless to you as an attacker.

It is worth building a methodology so you can quickly get through the ports and avoid the rabbit holes that often crop up. Some people find it helps to keep a document (Notepad, CherryTree, whatever) with a list of “enumeration” steps to try on each port. As you become more experienced your list will grow and you will become faster at deciding where to focus and when to give up.

Picking on SSH vs HTTP - there is nearly never any point starting with an SSH server as your enumeration options are very limited (look for an exploit if you can find the server version or try brute forcing usernames and passwords, but without something to go on, this is going to be a largely pointless exercise).

However, if an HTTP server is listening you can try lots of things - dirbusting, nikto, cewl, manual enumeration, form injection, robots.txt checks etc. All as part of the initial assessment.

I think this is one of the reasons why the tutorial skips port 22 and focuses on port 80 and while you should keep this in mind, make sure you find your own workflow.
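As an added illustration of the per-port checklist idea in the reply above (this is example code written for this thread, not anything posted by its participants), the script below takes one line of nmap grepable (-oG) output, attaches a hand-written enumeration checklist to each open service, and orders the ports by how much can be tried without any prerequisite. The scan line, the IP address and the version strings are constructed, and the checklist entries are simply the steps named earlier in the thread; the mapping from service name to steps is an assumption for the example, not nmap's own data.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: one nmap grepable-output (-oG) host line for a
# lab box with the two ports discussed in the thread. The address is a
# documentation range address and the version strings are made up.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\t"
    "Ports: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/\t"
    "Ignored State: closed (998)"
)

# Per-service checklist keyed by the service name nmap reports (assumed keys).
# Each step is (description, prerequisite-or-None). Steps with a prerequisite
# cannot be started cold, which is why SSH ranks low at the very beginning.
CHECKLIST = {
    "http": [
        ("browse the site manually, note the engine/framework and server OS", None),
        ("check robots.txt", None),
        ("directory brute force (dirbusting)", None),
        ("run nikto", None),
        ("build a wordlist from site content with cewl", None),
        ("test input forms for injection", None),
    ],
    "ssh": [
        ("look up the banner version for known issues", "version string"),
        ("try credentials", "a username and password found elsewhere"),
    ],
}


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str
    ready: list = field(default_factory=list)    # steps possible right now
    blocked: list = field(default_factory=list)  # steps needing something first


def parse_grepable(line):
    """Return an OpenPort for every open port in one -oG host line.

    Grepable entries look like port/state/proto/owner/service/rpcinfo/version/
    and are separated by ', '. Closed or filtered ports are skipped.
    """
    m = re.search(r"Ports: (.*?)(?:\t|$)", line)
    if not m:
        return []
    ports = []
    for entry in m.group(1).split(", "):
        fields = entry.split("/")
        if len(fields) < 7 or fields[1] != "open":
            continue
        port, _state, proto, _owner, service, _rpc, version = fields[:7]
        ports.append(OpenPort(int(port), proto, service, version))
    return ports


def plan(line, checklist=CHECKLIST):
    """Attach checklist steps to each open port and sort by least resistance:
    the port with the most steps that need no prerequisite comes first,
    ties broken by port number."""
    ports = parse_grepable(line)
    for p in ports:
        for desc, prereq in checklist.get(p.service, []):
            # A 'version string' prerequisite is satisfied once nmap reports one.
            if prereq is None or (prereq == "version string" and p.version):
                p.ready.append(desc)
            else:
                p.blocked.append(f"{desc} (needs {prereq})")
    return sorted(ports, key=lambda p: (-len(p.ready), p.port))


def format_plan(ports):
    """Render the ordered plan as a simple checklist: [ ] ready, [-] blocked."""
    lines = []
    for p in ports:
        lines.append(f"{p.port}/{p.proto} {p.service} {p.version}".rstrip())
        lines.extend(f"  [ ] {s}" for s in p.ready)
        lines.extend(f"  [-] {s}" for s in p.blocked)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_plan(plan(SAMPLE_SCAN)))
```

Running it against the constructed line lists 80/tcp first with six steps that can start immediately, and 22/tcp after it with one step ready (the version lookup) and one blocked on credentials. The point of the ranking is the one made in the thread: a checklist kept in a notes file does the same job, and the real value is in growing the per-service entries as you learn which steps pay off and which are rabbit holes.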