@anonymous1574q said:
Greetings all, I hope this finds you well.
Hello back at you and welcome to the forums.
For example, on machine “oopsie”, ports 80 and 22 are open, and I would have started looking into SSH instead of 80 and going the way of the tutorial.
There has already been a lot of advice here, so I will turn this round and ask - why would you start with SSH rather than HTTP?
It’s not a trick question, there isn’t a right or wrong answer but (IMHO of course) it is good to understand your thought processes. @VbScrub hit the nail on the head in that, to an extent, it doesn’t matter where you start, you will eventually get to the right place.
As you progress, you’ll find boxes with dozens (if not hundreds) of open ports (Windows servers tend to be the worst for this) and 99% of them are basically useless to you as an attacker.
It is worth building a methodology so you can quickly get through the ports and avoid the rabbit holes that often crop up. Some people find it helps to keep a document (Notepad, Cherry Tree, whatever) with a list of “enumeration” steps to try on each port. As you become more experienced your list will grow and you will become faster at deciding where to focus and when to give up.
Picking on SSH vs HTTP - there is nearly never any point starting with an SSH server as your enumeration options are very limited (look for an exploit if you can find the server version or try brute forcing usernames and passwords, but without something to go on, this is going to be a largely pointless exercise).
However, if an HTTP server is listening you can try lots of things - dirbusting, nikto, cewl, manual enumeration, form injection, robots.txt checks etc. All as part of the initial assessment.
I think this is one of the reasons why the tutorial skips port 22 and focuses on port 80, and while you should keep this in mind, make sure you find your own workflow.