1. If there is phpMyAdmin on the box, check for webdav. There's a good chance if it's a Windows box, that it's running XAMPP, and the webdav creds haven't been changed from wampp/xampp.
2. MS11-080 doesn't work on everything. Heh.
3. Ditto #2 for MS08-067.
4. Always pick the low hanging fruit first, don't wait, because you may run out of time.
5. Screenshot EVERYTHING.
6. Learn how to make the Linux Terminal log EVERYTHING. It's the best way to keep track of how you did that thing you did.
7. Precompile as many exploits as you can.
8. Learn how Python works with PyWin and PyInstaller so that your exploits fire off right.
9. Once you're inside the box, look for other avenues to do privesc besides kernel exploitation. Kernel exploitation won't always work, even on Windows.
10. Check the patch level on every box you can.
11. If you can, build out servers as much of an exact replica as you can.
12. Learn how to privesc when you have EXTREMELY reduced privileges. (LMGTFY: "Bypassing Group Policy Restrictions")
13. Learn how to reboot a server when you can't reboot a server.
14. Always check the services running on a box.
15. mingw32 doesn't have ALL needed Windows libraries.
16. Learn how to use msfvenom properly. Ugh. (-t != -f ...so much wasted time)
17. Write your report as you go.
18. Add to that document all the PrivEsc exploits you can find...then see #7.
19. Prepare yourself that you may not be prepared for what's coming.
20. See #19.
21. Set up a Windows dev environment. Learn how to use it to fix/compile code quickly.
22. Probably still better to run Kali in a VM unless you just absolutely need the computing power to crack passwords. If you do need that, set up a separate cracking machine.
23. Learn how to code in Python better.
24. Learn how to fix broken exploits faster.
25. nmap -sS -iL
26. After 25, nmap -A the ports and IPs you found.
27. Run nikto and dirb on all webservers...you can't hurt the servers on the test...this may not apply to real-world scenarios.
28. VNCInject payloads can be your friend, just remember, they are INCREDIBLY SLOW.
29. Nmap's scripting engine is there for a reason. Use it.
30. Take your time, take breaks, take a powernap. 4 Rockstars in a row are not good for your body.
31. Metasploit doesn't always work on things you think it will. Especially if the version number isn't mentioned in the sploit.
32. BACKUP EVERYTHING. If there's not a log or a screenshot of it, it didn't happen.
33. Read everything you can get your hands on. If you're going to be good at this, you need to be as good as you can be.
**UPDATE** -- After doing some research, I realized that one of my exploits probably would have worked, if I hadn't already screwed up the machine with other failed exploits...sooooooooooooooo...
34. (This applies to the exam and labs only, not real life...) ALWAYS REVERT THE MACHINE AFTER A FAILED EXPLOIT.