
Web Application (80/443)

Set the URL variable first; the commands below reference it:

  • Normal URL

    export URL=http://<web url>

  • File fuzzing

    export URL=http://<web url>/FUZZ

  • Directory fuzzing

    export URL=http://<web url>/FUZZ/

Manual Checking

Grep a username or subdomain

# pull hostnames (e.g. subdomains of worker.htb) out of the page source
curl -s "$URL" | grep -o 'http://[^" ]*\.worker\.htb'

# list referenced JavaScript files (the regex was unquoted and expanded as a shell glob before)
curl -s "$URL" | grep -oE '[A-Za-z0-9_./-]+\.js'

Important files

robots.txt
.svn
.DS_STORE
cgi-bin/
.git

# check backend
index.php
index.html

Additional Checks

  • Check the web app's copyright notice and search for the version

  • Search version with changelog

    example: FreePBX 2.8.1.4 changelog

    you may discover juicy information about vulnerabilities fixed in the latest version

  • Check cookies

  • Check date in the pictures

  • Check backend language

  • Check metadata of the pictures

  • Check source code

Fuzzing

[Important] Run the fuzzing first without excluding the 404 status code, otherwise you will miss any third-party controls in front of the application. Excluding 404 is fine if the target is an in-house production web app.

Wordlist

big.txt --> for finding juicy files

directory-list-2.3-medium.txt --> for directories

For more thorough wordlists, use SecLists.

If SecLists is not installed on your Kali, use these commands:

sudo apt install seclists
cp -r /usr/share/seclists /usr/share/wordlists/SecLists

FUZZ Files

export URL="http://<web url>/FUZZ"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

FUZZ Directory

export URL="http://<web url>/FUZZ/"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

FUZZ Subdomain / VHOST

export URL="http://<web url>"

wfuzz

wfuzz -u "$URL" -H "Host: FUZZ.<domain>.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hh <some number>

gobuster

gobuster vhost -u <domain> -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 100

FUZZ Params

If you find a .php file that returns no output, fuzz its parameter names:

/secret/evil.php

export URL="http://$IP/secret/evil.php?FUZZ=../../../../../../../etc/passwd"
wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 "$URL"
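Seen from the server side, the wordlist runs above produce a burst of 404s from one client in a short time. The Python below is an added example, not from these notes, of the detection a defender would run over an access log; the log lines, IPs, paths and the Wfuzz/3.1.0 User-Agent are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(  # Apache/Nginx "combined" access-log format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    if not (m := LOG_RE.match(line)):
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_fuzzing_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag clients with >= threshold 404s inside any window: {ip: (peak_404s, distinct_paths)}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len({p for _, p in events}))
    return flagged

def build_sample_log():
    """Constructed sample: one client walking a wordlist, one ordinary browser."""
    base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'
    def stamp(s): return (base + timedelta(seconds=s)).strftime(TS_FMT)
    fuzz = [fmt.format(ip="10.10.14.5", ts=stamp(i), path=f"/word{i}.php", status=404, size=271, ua="Wfuzz/3.1.0")
            for i in range(25)]
    legit = [fmt.format(ip="192.168.1.20", ts=stamp(5 * i), path=p, status=s, size=5120, ua="Mozilla/5.0")
             for i, (p, s) in enumerate([("/", 200), ("/app.js", 200), ("/favicon.ico", 404)])]
    return fuzz + legit
```

Feed it real access-log lines (one per list element) and tune window and threshold to the site's normal 404 rate; the constructed run of 25 misses in 25 seconds trips the default threshold, the browser's single favicon miss does not.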

Sub domain

gobuster dns -d realcorp.htb -r 0.10.10.224 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o gobuster-dns.out


Last updated 7 months ago