Web Application (80/443)

set the variable

Manual Checking

curl $URL -s -q |grep -o http://.*.worker.htb

curl $URL -s -q | grep -o */*.js

robots.txt
.svn
.DS_STORE
cgi-bin/
.git

# check backend
index.php
index.html

Check the copy right web apps and search the version
Search version with changelog
example: FreePBX 2.8.1.4 changelog
maybe you will discover a juicy info about the last version's vulnerability
Check cookies
Check date in the pictures
Check backend language
Check metadata of the pictures
Check source code

big.txt --> for getting a juicy file

directory-list-2.3-medium.txt --> for directory

Next level wordlist using SecLists.

If your Kali haven't installed SecLists, use this command:

sudo apt install seclists
cp -r /usr/share/seclists /usr/share/wordlists/SecLists

export URL="http://<web url>/FUZZ"

wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-files.txt --hc 404 "$URL"

export URL="http://<web url>/FUZZ/"

wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt --hc 404 "$URL"

export URL="http://<web url>

wfuzz

wfuzz -u $URL -H "Host: FUZZ.<domain>.htb" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hh <some number>

gobuster

gobuster vhost -u <domain> -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 100

If you have a .php file but no output try this:

/secret/evil.php

export URL="http://$IP/secret/evil.php?FUZZ=../../../../../../../etc/passwd"

wfuzz -c -z file,/usr/share/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 "$URL"

gobuster dns -d realcorp.htb -r 0.10.10.224 -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -o gobuster-dns.out

Last updated 6 months ago