80, 443 (HTTP/HTTPS)
Checklist
IIS :
Try requesting file.asp as file.asp.txt: a misconfigured handler mapping may serve the source code of the file instead of executing it
Apache :
Shellshock (https://www.exploit-db.com/exploits/34900)
OpenFuck (https://github.com/exploit-inters/OpenFuck)
Apache Tomcat :
try accessing the /manager endpoint (use null/empty or tomcat/tomcat as credentials)
use LFI to read tomcat-users.xml at /etc/tomcat{7,8,9}/tomcat-users.xml
Directory Enumeration
File extensions to append (-x) by server type:
Apache : php, asp, txt, xml, bak
IIS : asp, aspx, txt, ini, tmp, bak, old
Gobuster quick directory busting
Gobuster search with file extension
Gobuster comprehensive directory busting:
gobuster dir -t 100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,csv,md,json,js,html,py,sh -k -u http://10.10.10.x
-t 100 (threads), -w (wordlist), -u (target URL)
-k (skip TLS certificate verification)
-x (comma-separated extensions appended to every word)
Dirbuster
Change wordlists (wfuzz, dirb)
Custom directory enumeration (HTB Obscurity): fuzz a single path component with wfuzz
wfuzz -c -z file,common.txt -u http://10.10.10.168:8080/FUZZ/SuperSecureServer.py
(-c coloured output, -z file,<wordlist> payload source, FUZZ marks where each word is substituted)
Parameter Fuzzing
WFUZZ filters (hide responses so only the interesting ones remain):
--hc status code(s) to ignore
--hw word count to ignore
--hh character count to ignore
--hl line count to ignore
Wordpress
WPScan
Metasploit
Username Enumeration via Bruteforce (custom script):
python wp_brute.py -t http://10.10 -u usernames.txt