Checklist
{% hint style="danger" %}
Checklist
{% hint style="danger" %} Cannot "GET" /blahblah = TRY DIFFRENT REQUEST METHODS {% endhint %}
01gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,config,pdf -t 100 -u01ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -recursion -recursion-depth 4 -e .php,.txt,.html -uExtensions to look for : php,aspx,txt,html,config,conf,asp,pdf,zip,tar
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
{% hint style="info" %} Enumerate all sub directories {% endhint %}
01gobuster vhost -w ~/opt/wordlists/subdomains_small.txt -u domain.htb01 wfuzz -c -f sub-fighter -w /usr/share/dnsrecon/dnsrecon/data/subdomains-top1mil-20000.txt-u $url -H "HOST: FUZZ.$domain.com" --hw 1{% hint style="info" %} Check SSL certificate {% endhint %}
Real and per-existing web application
- Narrow down version
- Default credentials / bruteforce variations of default creds (run in the background)
- Search for existing exploits and CVE's
{% hint style="danger" %} Don't be afraid to get to page 4 on google {% endhint %}
Box built web application
- Directory bust the f*** out of it at each level (run the background)
- Default credentials / bruteforce variations of default creds (run in the background)
- Existing exploits??
- Fuzz all input boxes for SQLI, command injection, etc.
- File upload features?
- Directory traversal, LFI, RFI
- Read source code, search for hints/clues
- Review requests and responses in Burp
{% hint style="info" %}
If the website is fairly static and boring don't be afraid to look into the assets directory and folders of the nature. Offsec likes hiding things in random places
{% endhint %}
{% hint style="warning" %} REGARDING ANY AND ALL HTTP PORTS (WINDOWS RPC SPEFICALLY) VISIT ALL OF THEM USING THE IP AND FQDN... Offsec sneaky like that {% endhint %}