// notes/ Web Exploitation
🕸️

Checklist

{% hint style="danger" %}

#web applications#adot8
source · oscp.adot8.com · web-applications/checklist

Checklist

{% hint style="danger" %} Cannot "GET" /blahblah = TRY DIFFRENT REQUEST METHODS {% endhint %}

code
01gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,config,pdf -t 100 -u
code
01ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -recursion -recursion-depth 4 -e .php,.txt,.html -u

Extensions to look for : php,aspx,txt,html,config,conf,asp,pdf,zip,tar

  • /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

{% hint style="info" %} Enumerate all sub directories {% endhint %}

code
01gobuster vhost -w ~/opt/wordlists/subdomains_small.txt -u domain.htb
code
01 wfuzz -c -f sub-fighter -w /usr/share/dnsrecon/dnsrecon/data/subdomains-top1mil-20000.txt-u $url -H "HOST: FUZZ.$domain.com" --hw 1

{% hint style="info" %} Check SSL certificate {% endhint %}

Real and per-existing web application

  1. Narrow down version
  2. Default credentials / bruteforce variations of default creds (run in the background)
  3. Search for existing exploits and CVE's

{% hint style="danger" %} Don't be afraid to get to page 4 on google {% endhint %}

Box built web application

  1. Directory bust the f*** out of it at each level (run the background)
  2. Default credentials / bruteforce variations of default creds (run in the background)
  3. Existing exploits??
  4. Fuzz all input boxes for SQLI, command injection, etc.
  5. File upload features?
  6. Directory traversal, LFI, RFI
  7. Read source code, search for hints/clues
  8. Review requests and responses in Burp

{% hint style="info" %} If the website is fairly static and boring don't be afraid to look into the assets directory and folders of the nature. Offsec likes hiding things in random places {% endhint %}

{% hint style="warning" %} REGARDING ANY AND ALL HTTP PORTS (WINDOWS RPC SPEFICALLY) VISIT ALL OF THEM USING THE IP AND FQDN... Offsec sneaky like that {% endhint %}