Checklist

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,config,pdf -t 100 -u
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -recursion -recursion-depth 4 -e .php,.txt,.html -u

Extensions to look for: php, aspx, txt, html, config, conf, asp, pdf, zip, tar

  • /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


Enumerate all subdomains / virtual hosts

gobuster vhost -w ~/opt/wordlists/subdomains_small.txt -u domain.htb
wfuzz -c -f sub-fighter -w /usr/share/dnsrecon/dnsrecon/data/subdomains-top1mil-20000.txt -u $url -H "HOST: FUZZ.$domain.com" --hw 1
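From the defender's side, the gobuster/ffuf/wfuzz runs above leave a very recognisable trace in the web server's access log: one source address producing a burst of 404s against wordlist-style paths, or sending many different Host headers in a short time. The following script is an added example (not part of the original checklist) that parses combined-format access-log lines and flags sources showing either pattern. The log lines, IPs, hostnames and thresholds in it are constructed for the demonstration; it assumes the server appends the Host header as a final quoted field (nginx `$host` / Apache `%{Host}i`) and falls back gracefully when that field is absent.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format, optionally followed by one more quoted field holding the
# request's Host header (assumed log_format; adjust the regex for your server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<host>[^"]*)")?'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def max_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bruteforcers(lines, window=timedelta(seconds=60), min_404=20, min_hosts=5):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    per_ip = defaultdict(lambda: {"misses": [], "hosts": set(), "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["agents"].add(rec["ua"])
        if rec["host"]:
            s["hosts"].add(rec["host"])
        if rec["status"] == 404:
            s["misses"].append(rec["ts"])
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        burst = max_in_window(s["misses"], window)
        if burst >= min_404:  # primary signal: wordlist paths that do not exist
            reasons.append(f"{burst} 404s within {window.seconds}s (directory brute force)")
        if len(s["hosts"]) >= min_hosts:  # many guessed vhosts from one client
            reasons.append(f"{len(s['hosts'])} distinct Host headers (vhost fuzzing)")
        tools = {ua for ua in s["agents"] if re.search(r"gobuster|ffuf|wfuzz|dirbuster", ua, re.I)}
        if tools:  # weak signal: default tool user-agents are trivially changed
            reasons.append("scanner user-agent: " + ", ".join(sorted(tools)))
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed sample: one ordinary visitor plus one host running a directory
    and vhost brute force. IPs, hostnames and timestamps are made up."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}" "{host}"'

    def line(ip, offset, path, status, ua, host):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, path=path, status=status, ua=ua, host=host)

    lines = [line("10.0.0.5", i * 15, p, 200, "Mozilla/5.0", "app.example.test")
             for i, p in enumerate(["/", "/about", "/contact", "/assets/app.js"])]
    # 30 wordlist-style paths, one every two seconds, almost all missing.
    for i in range(30):
        lines.append(line("192.168.56.20", i * 2, f"/wordlist-entry-{i}",
                          404 if i % 10 else 200, "gobuster/3.6", "app.example.test"))
    # The same client then tries eight guessed virtual hosts.
    for i in range(8):
        lines.append(line("192.168.56.20", 70 + i, "/", 404, "Mozilla/5.0",
                          f"guess{i}.example.test"))
    return lines

if __name__ == "__main__":
    for ip, reasons in find_bruteforcers(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The 404 burst is the signal worth alerting on; the user-agent match is only corroboration, since every tool on this page lets the operator set an arbitrary agent string. Tune `min_404` and `window` against a baseline of your own traffic, and remember that a recursive ffuf run (`-recursion`) spreads its misses across many directory levels, so aggregate per source address rather than per path.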

Check the SSL certificate

Real, pre-existing web application

  1. Narrow down version

  2. Default credentials / bruteforce variations of default creds (run in the background)

  3. Search for existing exploits and CVEs


Box built web application

  1. Directory bust the f*** out of it at each level (run in the background)

  2. Default credentials / bruteforce variations of default creds (run in the background)

  3. Existing exploits??

  4. Fuzz all input boxes for SQLi, command injection, etc.

  5. File upload features?

  6. Directory traversal, LFI, RFI

  7. Read source code, search for hints/clues

  8. Review requests and responses in Burp


If the website is fairly static and boring, don't be afraid to look into the assets directory and folders of that nature. OffSec likes hiding things in random places.
