Checklist
Cannot "GET" /blahblah = TRY DIFFERENT REQUEST METHODS
Extensions to look for: php, aspx, txt, html, config, conf, asp, pdf, zip, tar
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Enumerate all sub directories
Check SSL certificate
Real and pre-existing web application
Narrow down version
Default credentials / bruteforce variations of default creds (run in the background)
Search for existing exploits and CVEs
Don't be afraid to get to page 4 on Google
Box built web application
Directory bust the f*** out of it at each level (run in the background)
Default credentials / bruteforce variations of default creds (run in the background)
Existing exploits??
Fuzz all input boxes for SQLI, command injection, etc.
File upload features?
Directory traversal, LFI, RFI
Read source code, search for hints/clues
Review requests and responses in Burp
If the website is fairly static and boring, don't be afraid to look into the assets directory and folders of that nature. Offsec likes hiding things in random places
REGARDING ANY AND ALL HTTP PORTS (WINDOWS RPC SPECIFICALLY) VISIT ALL OF THEM USING THE IP AND FQDN... Offsec sneaky like that