search

Web Exploitation Last Resorts

Use these techniques if classic techniques do not work.

hashtag
Getting usernames & passwords from webpages -

Try gathering potential username & passwords while surfing through webpages. These can prove to be potential credentials for smb or other services running on the target.

hashtag
Looking for other valid subdomains

wfuzz -u https://streamio.htb -H "Host: FUZZ.streamio.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 315

hashtag
Looking for valid query parameters

If there are multiple query parameters present in the URL, and we can't find much there, then always look for other hidden query parameters using fuzzing -

wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o" --hh 1678
#Add cookie only if it is needed in that scenario

hashtag
Getting metadata from documents -

Using exiftool -

exiftool <filename> #Run this on docx, pdf, etc.

Using binwalk -

binwalk -e <filename>

hashtag
Creating wordlist with different tools -

hashtag
Using cewl -

If website is using array of words in the webpages, then tool like cewl can be used to create a custom wordlist -

hashtag
Using date (for brute-forcing dates) -

We can use "date" tool to create wordlist containing huge range of dates -

Now, we can use basic for loop, to create a whole wordlist with these kind of dates -

Use this wordlist, to bruteforce a directory which takes filenames with these kind of dates.

hashtag
Gathering information from SSL Certificate -

Look for usernames or subdomains in the SSL certificate.

hashtag
Exploiting SSRF -

SSRF can be exploited mainly to check which other ports are open in the target. Also, if some port is not accessible right now (Forbidden), then it can be accessed thereafter.

Brute force other ports using SSRF like this (JUST AN EXAMPLE) -

NextWindows / AD Enumeration

Last updated