Web Exploitation Last Resorts
Use these techniques when the classic ones do not work.
Getting usernames & passwords from webpages -
Try gathering potential usernames & passwords while browsing the web pages. These can turn out to be valid credentials for SMB or other services running on the target.
Looking for other valid subdomains
wfuzz -u https://streamio.htb -H "Host: FUZZ.streamio.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 315
Looking for valid query parameters
If there are several query parameters in the URL and none of them leads anywhere, always look for other, hidden query parameters by fuzzing their names -
wfuzz -u https://streamio.htb/admin/?FUZZ= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o" --hh 1678
#Add the cookie only if the page requires a session; --hh hides responses of the baseline length
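From the defender's side, both the Host-header subdomain fuzzing and the hidden-parameter fuzzing above leave a recognisable trace in access logs: one client requesting many distinct Host values, or many distinct parameter names on one path. The script below is an added example, not from the original notes; it assumes a constructed log format (client IP, Host header, request line, status) and illustrative thresholds.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (not real traffic): client, Host header, request line, status.
SAMPLE_LOG = """\
203.0.113.5 streamio.htb "GET / HTTP/1.1" 200
203.0.113.5 dev.streamio.htb "GET / HTTP/1.1" 404
203.0.113.5 mail.streamio.htb "GET / HTTP/1.1" 404
203.0.113.5 test.streamio.htb "GET / HTTP/1.1" 404
203.0.113.5 staging.streamio.htb "GET / HTTP/1.1" 404
203.0.113.5 vpn.streamio.htb "GET / HTTP/1.1" 404
198.51.100.7 streamio.htb "GET /admin/?id=1 HTTP/1.1" 200
198.51.100.7 streamio.htb "GET /admin/?debug= HTTP/1.1" 200
198.51.100.7 streamio.htb "GET /admin/?user= HTTP/1.1" 200
198.51.100.7 streamio.htb "GET /admin/?page= HTTP/1.1" 200
198.51.100.7 streamio.htb "GET /admin/?file= HTTP/1.1" 200
198.51.100.7 streamio.htb "GET /admin/?cmd= HTTP/1.1" 200
192.0.2.9 streamio.htb "GET /admin/?id=2 HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

def parse(log_text):
    """Yield (client, host, path, query_param_names) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        client, host, _method, target, _status = m.groups()
        parts = urlsplit(target)
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        yield client, host, parts.path, names

def find_enumeration(log_text, host_threshold=5, param_threshold=5):
    """Flag clients with many distinct Host values (vhost enumeration) or many
    distinct parameter names on one path (parameter fuzzing). Thresholds are illustrative."""
    hosts = defaultdict(set)
    params = defaultdict(set)
    for client, host, path, names in parse(log_text):
        hosts[client].add(host)
        params[(client, path)].update(names)
    findings = []
    for client, seen in hosts.items():
        if len(seen) >= host_threshold:
            findings.append((client, "vhost_enumeration", len(seen)))
    for (client, path), seen in params.items():
        if len(seen) >= param_threshold:
            findings.append((client, f"param_fuzzing:{path}", len(seen)))
    return sorted(findings)
```

Run it against a real log by adapting LINE_RE to the server's log_format (nginx needs $host added to the format to record the Host header).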
Getting metadata from documents -
Using exiftool -
exiftool <filename> #Run this on docx, pdf, etc.
Using binwalk -
binwalk -e <filename>
Creating wordlist with different tools -
Using cewl -
If the website uses a distinctive vocabulary across its pages, a tool like cewl can turn those words into a custom wordlist -
cewl <URL> --with-numbers > wordlist
Using date (for brute-forcing dates) -
We can use the "date" tool to create a wordlist covering a large range of dates -
date --date="680 day ago" +%Y-%m-%d-upload.pdf
#Prints the name 2021-01-09-upload.pdf (at the time of writing); no file is created
Now a basic for loop can produce a whole wordlist of such dated filenames -
for i in $(seq 690 1050); do date --date="$i day ago" +%Y-%m-%d-upload.pdf; done > files
Use this wordlist to brute-force a directory whose files are named with dates of this kind.
Gathering information from SSL Certificate -
Look for usernames or subdomains in the SSL certificate.
Exploiting SSRF -
SSRF is mainly useful for checking which other ports are open on the target. Also, if a port is not reachable directly (Forbidden), it may still be reachable through the SSRF.
Brute-force other ports through the SSRF like this (JUST AN EXAMPLE) -
wfuzz -u http://staging.love.htb/beta.php -d 'file=http://localhost:FUZZ&read=Scan+file' -z range,1-65535 --hl 211