Today we will be looking at how to enumerate an HTTP server. The goal is to find hidden directories and map out the site. Sometimes there are juicy URLs that you can visit to find sensitive information. First let's run a quick Nmap scan against our target. I will use the -T4 option to scan faster and -p- to scan all the ports. Later on we can run a more targeted service discovery scan to determine the various services running on those ports.
nmap -p- -T4 --reason 10.10.190.136
Gobuster is used for directory busting. You give it a wordlist and it sends a GET request for each entry; if the server responds successfully, the URL you requested is a valid directory or file. Then you can visit it in your web browser and possibly find hidden files.
Gobuster takes a few arguments, we will use the dir mode for directory busting,
-w is for the word list you want to use. The word lists are built into Kali at /usr/share/wordlists/
-u for the URL we want to attack, in this case you use the IP address for the TryHackMe machine http://10.10.22.207
-x is for the extensions you want to append to each word you try. Which extensions are worth trying depends on the server. In this case I know it is an Apache web server from the Nmap scan and by looking at Wappalyzer.
gobuster dir -u http://10.10.22.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-bit.txt -x php,txt,xml,html
Another tool we can try is wfuzz. This tool lets you choose which part of the URL to fuzz by placing the keyword FUZZ there. If you are looking for juicy admin files you may want to fuzz TARGET.COM/Users/Admin/FUZZ/creds.txt. Since we know the juicy file is called creds.txt, we can simply fuzz the Admin directory for the correct name.
Looking at the questions, we need to form the command without actually running wfuzz against the site.
NOTE: shibes.xyz has not authorized anyone to perform fuzzing against them. BE SURE NOT TO RUN THE COMMAND
We can see the format is ***** ** ** ****,***.*** ****://******.***/***.************** . From here we can start forming the command. We know that the first part will be wfuzz. Next we need to pass it some parameters. Looking at the example given, let's use -c for color and -z for the payload, giving it the file option and then the file you want to use. We will use big.txt. Then we need the URL, http://shibes.xyz/. Next we know that api.php is going to be the page taking parameters; PHP parameters need a question mark, then the parameter name (breed), and finally the value you want to query. Since we are going to fuzz it, just put FUZZ there so wfuzz knows where to substitute its payloads.
The final command is below and the answer to our first question.
wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
Now back to our target, we found /api from our Gobuster command so let’s see what’s in there.
Great, now we can try to run queries against site-log.php (the answer to the second question). Notice the information disclosure of the type of web server and the operating system it is running on. The challenge says the API takes an argument of the form YYYYMMDD, so we can assume it will be all numbers. We can either go looking for a wordlist like this or use a tool called Crunch to generate the wordlist for us.
Here is a link to the quick reference page (https://tools.kali.org/password-attacks/crunch).
Crunch takes a minimum word length and a maximum length, and then you feed it the characters that are acceptable. Note that you will need some storage space to use this tool. This one shouldn't take up much storage, but once I tried to generate one for a giant UUID, and it would have taken multiple terabytes to store.
crunch 8 8 0123456789 > 8Char-Number-Only-wordlist.txt
This shows us it will take 858 MB to store, so be sure to have enough space on your OS for this. In under 1 minute we now have a wordlist ready to use for this specific task!
Finally let's try to fuzz the parameter and find the correct log. We know the parameter we are going to FUZZ is date, so you give it site-log.php?date=FUZZ
wfuzz -c --hw 0 -z file,8Char-Number-Only-wordlist.txt http://10.10.30.7/api/site-log.php?date=FUZZ
-c colors
--hw 0 to hide responses with zero words
-z file,wordlist for my wordlist file
and finally the URL with the php page with the parameter we want to fuzz.
I had a lot of issues with timeouts occurring. I went ahead and changed the timeout within the wfuzz.ini file. I also changed my concurrent connections and retries.
nano ~/.wfuzz/wfuzz.ini
Eventually you will see a 200 response for the payload 20201125.
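As an added defensive counterpart (example code written for this post, not part of the original writeup or of wfuzz), the Python script below shows what the parameter fuzzing run above looks like from the server side: it parses Apache access-log lines and flags a client that cycles many distinct values through one query parameter while almost every reply comes back empty or as an error. The log lines, IPs and sizes are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status, bytes, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Split one access-log line into client IP, path, query params, status and body size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {"ip": m.group("ip"), "path": url.path, "params": parse_qs(url.query),
            "status": int(m.group("status")), "size": size}

def find_param_fuzzing(lines, min_values=5, max_hit_ratio=0.2):
    """Return {(ip, path, param): stats} for clients that pushed many distinct values
    through one query parameter while nearly every reply was empty or an error."""
    seen = defaultdict(lambda: {"values": set(), "requests": 0, "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            st = seen[(rec["ip"], rec["path"], name)]
            st["requests"] += 1
            st["values"].update(values)
            if rec["status"] == 200 and rec["size"] > 0:  # a non-empty 200 is a real hit
                st["hits"] += 1
    flagged = {}
    for key, st in seen.items():
        if len(st["values"]) >= min_values and st["hits"] / st["requests"] <= max_hit_ratio:
            flagged[key] = {"distinct_values": len(st["values"]),
                            "requests": st["requests"], "hits": st["hits"]}
    return flagged

# Constructed sample log: one client walks the date parameter (empty 200s until one hit),
# a second client makes one normal request, and a third request carries no parameters.
SAMPLE_LOG = [
    '10.10.14.5 - - [25/Nov/2020:10:00:01 +0000] "GET /api/site-log.php?date=20201120 HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"',
    '10.10.14.5 - - [25/Nov/2020:10:00:01 +0000] "GET /api/site-log.php?date=20201121 HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"',
    '10.10.14.5 - - [25/Nov/2020:10:00:01 +0000] "GET /api/site-log.php?date=20201122 HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"',
    '10.10.14.5 - - [25/Nov/2020:10:00:02 +0000] "GET /api/site-log.php?date=20201123 HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"',
    '10.10.14.5 - - [25/Nov/2020:10:00:02 +0000] "GET /api/site-log.php?date=20201124 HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"',
    '10.10.14.5 - - [25/Nov/2020:10:00:02 +0000] "GET /api/site-log.php?date=20201125 HTTP/1.1" 200 612 "-" "Wfuzz/3.1.0"',
    '10.10.14.9 - - [25/Nov/2020:10:05:00 +0000] "GET /api/site-log.php?date=20201125 HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [25/Nov/2020:10:05:03 +0000] "GET /api/ HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]
```

Running find_param_fuzzing(SAMPLE_LOG) flags only the first client; the same zero-byte replies that --hw 0 hides on the attacker's side are what make the pattern stand out in the log.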
This was an introduction to generating a quick word list and how to fuzz a target! See you on the next day!