HTTP/HTTPS (80/443)
Don't forget to check robots.txt!
Enumeration
Feroxbuster
Feroxbuster is similar to gobuster, but it uses more threads by default and recurses into every directory it finds, which gobuster does not do. You can start with a small list; if nothing useful turns up, move on to the larger "medium" list.
feroxbuster -e -x php,html,txt -u http://$IP -w /usr/share/wordlists/dirb/common.txt
feroxbuster -e -x php,html,txt -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Gobuster
However, there are times when feroxbuster breaks and starts listing every path it tries as a hit. In those cases I go back to gobuster.
gobuster dir -u http://$IP -w /usr/share/wordlists/dirb/common.txt
FFUF
Search for subdomains (virtual hosts) by fuzzing the Host header. Note the -fs option: it filters out responses of the given size, i.e. the size of the default page the server returns for unknown hosts, so only hosts that answer differently are shown.
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.195.230 -fs {size}
Fuzz for existing usernames: -mr keeps only the responses whose body matches the given string.
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.77.43/customers/signup -mr "username already exists"
Brute force valid accounts with two wordlists (ffuf's default clusterbomb mode tries every password against every user): -fc 200 filters out status 200 responses, so anything that is not a 200 is treated as a valid login.
ffuf -w valid_users.txt:W1,/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.77.43/customers/login -fc 200
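The other side of the feroxbuster, gobuster and ffuf commands above is what they look like in a web server's access log. The following is an added example (not part of these notes, and not code from any of those tools) that flags the three patterns in sample log lines: wordlist-driven path discovery (a burst of 404s from one client), Host-header fuzzing (many distinct Host values from one client) and credential guessing (a burst of POSTs to the login/signup endpoints). It assumes Apache's "combined" format with the requested Host header appended as a final quoted field (`"%{Host}i"`); the thresholds, endpoint names and log lines are constructed for the example.

```python
"""Flag directory, virtual-host and credential brute forcing in web access logs.

Assumed log format (an assumption of this example): Apache "combined" with the
requested Host header appended as a final quoted field, i.e.
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Illustrative thresholds; tune them to the site's normal traffic.
NOT_FOUND_LIMIT = 20   # 404s from one client -> wordlist-driven path discovery
VHOST_LIMIT = 10       # distinct Host headers from one client -> vhost fuzzing
AUTH_POST_LIMIT = 15   # POSTs to auth endpoints from one client -> credential guessing
AUTH_ENDPOINTS = {"/customers/login", "/customers/signup"}  # assumed app paths


@dataclass
class ClientStats:
    requests: int = 0
    not_found: int = 0
    hosts: set = field(default_factory=set)
    auth_posts: int = 0
    sample_paths: list = field(default_factory=list)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Aggregate per client IP and return {ip: [reason, ...]} for suspicious clients."""
    stats = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.requests += 1
        if rec["status"] == 404:
            s.not_found += 1
            if len(s.sample_paths) < 5:
                s.sample_paths.append(rec["path"])
        s.hosts.add(rec["host"])
        if rec["method"] == "POST" and rec["path"].split("?")[0] in AUTH_ENDPOINTS:
            s.auth_posts += 1

    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s.not_found >= NOT_FOUND_LIMIT:
            reasons.append(f"path brute force: {s.not_found} x 404 "
                           f"(e.g. {', '.join(s.sample_paths)})")
        if len(s.hosts) >= VHOST_LIMIT:
            reasons.append(f"vhost fuzzing: {len(s.hosts)} distinct Host headers")
        if s.auth_posts >= AUTH_POST_LIMIT:
            reasons.append(f"credential guessing: {s.auth_posts} POSTs to auth endpoints")
        if reasons:
            findings[ip] = reasons
    return findings


def sample_log():
    """Constructed sample lines (not real traffic) in the format assumed above."""
    def line(ip, method, path, status, size, host):
        return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
                f'{status} {size} "-" "Mozilla/5.0" "{host}"')

    lines = [line("203.0.113.9", "GET", "/index.php", 200, 2048, "10.10.195.230"),
             line("203.0.113.9", "GET", "/favicon.ico", 404, 196, "10.10.195.230")]
    # wordlist-driven path discovery: every guessed path answered 404
    lines += [line("198.51.100.7", "GET", f"/word{i}.php", 404, 196, "10.10.195.230")
              for i in range(30)]
    # Host-header fuzzing: same path, a different Host value each time
    lines += [line("198.51.100.8", "GET", "/", 200, 1337, f"sub{i}.acmeitsupport.thm")
              for i in range(12)]
    # credential guessing against the login form
    lines += [line("198.51.100.9", "POST", "/customers/login", 200, 512, "10.10.77.43")
              for _ in range(20)]
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The 404 rule is deliberately independent of the User-Agent, since the default strings the tools send are trivially changed; the vhost rule only works if the Host header is actually logged, which the stock combined format does not do.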
PHPINFO document root
An exposed phpinfo.php is an information disclosure: if you can reach it, curl gives you the document root fast.
curl http://$IP/phpinfo.php | grep 'DOCUMENT_ROOT' | html2text
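The grep | html2text pipeline above relies on html2text being installed and on the key and value landing on the same output line. As an added example (not from these notes), here is a small parser for phpinfo()'s two-column table rows that pulls out any setting by key; the phpinfo snippet is constructed to mirror the real `<td class="e">key</td><td class="v">value</td>` layout, and the `find_setting` name is this example's own.

```python
"""Pull DOCUMENT_ROOT (or any other key) out of phpinfo() HTML without html2text."""
from html.parser import HTMLParser


class PhpInfoTableParser(HTMLParser):
    """Collect (key, value) pairs from phpinfo()'s two-column <tr><td><td> rows."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._cells = []
        self._in_cell = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._cells = []
        elif tag == "td":
            self._in_cell = True
            self._buf = []

    def handle_data(self, data):
        if self._in_cell:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._in_cell:
            self._cells.append("".join(self._buf).strip())
            self._in_cell = False
        elif tag == "tr" and len(self._cells) >= 2:
            # header rows use <th>, so they never collect cells and are skipped
            self.rows.append((self._cells[0], self._cells[1]))


def phpinfo_rows(html):
    parser = PhpInfoTableParser()
    parser.feed(html)
    parser.close()
    return parser.rows


def find_setting(html, key):
    """Return every value whose row key contains `key`. DOCUMENT_ROOT shows up twice
    in a real phpinfo page: as an Apache environment variable and as $_SERVER['DOCUMENT_ROOT']."""
    return [value for k, value in phpinfo_rows(html) if key in k]


# Constructed phpinfo fragment (not captured from a real host); values are made up.
SAMPLE_PHPINFO = """<html><body>
<h2>Apache Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">DOCUMENT_ROOT </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">SERVER_SOFTWARE </td><td class="v">Apache/2.4 (constructed) </td></tr>
</table>
<h2>PHP Variables</h2>
<table>
<tr><td class="e">$_SERVER['DOCUMENT_ROOT'] </td><td class="v">/var/www/html </td></tr>
<tr><td class="e">$_SERVER['SCRIPT_FILENAME'] </td><td class="v">/var/www/html/phpinfo.php </td></tr>
</table>
</body></html>"""

if __name__ == "__main__":
    # For a live page, feed the fetched body instead, e.g.
    #   html = urllib.request.urlopen(f"http://{ip}/phpinfo.php").read().decode()
    print(find_setting(SAMPLE_PHPINFO, "DOCUMENT_ROOT"))
```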