Web Enumeration Room at TryHackMe— Learn the methodology of enumerating websites by using tools such as Gobuster, Nikto and WPScan.
Task 1: Introduction — Gives you a brief introduction to the lab and getting connected
Task 2: Manual Enumeration — Discusses basics of inspecting the content of the website
Task 3: Introduction to Gobuster
Task 4: 1.1 Gobuster Modes — begins to cover the different modes and uses of gobuster
Pay attention to the examples … You will need them later
Task 5: 1.2 Useful Wordlists — shows you where the default wordlists on kali are and where to find/install new ones.
Task 6: 1.3 Practical: Gobuster (Deploy #1)
Deploy the machine and follow the instructions to modify your hosts file.
Q: Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available?
gobuster dir -u http://webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Q: Run a directory scan on the host. In the "C******" directory, what file extensions exist?
gobuster dir -u http://webenum.thm/Changes/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,conf,js,thm -t50
Q: There’s a flag out there that can be found by directory scanning! Find it!
gobuster dir -u http://webenum.thm/VIDEO/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
Q: There are some virtual hosts running on this server. What are they?
gobuster vhost -u http://webenum.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t50
Q: There’s another flag to be found in one of the virtual hosts! Find it!
for vhost in products learning; do gobuster dir -u http://${vhost}.webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt -t50 ; done
Now we can pull the flag down with curl… Though because of the vhost entry we hand to specify the — resolve flag with curl.
curl --resolve 'products.webenum.htm:80:10.10.xx.xx' http://products.webenum.thm/redacted.xxx
Task 7 : 2. Introduction to WPScan
This task goes over the installation, updating and basic usage of WPScan
Task 8 : 2.1 WPScan Modes
Q: What would be the full URL for the theme “twentynineteen” installed on the WordPress site: “http://cmnatics.playground"
A: This is covered in the discussion of enumerating for installed themes and is theoretical as you have not deployed a machine for this portion yet.
Q: What argument would we provide to enumerate a WordPress site?
A: enumerate
Q: What is the name of the other aggressiveness profile that we can use in our WPScan command?
A: passive — This is found by running wpscan — help
or in the discussion of 2.1 WPScan modes.
Task 9: 2.2. Practical: WPScan (Deploy #2)
Deploy the new machine. You may have to terminate your previous Gobuster machine and then start the WPScan Machine. Once the machine has stated up follow the instructions to update your /etc/hosts
file with the proper entries for the lab.
Q: Enumerate the site, what is the name of the theme that is detected as running?
A: This can be found by looking at the source of the page and grep for theme.
twentynineteen
wget -O- http://cmnatics.playground | grep theme
Q: WPScan says that this theme is out of date, what does it suggest is the number of the latest version?
A: I couldn’t get WPScan to detect the theme; but since I manually found that it was twentynineteen I checked online for the correct version and found it is 2.0.
Q: Enumerate the site, what is the name of the plugin that WPScan has found?
A:
wpscan — url http://cmnatics.playground -e ap
Q: Enumerate the site, what username can WPScan find?
wpscan — url http://cmnatics.playground -e u
Q: Construct a WPScan command to brute-force the site with this username, using the rockyou wordlist as the password list. What is the password to this user?
A: Here we can just add the --passwords and give it the path to rockyou.txt and see what we find.
wpscan — url http://cmnatics.playground --passwords /usr/share/wordlists/rockyou.txt
Task 10: 3. Introduction to Nikto
Gives a little history and a quick introduction to Nikto
Task 11 : 3.1. Nikto Modes
Q: What argument would we use if we wanted to scan port 80 and 8080 on a host?
A: This is covered in the reading “Scanning Multiple Hosts & Ports” in the same section.
-p 80,8080
Q: What argument would we use if we wanted to see any cookies given by the web server?
A:
-display 2
Task 12 3.2. Nikto Practical (Deploy #3)
Q: What is the name & version of the web server that Nikto has determined running on port 80?
A:
nikto -h 10.10.XX.XX -p 80
Q: There is another web server running on another port. What is the name & version of this web server?
A: By scanning the site with nmap and then piping it to
nikto
we can find and scan the other site.
nmap --top-ports 1000 10.10.64.208 -oG - | nikto -h
Q: What is the name of the Cookie that this JBoss server gives?
A: We can run add in the -Display 2 option and get the cookie for the JBoss server. Note that -Display starts with a capital letter.
nikto -h 10.10.64.208 -p 8080 -Display 2
Thank you to ben and cmnatic and NamelessOne. Great room on web enumeration!