Introduction
In most environments, web servers play a big part in the infrastructure and in the daily processes of many departments. Web servers are sometimes used strictly internally by employees, but most of the time they are public-facing, which means anyone on the Internet can access them to retrieve information and files from their hosted web pages. For the most part, the web pages hosted on these servers are managed through administrative panels, locked behind a log-in page.
Learn more about WordPress:
Let us think of an example: you have decided to start your own blog and use WordPress to achieve this. If you are not familiar with WordPress, you can read more about it on my blog; the link is in my description box.
WordPress is essentially a popular web application that allows you to easily manage the content you want to post for the rest of the world to read. Once installed, your WordPress website will have a public-facing side, and a private-facing one, the latter being your administrative panel hosted on the wp-admin page. This page is locked behind a log-in screen.
Once you, as an administrator of the WordPress site, log into its admin panel, you will have access to a myriad of controls, ranging from content uploading mechanisms to theme selection, custom script editing for specific pages, and more. The more you learn about WordPress, the more you will see why this matters for a successful pentest: some of these mechanisms could be outdated and come with critical flaws that would allow an attacker to gain a foothold and subsequently pivot through the network with ease.

Thus, we conclude that web enumeration, specifically directory busting, is one of the most essential skills any penetration tester must possess. While manually navigating websites and clicking all the available links may reveal some data, many links and pages may not be published to the public and, hence, are often less secure. Suppose we did not know that the wp-admin page is the administrative section of the WordPress site from the example above. How else would we have found it, if not through web enumeration and directory busting?
Enumeration
First, click on Spawn Machine to find out our target's IP address. Immediately after, we can follow up with a preliminary scan of the target. Using Nmap with the service version detection switch, we scan the IP address for any open ports and services.
- -sV: probe open ports to determine service/version info.
┌──(mrdev㉿mrdev)-[~]
└─$ sudo nmap -sV 10.129.56.242
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 10:59 IST
Nmap scan report for 10.129.56.242
Host is up (0.53s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.41 seconds
┌──(mrdev㉿mrdev)-[~]
└─$
From the scan result, a single entry is shown and catches our attention. It is an http service running on port 80, signaling that this target might be hosting some explorable web content.
To take a look at the contents, we can open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window. This will automatically address the target's port 80 for the client-server communication and load the web page's contents.
At the top of the page, we observe the mention of the Nginx service. After researching basic information about Nginx and its purpose, we conclude that our target is a web server. Web servers are hosts on the target network whose sole purpose is serving web content to internal or external users: web pages, images, videos, audio files, and other types. Typically, a web server is accessible from the Internet to allow the stored content to be explored by the online public for many reasons: shopping, providing and requesting services, banking, reading the news, and more.
What we are looking at on our browser screen is the default post-installation page for the Nginx service, meaning that there is a possibility that this web application might not be adequately configured yet, or that default credentials are still in use to facilitate faster configuration up to the point of live deployment. This, however, also means that there are no buttons or links on the web page to assist us with navigation between web directories or other content.
When browsing a regular web page, we use these elements to move around on the website. However, these elements are only links to other directories containing other web pages, which get loaded in our browser just as if we had manually navigated to them using the URL bar at the top of the browser screen. Knowing this, could we attempt to find any "hidden" content hosted on this web server? The short answer is yes, but rather than guessing URLs manually through the browser's URL bar, we can find a better solution. This method is called dir busting, short for directory busting. For this purpose, we will be using the tool called Gobuster, which is written in Go. If you do not have Gobuster installed on your machine yet, you can follow my instructions below to install it; otherwise, skip ahead.
Installing Gobuster
First, you need to make sure you have Go installed on your Linux distribution, as Go is the programming language Gobuster is written in. Once all the dependencies for Go are satisfied, you can proceed to download and install Gobuster. In order to install Go, input the following command in your terminal window:
┌──(mrdev㉿mrdev)-[~]
└─$ sudo apt install golang-go
Once that installation is complete, you can proceed with installing Gobuster itself. With a Go environment ready, it is as easy as typing the following command in your terminal:
┌──(mrdev㉿mrdev)-[~]
└─$ sudo apt install gobuster
Using Gobuster
In order to start our dir busting, we will need to discover what capabilities Gobuster has and which ones can assist us. By looking at the tool's help page, which we get by typing the gobuster -h command in our terminal, we receive a list of all possible commands and switches for the tool along with their descriptions.
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.
In our case, we will only need the following:
- dir: specify that we are using the directory busting mode of the tool
- -w: specify a wordlist, a collection of common directory and file names that are typically used on sites
- -u: specify the target URL (here, the target's IP address)
If you have no wordlist on your system, you will need to obtain one first.
┌──(mrdev㉿mrdev)-[~]
└─$ sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.129.56.242
[sudo] password for mrdev:
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.56.242
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/24 11:55:42 Starting gobuster in directory enumeration mode
===============================================================
/admin.php (Status: 200) [Size: 999]
===============================================================
2021/12/24 11:57:51 Finished
===============================================================
Now you can see that “admin.php” exists and was returned to us in the output, signaling that the page is reachable and we can navigate to it manually to check out its contents.
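The scan above leaves a very recognisable trail on the server side: a burst of requests from one client, mostly answered with 404, and by default carrying the gobuster/3.1.0 User-Agent shown in the tool's banner. The following is an added example, not code from the original page or from the Gobuster project, of the detection logic a defender would run over Nginx access logs to spot such enumeration and to list which paths the scanner actually found. The log lines, the client addresses, the window and the threshold are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Nginx "combined" log format (not from the original page).
# 10.10.14.5 behaves like a directory scanner; 192.168.1.20 is an ordinary visitor.
SAMPLE_LOG = """\
10.10.14.5 - - [24/Dec/2021:11:55:42 +0000] "GET / HTTP/1.1" 200 612 "-" "gobuster/3.1.0"
10.10.14.5 - - [24/Dec/2021:11:55:42 +0000] "GET /.git HTTP/1.1" 404 169 "-" "gobuster/3.1.0"
10.10.14.5 - - [24/Dec/2021:11:55:43 +0000] "GET /backup HTTP/1.1" 404 169 "-" "gobuster/3.1.0"
10.10.14.5 - - [24/Dec/2021:11:55:43 +0000] "GET /cgi-bin/ HTTP/1.1" 404 169 "-" "gobuster/3.1.0"
10.10.14.5 - - [24/Dec/2021:11:55:44 +0000] "GET /admin.php HTTP/1.1" 200 999 "-" "gobuster/3.1.0"
10.10.14.5 - - [24/Dec/2021:11:55:44 +0000] "GET /config HTTP/1.1" 404 169 "-" "gobuster/3.1.0"
192.168.1.20 - - [24/Dec/2021:11:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.1.20 - - [24/Dec/2021:11:56:05 +0000] "GET /favicon.ico HTTP/1.1" 404 169 "-" "Mozilla/5.0"
"""

# One regex for the combined format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that common directory/file enumeration tools put in their default User-Agent.
SCANNER_UA = re.compile(r"gobuster|dirb|ffuf|feroxbuster|nikto", re.I)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_busting(log_text, window=timedelta(seconds=60), threshold=20):
    """Flag client IPs that either announce a scanner User-Agent or produce
    `threshold` or more 404 responses inside any sliding `window`.
    Returns {ip: {"reasons": [...], "exposed_paths": [...]}} for flagged clients;
    exposed_paths lists the non-root paths the scanner got a 200 for, so the
    responder knows what was actually discovered."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        recent_404 = deque()  # timestamps of 404s inside the current window
        for r in recs:
            if SCANNER_UA.search(r["ua"]):
                reasons.add("scanner user-agent: " + r["ua"])
            if r["status"] == 404:
                recent_404.append(r["ts"])
                while recent_404 and r["ts"] - recent_404[0] > window:
                    recent_404.popleft()
                if len(recent_404) >= threshold:
                    reasons.add(f"{len(recent_404)} 404s within {int(window.total_seconds())}s")
        if reasons:
            exposed = sorted({r["path"] for r in recs if r["status"] == 200 and r["path"] != "/"})
            findings[ip] = {"reasons": sorted(reasons), "exposed_paths": exposed}
    return findings


if __name__ == "__main__":
    for ip, info in detect_dir_busting(SAMPLE_LOG, threshold=3).items():
        print(ip, info)
```

The User-Agent check catches only scanners run with their defaults, since the string is trivially changed; the 404-rate check is what remains reliable, and the threshold should be tuned to the site's normal rate of missing assets before alerting on it.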
Foothold
Navigating to the newly found page manually through our web browser can be done by appending the discovered path to the target's address in the URL bar. Once we proceed with this, we are met with an administrative panel for the website. It asks us for a username and password to get past the security check, which could prove problematic in normal circumstances. Usually, in situations such as this one, we would need to fire up some brute-forcing tools to attempt logging in with multiple credential sets for an extended period of time until we hit a valid log-in, since we do not have any underlying context about usernames and passwords that might have been registered on this website as valid administrative accounts. But first, we can try our luck with some default credentials, since this is a fresh Nginx installation. We are betting that it might have been left unconfigured at the time of our assessment. Let us try logging in with the following credentials:
admin:admin
We seem to be successful! The log-in worked, and we were presented with our flag.
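The foothold here rests on two weaknesses the text names: a panel still running with its default credentials, and a log-in with nothing to slow down the brute-force attempt we would otherwise have fallen back on. The following is an added example, not code from the original page, that puts the weak pattern (a hard-coded default pair, compared in plain text) beside a hardened one: the installer refuses well-known default pairs, stores a salted PBKDF2 hash instead of the password, compares in constant time, and locks the account after repeated failures. The class name, the default-credential list, the iteration count and the lockout numbers are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, deliberately short list of default pairs an installer must refuse.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}


def weak_login(username, password):
    """What an unconfigured panel effectively does: fixed default pair,
    plain-text comparison, no throttling. Shown only as the 'before'."""
    return username == "admin" and password == "admin"


class AdminAuth:
    """Hardened replacement (assumed design, not any product's code)."""

    ITERATIONS = 200_000      # PBKDF2-HMAC-SHA256 work factor
    MAX_FAILURES = 5          # failures before the account is locked
    LOCKOUT_SECONDS = 900     # how long the lock lasts
    MIN_PASSWORD_LENGTH = 12

    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> (salt, derived key)
        self._failures = {}   # username -> (failure count, time of first failure)
        self._clock = clock   # injectable so lockout expiry can be tested

    def password_acceptable(self, username, password):
        """Reject known default pairs and short passwords at set-up time."""
        if (username, password) in DEFAULT_CREDENTIALS:
            return False
        return len(password) >= self.MIN_PASSWORD_LENGTH

    def set_password(self, username, password):
        if not self.password_acceptable(username, password):
            raise ValueError("refusing default or too-short password")
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[username] = (salt, key)

    def is_locked(self, username):
        count, since = self._failures.get(username, (0, 0.0))
        if count < self.MAX_FAILURES:
            return False
        if self._clock() - since >= self.LOCKOUT_SECONDS:
            del self._failures[username]   # lock expired, start counting afresh
            return False
        return True

    def login(self, username, password):
        if self.is_locked(username):
            return False
        # Always run the key derivation, even for unknown users, so response
        # time does not reveal which usernames exist.
        salt, stored = self._users.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        ok = username in self._users and hmac.compare_digest(candidate, stored)
        if ok:
            self._failures.pop(username, None)
        else:
            count, since = self._failures.get(username, (0, self._clock()))
            self._failures[username] = (count + 1, since)
        return ok


if __name__ == "__main__":
    auth = AdminAuth()
    print("default pair accepted?", auth.password_acceptable("admin", "admin"))
    auth.set_password("admin", "correct horse battery staple")
    print("correct password:", auth.login("admin", "correct horse battery staple"))
    print("default password:", auth.login("admin", "admin"))
```

The lockout is per account, which stops the extended credential spraying the text describes but can also be used to lock the administrator out; in practice it is paired with per-source-IP rate limiting and alerting on the failure counter rather than relied on alone.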