Offsec - Gaara - Jun 3rd 2023
Target is [LAB_IP]
I installed AutoRecon to automate as much of the recon as possible.
https://github.com/Tib3rius/AutoRecon
sudo env "PATH=$PATH" autorecon [LAB_IP]
Now to let it do its thing (loud as hell on an IDS, so pentest only and NOT a red team strategy!)
[*] Scanning target [LAB_IP]
[*] [[LAB_IP]/all-tcp-ports] Discovered open port tcp/22 on [LAB_IP]
[*] [[LAB_IP]/all-tcp-ports] Discovered open port tcp/80 on [LAB_IP]
[*] [[LAB_IP]/tcp/80/http/vhost-enum] The target was not a hostname, nor was a hostname provided as an option. Skipping virtual host enumeration.
[*] [[LAB_IP]/tcp/80/http/known-security] [tcp/80/http/known-security] There did not appear to be a .well-known/security.txt file in the webroot (/).
[*] [[LAB_IP]/tcp/80/http/curl-robots] [tcp/80/http/curl-robots] There did not appear to be a robots.txt file in the webroot (/).
So SSH and HTTP. Checking out the site now.
Edgy sand guy from Naruto.
Checking source code
Nothing good
There is the email on the page that's kinda hard to read: dyuuwijaya@yahoo.com
Possible opening for social engineering: a broken website and needing FTP access to fix it.
Running dirb
Nada
Using dirbuster since dirb crashed on me. Also stopped AutoRecon.
I like how bad dirbuster is with its UI. Not large enough to show the start button.
Reset the VPN connection and now it's running. Used /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
50 threads max. Anything more typically breaks connections.
A search suggests running gobuster. Not my favorite since it requires actual command-line usage, but here it is:
gobuster dir -u http://[LAB_IP] -x txt,php,html --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -o dir.log
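Since the note above points out how loud this kind of scan is on an IDS, here is the other side of it: an added example (not part of the original writeup) that flags a client walking a wordlist with the same txt/php/html extension pattern, by counting 404 responses per source IP in a sliding window over Combined Log Format access-log lines. The sample log lines, IP addresses, wordlist entries and user-agent string are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format as written by Apache/nginx; the regex is this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_forced_browsing(lines, window_s=60, threshold=20):
    """Return {ip: total_404s} for clients with >= threshold 404s inside any window_s-second span."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: 10.0.0.5 walks a wordlist with the txt/php/html extension
# pattern from the gobuster command above; 192.0.2.10 is an ordinary visitor.
_WORDS = ["admin", "backup", "images", "uploads", "test", "old", "dev", "config", "login", "api"]
SAMPLE_LOG = [
    f'10.0.0.5 - - [03/Jun/2023:10:00:{i:02d} +0000] "GET /{w}.{ext} HTTP/1.1" 404 196 "-" "scanner-ua"'
    for i, (w, ext) in enumerate((w, e) for w in _WORDS for e in ("txt", "php", "html"))
] + [
    '192.0.2.10 - - [03/Jun/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Jun/2023:10:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]
```

Calling `find_forced_browsing(SAMPLE_LOG)` flags only 10.0.0.5 (30 misses in 30 seconds) while the ordinary visitor's single 404 stays under the threshold; on a real server, point it at the access log and tune `window_s` and `threshold` to the site's normal 404 rate.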