THM Web App Resources

THM Web App Resources

OWASP Favicon Database:

Other places to find information only using basic tools:

robots.txt, sitemap.xml, HTTP Headers, Framework Stack – developer tools

Google Hacking / Dorking

Google hacking / Dorking utilizes Google’s advanced search engine features, which allow you to pick out custom content. You can, for instance, pick out results from a certain domain name using the site: filter, for example (site:tryhackme.com) you can then match this up with certain search terms, say, for example, the word admin (site:tryhackme.com admin) this then would only return results from the tryhackme.com website which contain the word admin in its content. You can combine multiple filters as well. Here is an example of more filters you can use:

FilterExampleDescription
sitesite:tryhackme.comreturns results only from the specified website address
inurlinurl:adminreturns results that have the specified word in the URL
filetypefiletype:pdfreturns results which are a particular file extension
intitleintitle:adminreturns results that contain the specified word in the title

Wappalyzer – idnetify technologies a website uses

Wayback Machine – Identify changes to versions and previous vulnerabilities

GitHub – version tracker

S3 Buckets – storage service where people store files to access over cloud

Automated Discover Through Wordlists

 

Sub Domain Enumeration

Methods: Brute Force, OSINT, Virtual Host

SSL/TLS Certificates: sites like https://crt.sh and https://ui.ctsearch.entrust.com/ui/ctsearchui offer a searchable database of certificates that shows current and historical results.

Use Google, EG. site:*.tryhackme.com -site:www.tryhackme.com to find submdomains

Bruteforce DNS Tool such as dnsrecon, sublist3r, FFUF

 

Authentication Bypass

ffuf to enumerate valid usernames by checking which ones trigger the response username already exists (or similar)

brute force login with valid usernames and password wordlist

Use logic flaws to bypass logins

Intercept password reset requests using valid username via curl requests, create account on site to forward password reset email to via curl request, use resources like support tickets etc to bypass login screen for valid user.

Cookie Tampering

Alter login cookies changing booleans to true

Hash replays – database of hashes

Encode and Decode https://www.base64encode.org/

 

IDOR

Insecure Direct Object Reference

Altering requests to retrieve different files or info

Altering your invoice number in a url from an email to receive another customers invoice data

decode requests, alter info, encode again and resend

create two accounts and swap the ID numbers

parameter mining

 

r0tZ Avatar

Leave a Reply

Your email address will not be published. Required fields are marked *