# 🔬 HTTP Enumeration

## Lab 1 - Method Enumeration

> 🔬 [HTTP Method Enumeration](https://attackdefense.com/challengedetailsnoauth?cid=1802)
>
> * Target IP: `192.41.48.3`
> * Credentials: `john`:`password`

```bash
ip -br -c a
	eth1@if193355  UP  192.41.48.2/24 
```

* Open the browser and navigate to
  * `http://192.41.48.3/login.php`
* **View Source code** of the login page and check the `POST` method

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-048fe2a3404133be2c3be34eb897e5c09653a2e0%2Fimage-20230503193434893.png?alt=media)

* Login with the provided credentials
* Follow the remaining links
  * `http://192.41.48.3/post.php`
  * `http://192.41.48.3/index.php`

### Dirb

* Enumerate hidden directories using [**`dirb`**](https://www.kali.org/tools/dirb/)

```bash
dirb http://192.41.48.3
```

![dirb http://192.41.48.3](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-94eb27193e4bcf3995db658f132001e0da4c62bf%2Fimage-20230503193742374.png?alt=media)

> 📌 Hidden directories are `css`, `img`, `js`, `mail`, `uploads`, `vendor`

### Curl

* Use **`curl`** to send some requests

```bash
# GET
curl -X GET 192.41.48.3

# HEAD
curl -I 192.41.48.3

# OPTIONS
curl -X OPTIONS 192.41.48.3 -v

# POST
curl -X POST 192.41.48.3

# PUT
curl -X PUT 192.41.48.3
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-c7a953ddf66da3bdb42c3fc4c423f438b84f91db%2Fimage-20230503194859978.png?alt=media)

* Use **`curl`** to interact with `login.php` and `post.php`

```bash
curl -X OPTIONS 192.41.48.3/post.php -v
	Allow: GET,POST,HEAD,OPTIONS

curl -X OPTIONS 192.41.48.3/login.php -v
	Allow: GET,POST,HEAD,OPTIONS

curl -X POST 192.41.48.3/login.php -d "name=john&password=password" -v
```

![POST](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-b61a7107fb76091da9e02d9f43b1e73a3b46b5cc%2Fimage-20230503195235445.png?alt=media)

* Interact with the `uploads` directory

```bash
curl -X OPTIONS 192.41.48.3/uploads/ -v
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-5d55ffd456e4a6a6c005faf21016113b98f1cf67%2Fimage-20230503195647655.png?alt=media)

> 📌 `WebDAV` module is enabled on the Apache Server and allows file upload via `PUT` method.

* Upload a file with the **`PUT`** method

```bash
echo "Hello Hackers" > hello.txt

curl 192.41.48.3/uploads/ --upload-file hello.txt
```

![http://192.41.48.3/uploads/hello.txt](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-1a55769dff01fffef004a3509a5d8555af475456%2Fimage-20230503195951821.png?alt=media)

```bash
curl -X DELETE 192.41.48.3/uploads/hello.txt -v
```
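
The same `OPTIONS` check can be turned into a repeatable audit of your own servers. The script below is an added example, not part of the original lab: it parses response headers and reports write-capable or WebDAV methods. The `RISKY` list, the function name `audit_options` and the `/uploads/` sample headers are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit OPTIONS response headers for write-capable / WebDAV methods.

# Methods that change server state or indicate WebDAV (assumed review list).
RISKY="PUT DELETE MKCOL COPY MOVE PROPFIND PROPPATCH LOCK UNLOCK TRACE"

# Allow header shown on this page for login.php and post.php.
LOGIN_HDRS=$(printf 'HTTP/1.1 200 OK\r\nAllow: GET,POST,HEAD,OPTIONS\r\n')
# Constructed sample of a WebDAV-enabled directory (not the lab's real output).
UPLOADS_HDRS=$(printf 'HTTP/1.1 200 OK\r\nDAV: 1,2\r\nallow: OPTIONS, GET, HEAD, POST, PUT, DELETE, PROPFIND, MKCOL\r\n')

# Reads raw response headers on stdin. Prints the risky methods found in Allow
# (in header order), then "DAV" if a DAV header exists. Prints nothing if clean.
audit_options() {
  tr -d '\r' | awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    tolower($0) ~ /^allow:/ {
      sub(/^[^:]*:/, "")
      m = split(toupper($0), a, ",")
      for (i = 1; i <= m; i++) {
        gsub(/[ \t]/, "", a[i])
        if ((a[i] in bad) && !seen[a[i]]++) out = out (out ? " " : "") a[i]
      }
    }
    tolower($0) ~ /^dav:/ { dav = 1 }
    END { if (dav) out = out (out ? " " : "") "DAV"; if (out) print out }'
}

echo "login.php: $(printf '%s\n' "$LOGIN_HDRS" | audit_options)"
echo "uploads/:  $(printf '%s\n' "$UPLOADS_HDRS" | audit_options)"
```

For a host you administer, live headers can be piped in with `curl -s -o /dev/null -D - -X OPTIONS http://<host>/uploads/ | audit_options`.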

### BurpSuite

> 🔬 Check the [BurpSuite Basics lab here](https://blog.syselement.com/ine/courses/ejpt/exam-preparation-labs/p.t.-prerequisites-labs/burp-suite-basics)

* Target IP has changed to `192.83.140.3`
* Use [**`BurpSuite`**](https://portswigger.net/burp) to interact with the web page: turn on the `FoxyProxy` Firefox plugin and open BurpSuite with Proxy intercept on.
* Capture the home page and send it to `Repeater`
* Use the various options to send **requests** and check the **response**.

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-e8e3058f96221e0410601644e983cee79f074918%2Fimage-20230504132553928.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-8ba1148d1ca3a2efbf00c67ec9c3633776e3641b%2Fimage-20230504132902967.png?alt=media)

* Try to log in to the web page, intercept the request and send it to `Repeater`
* Send a `POST` to `login.php` with valid credentials

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-cafd2d0769235d49c22b639386275a4ccf4ecef3%2Fimage-20230504133444982.png?alt=media)

* Try to upload a file to `/uploads/`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-a3aba4cb9782978ee26f9bf4b5e3adb9cdc28f30%2Fimage-20230504133626514.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-cab36dd048740b9a949c84a6531d34c88952a341%2Fimage-20230504133907192.png?alt=media)

***

## Lab 2 - Directory Enumeration

### [Gobuster](https://github.com/OJ/gobuster)

> 🔬 [Directory Enumeration with Gobuster](https://attackdefense.com/challengedetails?cid=1882)
>
> * Target IP: `192.185.38.3`
> * Enumerate a **Mutillidae II** vulnerable web app

```bash
ip -br -c a
	eth1@if203734  UP  192.185.38.2/24

# Scan the target (.3), not the local eth1 address (.2)
nmap -sS -sV 192.185.38.3
```

* Open the browser and navigate to
  * `http://192.185.38.3/`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-d71e2a3f52bdb7f291c91aa20f6c00636093dffb%2Fimage-20230504135323480.png?alt=media)

* Use **`gobuster`** to enumerate directories, ignoring `403` and `404` status codes

```bash
gobuster dir -u http://192.185.38.3 -w /usr/share/wordlists/dirb/common.txt -b 403,404
```

![gobuster](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-c2f023ebfabf4bf429006fa4a663f6984c17f8e9%2Fimage-20230504135749412.png?alt=media)

* Scan to find specific file extensions and interesting files

```bash
gobuster dir -u http://192.185.38.3 -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r

# -u = url string
# -w = wordlist
# -b = status code blacklist
# -x = extensions string
# -r = follow redirect
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-551d860bee25a20c6568de48121a2d16ebe532f4%2Fimage-20230504140051930.png?alt=media)

```bash
gobuster dir -u http://192.185.38.3/data -w /usr/share/wordlists/dirb/common.txt -b 403,404 -x .php,.xml,.txt -r
```

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-2373fdbba6fed5aa6fa9f21edeb6fd400b6de32c%2Fimage-20230504140129200.png?alt=media)

* Check the `xml` file
  * `http://192.185.38.3/data/accounts.xml`

![accounts.xml](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-66052007e643cd850beb1939588716de02529757%2Fimage-20230504140341853.png?alt=media)

### Burp Suite

> 🔬 [Directory Enumeration with Burp Suite](https://attackdefense.com/challengedetails?cid=1886)
>
> * Target IP: `192.221.162.3`
> * Enumerate a **Mutillidae II** vulnerable web app

```bash
ip -br -c a
	eth1@if203734  UP  192.221.162.2/24

nmap -sS -sV 192.221.162.3
```

* Open the browser and navigate to
  * `http://192.221.162.3/`
  * Activate FoxyProxy Plugin
* Start `BurpSuite` (set *User options/Display/Look* to *Darcula* and restart BurpSuite)
  * Intercept the home page request and send it to `Intruder`
  * **`Intruder`** - set `HOST` target IP and `PORT`
  * Configure **`Payload Positions`**
    * Clear §
    * Add `§name§` in the `GET` request
  * **`Payloads - Options`** - add a list of strings and load the `/usr/share/wordlists/dirb/common.txt` list
  * **`Start Attack`** and check the status code

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-10462caab2fb6019bcdd9b858ac326c2a01ea4d6%2Fimage-20230504141116943.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-d92d89a891a80276d6ae202a952863a620896ee3%2Fimage-20230504141534109.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-acfd0df99c74b24989fea7ab215e492f667134e1%2Fimage-20230504141924267.png?alt=media)

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-6d5edb7172d7ce9441cba93b9c36234de59dd606%2Fimage-20230504142015220.png?alt=media)

* Navigate to `http://192.221.162.3/passwords/accounts.txt`

![](https://1996978447-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlhjuckuLbvBn36EoFL7P%2Fuploads%2Fgit-blob-61e729f77336780c15ce29b7a5f5426f7a53a472%2Fimage-20230504142127386.png?alt=media)
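
Both the `gobuster` runs and the Burp `Intruder` attack above request every entry of `common.txt`, so the web server logs a burst of `403`/`404` responses from one client; `-b 403,404` only hides them in gobuster's output. The script below is an added example (not from the original lab) that flags that pattern in an Apache combined-format access log. The log lines, the function name `flag_scanners` and the thresholds are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag clients whose responses are mostly 403/404 (wordlist-scan pattern).

# Constructed Apache combined-log lines (not taken from the lab).
SAMPLE_LOG='192.185.38.2 - - [04/May/2023:13:57:01 +0000] "GET /.bash_history HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:01 +0000] "GET /.htaccess HTTP/1.1" 403 439 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:01 +0000] "GET /admin HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:02 +0000] "GET /backup HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:02 +0000] "GET /config HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:02 +0000] "GET /data HTTP/1.1" 301 512 "-" "gobuster/3.1.0"
192.185.38.2 - - [04/May/2023:13:57:03 +0000] "GET /db HTTP/1.1" 404 437 "-" "gobuster/3.1.0"
192.185.38.10 - - [04/May/2023:13:58:10 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.185.38.10 - - [04/May/2023:13:58:11 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.185.38.10 - - [04/May/2023:13:58:11 +0000] "GET /favicon.ico HTTP/1.1" 404 437 "-" "Mozilla/5.0"
192.185.38.10 - - [04/May/2023:13:58:15 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 8001 "-" "Mozilla/5.0"'

# $1 = minimum requests per client, $2 = minimum percentage of 403/404 responses.
# Reads the log on stdin; prints "ip requests misses percent" for each flagged client.
# Splitting on double quotes keeps the status field correct even if the path has spaces.
flag_scanners() {
  awk -F'"' -v min="$1" -v pct="$2" '
    { split($1, h, " "); split($3, s, " "); ip = h[1]; total[ip]++
      if (s[1] == 403 || s[1] == 404) miss[ip]++ }
    END {
      for (ip in total) {
        p = int(100 * miss[ip] / total[ip])
        if (total[ip] >= min && p >= pct) print ip, total[ip], miss[ip] + 0, p
      }
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | flag_scanners 5 80
```

In production the thresholds should be tuned against normal traffic and evaluated per time window rather than over the whole log.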

***
