Enumerating a Web Server
Thursday 15th September 2022
Working my way through the Practice Proving Grounds, nearly every machine I attempt includes some form of a web server. More often than not, it provides us with the first step towards some form of a shell, whether that be through SQL injection or LFI/RFI. Today I will give a breakdown of the steps I take to garner as much information as possible from a web server.
Gobuster
My most used enumeration tool would be Nmap, but a very close second would be Gobuster.
Below is an example of scanning a server for any hidden directories and files. We can add as many different extensions to check for as we like (-x), as well as custom headers and much more. As with all tools, the most crucial factor is the data they have to work with. My first port of call is always the directory-list-lowercase-2.3-medium.txt wordlist from DirBuster.
gobuster dir -u http://IP_ADDRESS -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 100 -x txt,php,js --no-error -z > gobuster-dir.txt
Another option can be to use a wordlist tailored for the web server we're enumerating, such as a Microsoft IIS instance. For example, the list below comes from the awesome SecLists.
gobuster dir -u http://IP_ADDRESS -w /usr/share/wordlists/seclists/Discovery/Web-Content/IIS.fuzz.txt -t 100 -x txt,php,js --no-error -z
Alongside the ability to search for files and directories, gobuster supports DNS sub-domain, virtual host and S3 bucket enumeration, as well as a dedicated fuzzing mode. Note that each mode takes its target differently: dns wants a bare domain name, vhost and fuzz want a URL, and s3 takes no target at all.
DNS
The dns mode takes a bare domain name (-d), not an http:// URL:
gobuster dns -d DOMAIN -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
S3
The s3 mode has no -d or -u flag; every wordlist entry is tried as a bucket name:
gobuster s3 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Virtual Hosts
The vhost mode takes the target URL (-u) and sends each wordlist entry as the Host header:
gobuster vhost -u http://IP_ADDRESS -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
Fuzzing
Searching for helpful PHP files. The fuzz mode needs the FUZZ keyword in the URL to mark where each wordlist entry is substituted:
gobuster fuzz -u http://IP_ADDRESS/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/PHP.fuzz.txt
There are hundreds of wordlists in SecLists alone to choose from. It's worth taking the time to browse the repo just to know what's available for when you might need it.
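The flip side of the directory brute-forcing above is what it looks like in the server's own access log: one client, a burst of 404s, and the same extension set (txt, php, js) repeated for every word. Below is an added example, not code from the post, that parses a few constructed Apache combined-format log lines and flags the client whose 404 burst crosses a threshold. The log lines, addresses, user agent string and the 60-second/5-hit thresholds are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from posixpath import splitext

# Constructed Apache combined-format log lines (not taken from the post).
# 10.0.0.5 is a made-up client sending gobuster-style requests with the
# txt/php/js extension set; 10.0.0.9 is a made-up ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2022:10:00:01 +0000] "GET /index HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:01 +0000] "GET /index.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:02 +0000] "GET /index.js HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:02 +0000] "GET /images HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:02 +0000] "GET /images.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.5 - - [15/Sep/2022:10:00:03 +0000] "GET /images.php HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
10.0.0.9 - - [15/Sep/2022:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Sep/2022:10:00:07 +0000] "GET /style.css HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Sep/2022:10:01:30 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def max_404_burst(records, ip, window=timedelta(seconds=60)):
    """Largest number of 404 responses served to `ip` inside any span of length `window`."""
    times = sorted(r["ts"] for r in records if r["ip"] == ip and r["status"] == 404)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforcers(records, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: summary} for clients whose 404 burst reaches `threshold`."""
    hits = {}
    for ip in sorted({r["ip"] for r in records}):
        burst = max_404_burst(records, ip, window)
        if burst < threshold:
            continue
        mine = [r for r in records if r["ip"] == ip]
        hits[ip] = {
            "burst_404": burst,
            # The -x extension list shows up as the same suffixes repeated per word
            "extensions": sorted({splitext(r["path"])[1] for r in mine} - {""}),
            "agents": sorted({r["agent"] for r in mine}),
        }
    return hits


if __name__ == "__main__":
    for ip, summary in find_bruteforcers(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The detection keys on the rate of 404s rather than on the user agent, since the agent string is client-controlled and is only reported here as supporting context.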
wfuzz
An alternative to Gobuster is wfuzz, which is a dedicated fuzzer. I used this in the Robust room walkthrough. I won't cover it in detail here as it offers functionality similar to what we explored above.
wfuzz --sc 200 -u http://192.168.163.200/FUZZ.php -w /usr/share/wordlists/wfuzz/general/big.txt
Nikto
Initially released in 2001 (21 years ago!), Nikto is an excellent tool for a holistic view of the server. It reports on the server's general configuration and on interesting headers, both those that are present and those that aren't. In the docs, the key features are identified as the following:
Server and software misconfigurations
Default files and programs
Insecure files and programs
Outdated servers and programs
Pointers to lead a human tester to better manual testing
Regardless of what server I'm dealing with or what I'm looking for (if I have any idea), I'll run a Nikto scan. The basic command looks like this:
nikto -host IP_ADDRESS -port PORT
There aren't too many additional parameters to play with, but you can pass in a virtual host name, other root directories and a custom list of plugins to run.
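To make the "headers that are present and those that aren't" point concrete, here is an added example (not code from the post or from Nikto) that parses a constructed HTTP response head and reports missing hardening headers, weak values, and headers that disclose software. The list of headers checked, the sample response and its Server/X-Powered-By values are assumptions for this example; Nikto's own checks are far broader.

```python
# Hardening headers a scanner reports as missing when absent (assumed set for this example).
HARDENING_HEADERS = [
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Content-Security-Policy",
]

# Headers whose value typically discloses the software stack and version.
DISCLOSING_HEADERS = ["Server", "X-Powered-By", "X-AspNet-Version", "X-Generator"]

# Constructed response head (not captured from any real host); version strings are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 15 Sep 2022 10:00:00 GMT\r\n"
    "Server: Apache/2.4 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4\r\n"
    "X-Content-Type-Options: none\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_response_head(raw):
    """Split a raw HTTP response into its status line and a {name: value} header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


def audit_headers(headers):
    """Report missing hardening headers, weak values, and disclosing headers."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    missing = [h for h in HARDENING_HEADERS if h.lower() not in lower]
    disclosed = {h: lower[h.lower()] for h in DISCLOSING_HEADERS if h.lower() in lower}

    weak = {}
    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak["X-Content-Type-Options"] = xcto      # present but not the only valid value
    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak["X-Frame-Options"] = xfo
    return {"missing": missing, "disclosed": disclosed, "weak": weak}


if __name__ == "__main__":
    status, hdrs = parse_response_head(SAMPLE_RESPONSE)
    print(status)
    for key, value in audit_headers(hdrs).items():
        print(f"{key}: {value}")
```

A present-but-wrong value is reported separately from a missing header because the remediation differs: one is a configuration to add, the other a typo or misunderstanding to correct.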
LFI/RFI
Now, this isn't a tool but a technique I keep forgetting about when enumerating boxes. It's worth explaining that I write these kinds of posts as a reference for myself as much as anything!
When enumerating, and eventually accessing, a box that has, for example, an Apache instance running on it, it's worth remembering that the key to privilege escalation, or at least lateral movement, could lie within the web server itself.
Services running under different users!
If you're struggling to find a different user, the route could be accessing content through the web server instead of directly through a shell or any FTP/SSH/SMB credentials previously found.
This means rev-shell.php is executed by apache-user instead of my-low-priv-shelled-user.
Through LFI, we could dig out a host of sensitive and valuable information. SecLists' LFI list gives an idea of what data could be gleaned.
Going one better, if we need to move laterally to a user with better privileges, we can use RFI to serve up a more useful reverse shell. These attack vectors are nothing groundbreaking and will be evident to most. Still, I have found myself forgetting or ignoring the possibility of enumerating a web server further, even once I have some form of shell access.
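The reason LFI reaches files a low-privileged shell can't is exactly the point made above: the read happens as the web server's user. Below is an added example, not code from the post, showing the same defect and its fix in Python: a page-include routine that joins untrusted input onto the document root (the equivalent of an unchecked include), beside a hardened version that resolves the final path and refuses anything outside the root. The directory tree, file names and contents are constructed in a temporary directory for the example.

```python
import os
import tempfile


def read_page_vulnerable(web_root, page):
    """Joins the untrusted page name straight onto the document root, the
    Python equivalent of include($_GET['page']) with no validation."""
    with open(os.path.join(web_root, page)) as f:
        return f.read()


def read_page_hardened(web_root, page):
    """Resolves the final path (following .. and symlinks) and refuses
    anything that ends up outside the document root."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"refusing to read outside {root}: {page!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Build a throwaway tree (constructed for this example) and try both readers."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "var", "www", "html")
        os.makedirs(root)
        with open(os.path.join(root, "about.txt"), "w") as f:
            f.write("About us")
        # A file outside the document root that the web server's user can read
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(tmp, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        traversal = "../../../etc/passwd"  # html -> www -> var -> tmp, then etc/passwd
        results["vulnerable_normal"] = read_page_vulnerable(root, "about.txt")
        results["vulnerable_traversal"] = read_page_vulnerable(root, traversal)  # leaks
        results["hardened_normal"] = read_page_hardened(root, "about.txt")
        try:
            read_page_hardened(root, traversal)
            results["hardened_traversal"] = "read"
        except PermissionError:
            results["hardened_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Checking the resolved path against the root, rather than stripping "../" from the input, is what makes the fix hold: realpath collapses traversal and symlinks before the comparison, so encoded or nested variants are judged by where they actually land.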
I hope this article is helpful; if nothing else, it can serve as a quick reminder of a step that may have been missed when enumerating a box. It's also worth remembering there are CMS-specific tools out there as well, such as wpscan, which can be invaluable!