Alvin Smith edited this page Sep 27, 2024 · 34 revisions

Welcome to the OSCP-PWK wiki

ReverseShell, Alternative to swissPayload everything

THM writeups

https://shishirsubedi.com.np/categories/#thm

Holy war on Fuzzing tools

  • feroxbuster does wildcard auto-filtering: it detects the catch-all response and drops hits that match it. Default User-Agent: feroxbuster/<version>
  • gobuster only reports 200,204,301,302,307,403 by default (older releases; 3.1+ instead blacklists 404 and reports everything else). Default User-Agent: gobuster/<version>. I didn't make proxychains work for it; used https_proxy=localhost:8080 instead.
  • dirb uses User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) by default.

Update at Aug 2022.

Virtual-host fuzzing with ffuf, filtering out the catch-all response by its body size (-fs):

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://$IP -H 'Host: FUZZ.schooled.htb' -fs 20750
```

  • gobuster fuzz with -v prints every response, including the "bad" ones, so save the output and filter out the catch-all length afterwards (or route it through a proxy and inspect it there). e.g.

```bash
gobuster fuzz -u http://ip:port/FUZZ -w /usr/swagger.txt -t 50 -v > go2.txt
# drop every hit whose body length matches the catch-all response (XX)
grep --invert-match "Length=XX" go2.txt
```

  • gobuster dir through an authenticated HTTP proxy, appending a file extension to each word:

```bash
gobuster dir -u http://127.0.0.1/app --proxy 'http://lance.friedman:[email protected]:3128' -w /usr/share/wordlists/dirb/common.txt -x py
```

More on that: https://github.com/A1vinSmith/OSCP-PWK/wiki/Web-Enumeration

Update at Sep 2024

ffuf can replay a raw HTTP request from a file (`-request <file>`) and substitutes FUZZ wherever it appears in that request, so the fuzz position can be a header, a multipart field or the body rather than only the URL:

```bash
ffuf -u http://x.htb/upload-cover -X POST -request request.txt -w ports.txt
```

Burp Suite's Intruder is slow for fuzzing (the Community edition throttles it), so ffuf is the faster alternative. To set up the scan, save the raw request from Burp to a file named request.txt, replace the value to fuzz with FUZZ, and create another file called ports.txt...
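The `-fs 20750` and `grep --invert-match "Length=XX"` filters above both do the same job by hand: find the size of the catch-all response and drop everything that matches it. The following is an added example, not code from the wiki, that derives that size automatically from fuzzer output, the way feroxbuster's wildcard auto-filter does. It runs on constructed sample output in both the ffuf `Size: N` and gobuster fuzz `Length=N` formats; the sample lines and function names are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): derive the catch-all response size from
# fuzzer output and drop every hit that matches it. This is what feroxbuster's
# wildcard auto-filter does for you, and what the wiki does by hand with
# "ffuf ... -fs 20750" and "grep --invert-match Length=XX".
# Handles ffuf-style "Size: N" and gobuster-fuzz-style "Length=N" lines.

# Constructed sample output (not a real scan): an ffuf vhost fuzz where the
# server answers every unknown Host header with the same 20750-byte page.
SAMPLE_FFUF='www        [Status: 200, Size: 20750, Words: 1000, Lines: 300]
mail       [Status: 200, Size: 20750, Words: 1000, Lines: 300]
dev        [Status: 200, Size: 20750, Words: 1000, Lines: 300]
moodle     [Status: 200, Size: 84, Words: 5, Lines: 2]
staging    [Status: 302, Size: 20750, Words: 1000, Lines: 300]
admin      [Status: 403, Size: 1234, Words: 50, Lines: 10]'

# Constructed sample "gobuster fuzz -v" output for the same idea.
SAMPLE_GOBUSTER='Found: [Status=200] [Length=512] http://ip:port/api
Found: [Status=200] [Length=512] http://ip:port/v1
Found: [Status=200] [Length=512] http://ip:port/v2
Found: [Status=200] [Length=3051] http://ip:port/swagger.json'

# body_sizes: extract just the numeric body size from each line on stdin.
body_sizes() {
  grep -oE '(Size: |Length=)[0-9]+' | grep -oE '[0-9]+$'
}

# wildcard_size: the most frequent body size in the output on stdin. A catch-all
# page returns the same body for every guess, so the modal size is the noise.
wildcard_size() {
  body_sizes | sort | uniq -c | sort -rn | awk 'NR==1 { print $2 }'
}

# filter_wildcard: print only the lines whose size differs from the wildcard
# size, which is either passed as $1 or computed from the input itself.
filter_wildcard() {
  local input size
  input=$(cat)
  size=${1:-$(printf '%s\n' "$input" | wildcard_size)}
  printf '%s\n' "$input" | grep -vE "(Size: |Length=)${size}([^0-9]|$)"
}

# ffuf_filter_arg: the -fs argument to bake into the next ffuf run.
ffuf_filter_arg() {
  printf -- '-fs %s' "$(wildcard_size)"
}

# Demo: what survives the filter in each constructed sample.
printf '%s\n' "$SAMPLE_FFUF" | filter_wildcard
printf '%s\n' "$SAMPLE_GOBUSTER" | filter_wildcard
```

Run a first pass without any filter, pipe the saved output through `wildcard_size` to learn the catch-all size, then re-run ffuf with `ffuf_filter_arg` (or `-fw`/`-fl` if the catch-all body varies in length but not in word or line count). Passing an explicit size to `filter_wildcard` is for the case where the catch-all response is not the most frequent one, for example a small wordlist where real hits outnumber the noise.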

Holy war on Scanning tools

  • nmap is too slow for a full 65535-port scan on CTF, HTB or THM boxes. Run a faster scanner to find the open ports first, then hand only those ports to nmap for service and script scanning.
  • Rustscan is fast but sometimes misses ports: https://github.com/RustScan/RustScan/issues/494
  • Use masscan as a backup runner (it needs root and the right interface, tun0 on the VPN), i.e.

```bash
masscan -p1-65535,U:1-65535 $IP --rate=2000 -e tun0
```
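The two-step workflow above (fast scanner first, nmap only on what it found) needs the port list carried from one tool to the other. The following is an added example, not code from the wiki, that parses masscan's stdout into an nmap `-p` spec, keeping TCP and UDP apart because the wiki's masscan command scans both. The sample masscan lines, the target address and the function names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): turn masscan's stdout into an nmap -p port
# spec, so the slow nmap service/script scan only touches the ports the fast
# scanner actually found. Matches the wiki's two-step workflow (masscan or
# rustscan first, nmap second).

# Constructed sample masscan output (not a real scan). masscan can report the
# same port twice when retransmits arrive, so duplicates are expected.
SAMPLE_MASSCAN='Discovered open port 8080/tcp on 10.10.10.234
Discovered open port 22/tcp on 10.10.10.234
Discovered open port 161/udp on 10.10.10.234
Discovered open port 80/tcp on 10.10.10.234
Discovered open port 22/tcp on 10.10.10.234'

# ports_from_masscan: read masscan stdout on stdin and print an nmap -p spec
# such as "T:22,80,8080,U:161" (sorted, de-duplicated, TCP and UDP kept apart).
ports_from_masscan() {
  local input tcp udp spec=""
  input=$(cat)
  tcp=$(printf '%s\n' "$input" \
        | awk '/Discovered open port/ && $4 ~ /\/tcp$/ { sub(/\/tcp$/, "", $4); print $4 }' \
        | sort -nu | paste -s -d ',' -)
  udp=$(printf '%s\n' "$input" \
        | awk '/Discovered open port/ && $4 ~ /\/udp$/ { sub(/\/udp$/, "", $4); print $4 }' \
        | sort -nu | paste -s -d ',' -)
  if [ -n "$tcp" ]; then spec="T:$tcp"; fi
  if [ -n "$udp" ]; then spec="${spec:+$spec,}U:$udp"; fi
  printf '%s' "$spec"
}

# nmap_followup: build the nmap command line for the found ports (printed, not
# run). -sU is only added when UDP ports are in the spec, since it needs root
# and is much slower than the TCP scan.
nmap_followup() {
  local target=$1 spec
  spec=$(ports_from_masscan)
  case $spec in
    *U:*) printf 'nmap -sS -sU -sC -sV -p%s %s' "$spec" "$target" ;;
    *)    printf 'nmap -sC -sV -p%s %s' "$spec" "$target" ;;
  esac
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_MASSCAN" | nmap_followup 10.10.10.234
echo
```

In practice the pipeline is `sudo masscan ... | tee masscan.out` followed by `eval "$(nmap_followup $IP < masscan.out)"` once the printed command looks right; keep the masscan output, because the port spec is also the evidence for the report if rustscan and masscan disagree.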
