November 14, 2022 at 8:25 AM
Hello, I'm writing a fairly small guide (sorta) on tactics I've used before when it comes to compromising system integrity or data exfiltration. This [b]WILL NOT[/b] cover basic topics like SQL injection, XSS, etc. because it's covered all over the internet.

Your first step would be to pick a target, preferably not a huge corporation, and a smaller business or startup, because with beginner knowledge the chances of you breaching a major company are 0. Later in the tutorial I'm going to be using examples from a company I got multiple bounties for, though the company will remain undisclosed.

So firstly, you can just use basic enumeration. What I usually do is look at [b]search.censys.io, binaryedge.io, and shodan.io[/b] (why are they all ending in .io :huh:). This can be used to find potential backup servers and other domains used by the company; you can also look at netlify to find other domains used by the company.

Secondly, you can look at subdomains (subdomainfinder.c99.nl is best) and also look at the SAN (Subject Alternative Name; you can use the openssl command line or certificatetools.com) on select domains, as sometimes they can, again, contain other domains used by the company.

On any domain that contains anything dynamic (i.e. not a static support page), looking at the debugger (Firefox) or sources (Chrome) to view files loaded in the current page, you can press Ctrl+Shift+F and search for keywords like website.com, /api, /somepath, and find potentially unused or old paths still there that contain vital information. For example, in a certain undisclosed multi-billion dollar company I found something in a JS config file that allowed an unauthorized user to view the entire cache freely, which did contain sensitive information. And on another company I got bountied for I found an old unused testing admin endpoint that had GraphQL injection which led me to full account takeover, just found by looking through the source. The account takeover leveraged GraphQL and an unused endpoint, which let you generate a validated JWT token by a user ID (which in their case is a random string, which you could get by visiting the user's page or GraphQL).

And onto GraphQL: if you know a website that is utilizing GraphQL, you can bruteforce schema names and subfields, and sometimes it'll show a recommendation like 'did you mean', which can be helpful. For example, in Linktree one of their subdomains is mostly unused but has an endpoint with GraphQL introspection enabled, which allowed me to map the entire schema (it was fucking massive) and easily look at the structure and find sensitive information. The GraphQL endpoint was never used by a public-facing server, but I found it by a pure guess (by adding /graphql because I knew regular Linktree used it).

Another example is with custom CMS authentication. I don't mean open-sourced CMS, I mean ones made by said website/company, because sometimes (especially if it's PHP) they don't exit the script, and just do a 302 redirect. This is silly because you can use Fiddler to remove the Location header and access the CMS easily. I've found numerous websites doing this, including a couple of government organizations & million-dollar companies.

I know this is more ranting on about what I do, but these are also some good beginner tactics. I know there's a lot more you can do, but I'm not an expert either. I also forgot a lot of what I do when I thought about writing this.
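
The redirect-without-exit pattern the post describes, as an added example that is not code from the original post: a hypothetical custom-CMS login guard written the broken way and the fixed way, so the difference is visible when reviewing your own application.

```php
<?php
// Added illustration, not from the original post. Hypothetical admin.php
// guard for a hand-written CMS; /login.php and the session key are assumed.

// VULNERABLE: the script only *asks* the client to go elsewhere. Execution
// continues, so the whole admin page is still rendered into the body of the
// 302 response and any client that ignores the Location header gets it.
function require_login_broken(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        // no exit here: falls through to the protected content below
    }
}

// HARDENED: terminate the script immediately after sending the redirect.
// Nothing after this point runs for an unauthenticated request, so the
// response body is empty no matter how the client treats the header.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

session_start();
require_login();   // swap in require_login_broken() to see the difference
echo "<h1>Admin dashboard</h1>";
// ... protected CMS content would follow here ...
```

A quick self-check for your own deployment: an unauthenticated request to the guarded page should return the 302 with no HTML after the headers; the status code alone proves nothing.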
