Day 50 comes with a writeup about a vertical privilege escalation and a short guide to finding endpoints.

Small Investment to Simple Vertical Privilege Escalation

From Rajesh Ranjan. Here is the writeup.

Need to find some endpoints?

From Sam (CoffeeJunkie). Being invited to a private program with a large scope, I came across the question "where the hell should I start?" Well, by enumerating the subdomains. I went with the target in scope that had a lot of subdomains to check. OK, what's next then? Talking to Rajesh Ranjan and explaining to him that I was getting a little bit tired of enumerating and attacking sites, finding no bugs and without bypassing the content filters on the site, he sent me a pretty good resource related to gf, a tool created by tomnomnom. gf will help us grep the endpoints in order to find possible XSS, SSRF, open redirects and more.

Time to find the endpoints

You can run the following bash script to find the endpoints. You will need waybackurls, gau and paramspider installed, and the script takes the target domain as its only argument.


#!/usr/bin/env bash
## Usage: ./endpoints.sh example.com
set -eu
[ $# -eq 1 ] || { echo "usage: $0 <domain>" >&2; exit 1; }

## Gather all the endpoints
echo "$1" | waybackurls > "$1-wayback.txt"
echo "$1" | gau > "$1-gau.txt"
## paramspider.py is assumed to be in the current directory; the script
## expects its result under ./output/, so check where your version writes.
python3 paramspider.py --domain "$1" --output "$1-param.txt"

## Merge the lists :)
sort -u "$1-wayback.txt" "$1-gau.txt" "output/$1-param.txt" > "$1-endpoints.txt"

## Clean up a bit
rm -f "$1-wayback.txt" "$1-gau.txt" "output/$1-param.txt"

Great! Once you have all the endpoints, we can use the gf_profiles shipped with paramspider to filter them. gf reads the URL list from stdin and looks up its profiles in ~/.gf, so copy the profiles there first. For more information on how to use the gf_profiles, read the paramspider and gf documentation.

gf xss < $1-endpoints.txt
gf potential < $1-endpoints.txt

After running the commands you will have a shortlist of endpoints whose parameters look promising for XSS and more. Remember to always read the documentation for the tools.
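The merged list from the script above is usually dominated by the same endpoint repeated with different parameter values, and gf does nothing more than grep that list for parameter names. The following is an added example that is not part of the original post and not gf or paramspider code: it collapses every query value to a placeholder so near-duplicate URLs dedupe, then applies a gf-style parameter-name filter. The parameter list in XSS_PARAMS is an assumed illustrative subset, not the real gf xss profile, and SAMPLE_URLS is constructed data standing in for waybackurls/gau output.

```bash
#!/usr/bin/env bash
# Added example: a minimal gf-style filter for an endpoint list.

# Drop URL fragments and replace every query-string value with FUZZ so that
# /search?q=shoes and /search?q=boots become the same line and dedupe.
# (Any "=" before the "?" would be collapsed too; good enough for a URL list.)
normalize_urls() {
    sed -E 's/#.*$//' \
    | sed -E 's/=[^&]*/=FUZZ/g' \
    | LC_ALL=C sort -u
}

# Parameter names commonly reflected into pages. This list is assumed for
# illustration only; gf's real xss profile ships its own, longer list.
XSS_PARAMS='q|s|search|query|keyword|keywords|lang|name|page|url|redirect|next|return'

# Keep only URLs that carry at least one of those parameter names.
# "|| true" keeps an empty result from failing the pipeline under set -e.
grep_xss_candidates() {
    grep -Ei "[?&](${XSS_PARAMS})=" || true
}

# Constructed sample of the kind of list waybackurls/gau emit (not real data).
SAMPLE_URLS='https://example.com/search?q=shoes&page=1
https://example.com/search?q=boots&page=2
https://example.com/item?id=42#reviews
https://example.com/item?id=43
https://example.com/go?redirect=https://example.com/home
https://example.com/static/app.js'

# Run the whole pipeline over the constructed sample.
xss_candidates_from_sample() {
    printf '%s\n' "$SAMPLE_URLS" | normalize_urls | grep_xss_candidates
}

# When executed with a file argument, process that file instead of the sample,
# e.g. ./gf_lite.sh example.com-endpoints.txt
if [ -n "${1:-}" ]; then
    normalize_urls < "$1" | grep_xss_candidates
fi
```

On the sample, the six input lines normalize to four unique endpoints and only the two carrying `q`/`page` and `redirect` parameters survive the filter; the `id` endpoint is dropped because `id` is not in the assumed list, which is exactly the kind of gap you should expect from any fixed profile, so tune the list per target.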

