Day 50 comes with a writeup source about vertical privilege escalation and finding endpoints.
Small Investment to Simple Vertical Privilege Escalation
Need to find some endpoints?
From Sam (CoffeeJunkie). Being invited to a private program with a large scope, I came across with the question “where the hell should I start?” well, by enumerating the subdomains I went with the target on scope that has a lot of subdomains to check. Ok, what’s next then? talking to Rajesh Ranjan and explaining him that I was getting a little bit tired of enumerating and attacking sites finding no bugs and without bypassing the content filters in the site he sent me a pretty good resource related to gf which is a tool created by tomnomnom. gf will help us out to grep the endpoints in order to find possible XSS, SSRF, Open redirects and more.
Time to find the endpoints
#!/bin/bash ## Gather all the endpoints echo "$1" | waybackurls > $1-wayback.txt echo "$1" | gau > $1-gau.txt python3 paramspider.py --domain $1 --output $1-param.txt ## Merge the lists :) sort $1-wayback.txt $1-gau.txt output/$1-param.txt | uniq > $1-endpoints.txt ## Clean up a bit rm -rf $1-wayback.txt $1-gau.txt output/$1-param.txt
Great! Once you got all the endpoints we can use the gf_profiles found in paramspider in order to gather the endpoints. For more information on how to use the gf_profiles read paramspider and gf documentation.
gf xss domain.com-endpoints.txt gf potential domain.com-endpoints.txt
After running the commands there will be some results related about potential endpoints in order to achieve xss and more. Remember to always read the documentation from the tools.