I’m stuck trying to find that last sub. Read through all the comments and just can’t figure it out.
I did a full nmap scan on all 65,535 ports and did get 4 that are open. I did all sorts of tests on the SMTP and saw nothing. With the comments from the forum I’m focusing on the DNS, but to no avail.
DNS enumeration should get you further. Have you followed everything on: 53 - Pentesting DNS - HackTricks?
Yes, all of it, with different tools and wordlists.
Did you find the first subdomain?
Yes, now I just used sed to make prefixes to a wordlist.
Then you should create a mutation wordlist: pre***-wordlist.t**.h**, and after that just brute-force the subdomain.
Any hints on how to get LFI on m******ng?
Able to find the third subdomain, but not seeing where to go from there. Fuzzed with ffuf against directories (3, but all with a 403 response), pages (only 1, the main page), parameters (only one found), and values for the parameter, which seem to just match links on the main page. Didn’t look to me like there’s an SQLi within the main page, but ran it anyway with defaults and then with level=5 and risk=3. Tried doing some research against the templating vendor/system but didn’t find anything interesting.
Path traversal bypass
Path traversal is your friend
Got it, where to go from there?
Have you got user?
Stuck on path traversal. Think I’m on the right sub, but the normal files aren’t popping up for me. Any nudges?
Bypass WAF
Try …/./, maybe it helps you…
Can I pm you?
Yes, of course.
Thanks, learning as I go with this. Able to use ffuf with a wordlist built for path traversal and got it working. Able to read off the file system now.
Got it, thank you!