exist in directory indexing pages. You can verify this by viewing the
source HTML page at http://172.16.10.11/backup.
If we find either string, we call the wget command (4) with the
quiet option (-q) to silence verbose output, the recursive option (-r)
to download files recursively from folders, the no-parent option
(-np) to ensure we download only files at the same level of hierarchy
or below (subfolders), and the reject option (-R) to exclude files
starting with the word index.html. We then use the target folder
option (-P) to download the content to the path specified by the user
calling the script (OUTPUT_FOLDER variable). If the user did not
provide a destination folder, the script will default to using the data
folder set at (5).
The acme-impact-alliance folder appears to be empty. But is it
really? When dealing with web servers, you may run into what seem
to be dead ends only to find out that there is something hiding there,
just not in a very obvious place. Take note of the empty folder for
now; we’ll resume this exploration in a little bit.
Identifying Suspicious robots.txt Entries
Continue to the third IP address and explore the results from
Nikto:
+ Server: Apache/2.4.54 (Debian)
+ Retrieved x-powered-by header: PHP/8.0.28
--snip--
+ Uncommon header 'link' found, with contents: <http://172.16.10.12/wp-json/>; rel="https://api.w.org/"
--snip--
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/donate.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 17 entries which should be manually viewed.
+ /wp-login.php: Wordpress login found
--snip--
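The robots.txt findings in the Nikto output above can be reproduced against a server you administer with a short script. This is an added example, not code from the book; the function names, the status labels and the sample robots.txt are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the book): list robots.txt entries and label the
# HTTP status each one returns, as Nikto does in the output above.
# Constructed sample robots.txt, used when no URL is given.
SAMPLE_ROBOTS='User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
disallow: /donate.php   # constructed comment
Disallow: /wp-admin/
Disallow:
Sitemap: http://example.test/sitemap.xml'

# Read robots.txt on stdin; print each unique Allow/Disallow path once.
robots_paths() {
  awk '{
    line = $0
    sub(/#.*/, "", line)                       # drop comments
    if (match(tolower(line), /^[ \t]*(dis)?allow[ \t]*:[ \t]*/)) {
      p = substr(line, RLENGTH + 1)
      sub(/[ \t\r]+$/, "", p)                  # trim trailing space and CR
      if (p != "" && !seen[p]++) print p
    }
  }'
}

# Label a status code; 2xx/3xx are what Nikto calls "non-forbidden or redirect".
classify_status() {
  case "$1" in
    2??) echo "accessible" ;;
    3??) echo "redirect" ;;
    401|403) echo "restricted" ;;
    404|410) echo "missing" ;;
    *) echo "review" ;;
  esac
}

# Check every literal entry on a server you administer (needs curl).
audit_robots() (
  base="${1%/}"
  curl -s --max-time 10 "${base}/robots.txt" | robots_paths |
  while read -r path; do
    case "$path" in *'*'*|*'$'*) continue ;; esac   # skip wildcard patterns
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "${base}${path}")
    printf '%s\t%s\t%s\n' "$code" "$(classify_status "$code")" "$path"
  done
)

if [ -n "${1:-}" ]; then audit_robots "$1"; else printf '%s\n' "$SAMPLE_ROBOTS" | robots_paths; fi
```

With no argument the script only parses the embedded sample; entries labelled accessible or redirect are the ones worth reviewing, since robots.txt advertises them to anyone who reads it.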
Nikto was able to find a lot more information this time! Other
than the missing security headers (which are extremely common to
see in the wild, unfortunately), it also found that the server is running
on Apache (Debian) and that it is powered by PHP, a backend
programming language commonly used in web applications.
The tool also found an uncommon link header that points to
http://172.16.10.12/wp-json and two suspicious entries in the
robots.txt file, namely /wp-admin/ and /donate.php. The robots.txt
file is a special file used to indicate to web crawlers (such as
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks