As you can see, there is a single user, jtorres, on this blog. This
can be a good target to brute-force later on. If this curl command
returned many users, you could parse only the usernames with the
following jq command:
$ curl -s http://172.16.10.12/wp-json/wp/v2/users/ | jq .[].name
All three findings were true positives, which is great news for us.
Let's recap the identities we've identified so far.
Table 5-1: Identity information gathered from git repositories

Source                               | Name
-------------------------------------|------------------------------------------------------
acme-impact-alliance git repository  | Kevin Peterson (kpeterson@acme-impact-alliance.com)
acme-hyper-branding git repository   | Melissa Rogers
WordPress Account                    | J. Torres
Note that in the case of the WordPress account, we only discovered an
account by the username jtorres. Since this was found on the ACME
Impact Alliance website, and we already know the email scheme they use
(first letter of the first name followed by the last name), it is pretty
safe to assume that jtorres's email address is
jtorres@acme-impact-alliance.com. We do not yet know their first name,
though.
Exercise 7: Parsing Nuclei’s Findings
Nuclei's scan output is a little noisy, and it can be difficult to
parse with bash, but not impossible. Nuclei allows you to pass a
-silent parameter to show only the findings in the output. Before we
write a script to parse the output, let's consider Nuclei's output
format:
[template] [protocol] [severity] url [extractor]
Each field is enclosed between brackets [] and separated by
spaces. The template field is a template name (taken from the
name of the template file), the protocol shows the protocol, such
as HTTP, and the severity shows the severity of the finding
(informational, low, medium, high, or critical). The fourth field is the
URL or IP address, and the fifth field is metadata extracted by the
template’s logic using extractors.
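The following script is an added example written for this exercise; it is not code from the book or from the Nuclei project. It splits lines in the format described above into tab-separated fields, counts findings per severity, and filters parsed findings by a minimum severity so that a triage can focus on what matters. The sample lines inside sample_findings are constructed for the example (TEST-NET addresses, made-up template names) and are not real scan results.

```shell
#!/usr/bin/env bash
# Added example (not from the book): parse Nuclei's -silent output, whose lines
# look like:  [template] [protocol] [severity] url [extractor]
# The extractor field is optional and may contain spaces.

# Constructed sample output for demonstration only; not a real scan result.
sample_findings() {
  cat <<'EOF'
[http-missing-security-headers:x-frame-options] [http] [info] http://192.0.2.10
[wordpress-detect] [http] [info] http://192.0.2.10 [6.3.1]
[tech-detect:nginx] [http] [info] http://192.0.2.10
[exposed-git-config] [http] [medium] http://192.0.2.11/.git/config
[ssh-auth-methods] [javascript] [info] 192.0.2.12:22 ["publickey","password"]
EOF
}

# parse_findings: read raw Nuclei lines on stdin, print TSV with the columns
# template, protocol, severity, target, extractor (extractor may be empty).
parse_findings() {
  awk '{
    # strip the surrounding brackets from the first three fields
    gsub(/^\[|\]$/, "", $1); gsub(/^\[|\]$/, "", $2); gsub(/^\[|\]$/, "", $3);
    # everything after the target is the extractor; rejoin it on spaces
    extractor = "";
    for (i = 5; i <= NF; i++) extractor = extractor (i > 5 ? " " : "") $i;
    gsub(/^\[|\]$/, "", extractor);
    printf "%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, extractor
  }'
}

# count_severity SEV: read raw Nuclei lines on stdin, print how many findings
# have severity SEV (prints 0 when there are none).
count_severity() {
  parse_findings | awk -F'\t' -v s="$1" '$3 == s { n++ } END { print n+0 }'
}

# severity_rank SEV: numeric rank so severities can be compared; -1 if unknown.
severity_rank() {
  case "$1" in
    info|informational) printf '%s\n' 0 ;;
    low)                printf '%s\n' 1 ;;
    medium)             printf '%s\n' 2 ;;
    high)               printf '%s\n' 3 ;;
    critical)           printf '%s\n' 4 ;;
    *)                  printf '%s\n' -1 ;;
  esac
}

# findings_at_least SEV: read parsed TSV lines on stdin and keep only those
# whose severity is SEV or higher, e.g. for a triage list of medium+ findings.
findings_at_least() {
  local min
  min=$(severity_rank "$1")
  while IFS="$(printf '\t')" read -r template proto sev target extractor; do
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      printf '%s\t%s\t%s\t%s\t%s\n' "$template" "$proto" "$sev" "$target" "$extractor"
    fi
  done
}
```

In practice you would feed a real run into the parser instead of the constructed sample, for example `nuclei -silent -u http://example.invalid | parse_findings | findings_at_least medium`, and the TSV output can be handed straight to cut, sort, or a spreadsheet for review.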
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks