Web Servers
- Date
- 2026-05-17
Remember that enumeration is an iterative process. After performing our Nmap port scans, make sure to perform detailed enumeration against all open ports based on what is running on the discovered ports. Follow the same process as we did with Nibbles:
- Enumeration/Scanning with Nmap - perform a quick scan for open ports followed by a full port scan
- Web Footprinting - check any identified web ports for running web applications, and any hidden files/directories. Some useful tools for this phase include whatweb and Gobuster
- If you identify the website URL, you can add it to your '/etc/hosts' file with the IP you get in the question below to load it normally, though this is unnecessary.
- After identifying the technologies in use, use a tool such as Searchsploit to find public exploits or search on Google for manual exploitation techniques
- After gaining an initial foothold, use the Python3 pty trick to upgrade to a pseudo TTY
- Perform manual and automated enumeration of the file system, looking for misconfigurations, services with known vulnerabilities, and sensitive data in cleartext such as credentials
- Organize this data offline to determine the various ways to escalate privileges to root on this target
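The scan-then-footprint steps above, as an added example that is not part of the original notes: a small POSIX sh helper that reads the quick Nmap scan (grepable `-oG` output), picks out the open ports that are likely to carry a web application, and prints the follow-up commands (full TCP scan, whatweb, gobuster) so they can be reviewed before being piped to `sh`. The host 10.10.10.75, its port list, and the wordlist path are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the notes): derive the next enumeration stage from a quick
# nmap scan. Input is nmap grepable output; tool commands are printed, not executed.

# Constructed sample of `nmap -sV -oG -` output for a fictional host.
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.75 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 443/open/tcp//ssl|http//nginx 1.18.0/, 3306/open/tcp//mysql//MySQL/, 8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///\tIgnored State: closed (994)\n')

# Print "port/service" for every open TCP port in grepable output read from stdin.
open_ports() {
    awk 'BEGIN { FS = "\t" }
    /^Host:.*Ports:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            sub(/^Ports: /, "", $i)
            n = split($i, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")   # port/state/proto/owner/service/rpc/version/
                if (f[2] == "open" && f[3] == "tcp") print f[1] "/" f[5]
            }
        }
    }'
}

# From open_ports output, keep ports likely to serve a web app; print "port/scheme".
web_ports() {
    awk -F/ '$2 ~ /http/ || $1 == 80 || $1 == 443 || $1 == 8000 || $1 == 8080 || $1 == 8443 {
        print $1 "/" (($2 ~ /ssl|https/ || $1 == 443) ? "https" : "http")
    }'
}

# Print the follow-up commands for HOST: full TCP scan, then whatweb + gobuster per web port.
enum_plan() {
    host=$1
    echo "nmap -p- -sV --open -oA ${host}_full_tcp_scan $host"
    web_ports | while IFS=/ read -r port scheme; do
        echo "whatweb $scheme://$host:$port"
        echo "gobuster dir -u $scheme://$host:$port -w /usr/share/wordlists/dirb/common.txt"
    done
}

# Usage with the constructed sample; replace with: nmap -sV -oG - HOST | open_ports | enum_plan HOST
printf '%s\n' "$SAMPLE_GNMAP" | open_ports | enum_plan 10.10.10.75
```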
There are two ways to gain a foothold—one using Metasploit and one via a manual process. Challenge yourself to work through and understand both methods.
There are two ways to escalate privileges to root on the target after obtaining a foothold. Make use of helper scripts such as LinEnum and LinPEAS to assist you. Filter through the information searching for two well-known privilege escalation techniques.
Web Servers are applications that run on a back-end server with the purpose of handling HTTP traffic from the client-side browser, routing it to requested pages, and responding to the client-side browser.
Web Servers usually run on TCP ports 80 and 443.
Web Applications provide a vast attack surface, making them a high-value target for attackers and pentesters.
The OWASP Top 10 is a standardized list of the top 10 most dangerous web app vulnerabilities maintained by the Open Web Application Security Project (OWASP). They are:
| Number | Category | Description |
|---|---|---|
| 1. | Broken Access Control | Restrictions are not appropriately implemented to prevent users from accessing other users' accounts, viewing sensitive data, accessing unauthorized functionality, modifying data, etc. |
| 2. | Cryptographic Failures | Failures related to cryptography which often lead to sensitive data exposure or system compromise. |
| 3. | Injection | User-supplied data is not validated, filtered, or sanitized by the application. Some examples of injections are SQL injection, command injection, LDAP injection, etc. |
| 4. | Insecure Design | These issues happen when the application is not designed with security in mind. |
| 5. | Security Misconfiguration | Missing appropriate security hardening across any part of the application stack, insecure default configurations, open cloud storage, verbose error messages which disclose too much information. |
| 6. | Vulnerable and Outdated Components | Using components (both client-side and server-side) that are vulnerable, unsupported, or out of date. |
| 7. | Identification and Authentication Failures | Authentication-related attacks that target users' identity, authentication, and session management. |
| 8. | Software and Data Integrity Failures | Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). |
| 9. | Security Logging and Monitoring Failures | This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. |
| 10. | Server-Side Request Forgery | SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). |
Proper web enumeration is critical, especially when an organization is not exposing many services or those services are appropriately patched.
It is always worth checking whether hidden files or directories exist on web servers that are not intended for public access. This can be done with "ffuf" or "GoBuster" by performing directory enumeration.
Sometimes we will find hidden functionality or pages/directories exposing sensitive data that can be leveraged to access the web application, or even to achieve remote code execution on the web server itself.
Website certificates often contain email addresses and the company's name that can be used to conduct a phishing attack.
Robots.txt files provide valuable information such as the location of private files and admin pages.
Source code may also contain very useful information.
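The robots.txt and hidden-directory points above, as an added example that is not part of the original notes: a POSIX sh helper that pulls the Disallow/Allow paths and Sitemap URLs out of a robots.txt (fetched beforehand with, for example, `curl -s http://HOST/robots.txt`), deduplicates them, handles comments and empty directives, and turns them into a small wordlist for gobuster or ffuf. The sample robots.txt and the host 10.10.10.75 are constructed.

```sh
#!/bin/sh
# Added example (not from the notes): mine robots.txt for paths worth checking first.
# All functions read robots.txt text from stdin; probe_paths is the only one that touches the network.

# Constructed sample robots.txt for a fictional host.
SAMPLE_ROBOTS='# robots for example host
User-agent: *
Disallow: /admin/          # management console
Disallow: /backup.zip
Disallow: /cgi-bin/
Allow: /public/
Disallow:
Sitemap: http://10.10.10.75/sitemap.xml
User-agent: Googlebot
Disallow: /admin/
Disallow: /staging/'

# Print each distinct path from Disallow/Allow lines (case-insensitive), ignoring
# comments and the empty "Disallow:" that means "allow everything".
robots_paths() {
    awk '{ sub("#.*", ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
         tolower($0) ~ /^(dis)?allow:[ \t]*\// {
             sub(/^[^:]*:[ \t]*/, "")
             if (!seen[$0]++) print
         }'
}

# Print Sitemap URLs; sitemaps often list pages that directory brute-forcing would miss.
robots_sitemaps() {
    awk '{ sub("#.*", "") } tolower($0) ~ /^[ \t]*sitemap:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print }'
}

# Strip leading/trailing slashes so the paths can be used as a gobuster/ffuf wordlist entry.
robots_words() {
    sed 's#^/##; s#/$##' | grep -v '^$'
}

# Request each path under BASE (e.g. http://10.10.10.75) and print its HTTP status,
# so 200/301/403 responses can be examined by hand first. Needs network access.
probe_paths() {
    base=$1
    while read -r p; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$p")
        echo "$code $base$p"
    done
}

printf '%s\n' "$SAMPLE_ROBOTS" | robots_paths
```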