Tools and Commands
nmap
searchsploit
python
netcat

Recon
Start with an nmap scan:

$ sudo nmap -A -oA nmap 10.10.194.158

The only open port is 80, an Apache/2.4.18 web server. Viewing the web page in a browser, we find it’s the default page for FUEL CMS 1.4, which also gives us some basic info about the CMS. A quick Gobuster scan gives us nothing particularly useful:

$ gobuster dir -u http://10.
The first 23 days are simple bullet points describing how to do the task. Day 24 is a more complete write-up, as it was a more complete challenge!

Table of Contents
[Day 1] Web Exploitation: A Christmas Crisis [encoding]
[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
[Day 3] Web Exploitation: Christmas Chaos [brute force]
[Day 4] Web Exploitation: Santas watching [brute force / fuzzing]
[Day 5] Web Exploitation: Someone stole Santas gift list!