gobuster
Discovers web directories, files, and folders.
How I used it
This is the first program I learned for brute-forcing files and directories on websites.
| Category | What I did | Why I did it |
|---|---|---|
| Brute-Force Directories | Discover hidden directories/files with medium wordlist. | Find admin panels, backup files, forgotten endpoints. |
| Brute-Force Directories | Use `-x` switch to find specific file types. | Sometimes the gold is in `.bak` files or hidden `.txt` notes, like dev notes. |
Proof
- THM Vulnversity - Brute-forced directories.
- THM Brainpan - Tried to find interesting goodies.
Commands I Use Most
Find Juicy Files and Directories
Finding the good stuff
```
┌──(sec㉿kali)-[~]
└─$ gobuster dir -u http://10.10.207.42:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster
```
What I Learned the Hard Way
Choosing the right extension
Spent like an hour getting nothing. Finally checked gobuster usage and realized I needed the -x flag for extensions. Face, meet palm.
Playing with the wordlists
Choose those wordlists carefully. SecLists offers a bunch to play with. But if you get stuck, double back and try bigger, better wordlists and maybe you will find what you are looking for.
When gobuster Let Me Down
I started a box late at night and watched the gobuster results just absolutely crawl. That is when I switched to ffuf.
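The server-side view of the directory brute-forcing in these notes, as an added example that is not part of the original notes: a wordlist run shows up in the access log as one client collecting many distinct 404s in a short window, and the paths that did not return 404 are what it found. The log lines, IP addresses, window and threshold are constructed assumptions, and the log is assumed to be in combined format and in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def find_enumeration(lines, window=timedelta(seconds=10), threshold=10):
    """Map each client with >= threshold distinct 404 paths inside `window`
    to the sorted non-404 paths it requested (what the scan turned up)."""
    recent = defaultdict(deque)  # ip -> (ts, path) of 404s still inside the window
    found = defaultdict(set)     # ip -> paths that did not return 404
    flagged = set()
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status != 404:
            found[ip].add(path)
            continue
        q = recent[ip]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop 404s that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(ip)
    return {ip: sorted(found[ip]) for ip in flagged}

def sample_log():
    """Constructed lines: one client walking a wordlist, one ordinary visitor."""
    start = datetime.strptime("01/Jan/2024:22:00:00 +0000", TS_FMT)
    words = ["admin", "backup", "css", "dev", "images", "internal", "js",
             "notes", "old", "phpmyadmin", "test", "tmp", "uploads", "www"]
    out = []
    for i, w in enumerate(words):
        ts = (start + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        status = 301 if w in ("images", "internal") else 404
        out.append(f'203.0.113.7 - - [{ts}] "GET /{w} HTTP/1.1" {status} 0 "-" "gobuster/3.6"')
    out.append('198.51.100.9 - - [01/Jan/2024:22:00:01 +0000] '
               '"GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"')
    return out

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

The paths returned for a flagged client are the ones worth reviewing first: if they are backup files, notes or admin panels, they should not be reachable from the web root.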