Most companies have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Due to human error or negligence, there may be instances when these pages are not made private, allowing attackers to find hidden pages that show or give access to admin controls or sensitive data.
To begin, type the following command into the terminal to find potentially hidden pages on FakeBank’s website using (a command-line security application).
gobuster -u http://fakebank.thm -w wordlist.txt dir
The command will run and show you an output similar to this:
ubuntu@tryhackme:~/Desktop$ gobuster -u http://fakebank.thm -w wordlist.txt dir ===================================================== Gobuster v2.0.1 OJ Reeves (@TheColonial) ===================================================== [+] Mode : dir [+] Url/Domain : http://fakebank.thm/ [+] Threads : 10 [+] Wordlist : wordlist.txt [+] Status codes : 200,204,301,302,307,403 [+] Timeout : 10s ===================================================== 2024/05/21 10:04:38 Starting gobuster ===================================================== /images (Status: 301) /bank-transfer (Status: 200) ===================================================== 2024/05/21 10:04:44 Finished =====================================================