- GoBuster v2.0.1
- Terminal
- Web Browser
- Ubuntu
Launch Browser and Visit Targeted Site:

Finding Hidden Website Pages:

Open a terminal and run the following command to find potentially hidden and vulnerable pages.
gobuster -u http://fakebank.com -w wordlist.txt dir
In the command above, -u states the website we're scanning, and -w takes a list of words to iterate through to find hidden pages.
You will see that GoBuster scans the website with each word in the list to find pages that exist on the site. In its output, GoBuster lists the page/directory names it found (indicated by Status: 200).
GoBuster is a tool used to brute-force URIs (directories and files) in web sites, DNS subdomains (with wildcard support), virtual host names on target web servers, open Amazon S3 buckets, open Google Cloud buckets and TFTP servers.
A wordlist may contain thousands of words to search through in the .txt file.
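From the server side, the scan described above appears in the access log as one client requesting many different paths and mostly receiving 404s, with the few 200s being the pages it discovered. The following Python check is an added example, not part of the original walkthrough; the log lines, client addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not from the original page): one client walking a
# wordlist, one ordinary visitor. Addresses are from a documentation range.
_REQUESTS = [("203.0.113.7", p, 200 if p in ("/images", "/bank-transfer") else 404)
             for p in ("/admin", "/backup", "/config", "/images", "/login", "/old",
                       "/test", "/bank-transfer", "/secret", "/uploads")]
_REQUESTS += [("203.0.113.50", "/", 200), ("203.0.113.50", "/images", 200),
              ("203.0.113.50", "/favicon.ico", 404)]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:{i:02d} +0000] "GET {path} HTTP/1.1" {status} 153'
    for i, (ip, path, status) in enumerate(_REQUESTS))

# Common Log Format: client, request line and status code are all we need.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})\b')

def find_forced_browsing(log_text, min_paths=8, min_404_ratio=0.7):
    """Return {client: sorted paths that answered 200} for clients whose
    requests look like wordlist enumeration (many distinct paths, mostly 404)."""
    stats = defaultdict(lambda: {"paths": set(), "hits": set(), "missing": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        s = stats[client]
        s["total"] += 1
        s["paths"].add(path)
        if status == 404:
            s["missing"] += 1
        elif status == 200:
            s["hits"].add(path)
    flagged = {}
    for client, s in stats.items():
        if len(s["paths"]) >= min_paths and s["missing"] / s["total"] >= min_404_ratio:
            # The 200 responses are the pages the scan actually discovered.
            flagged[client] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for client, found in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{client}: possible directory brute-force, pages found: {found}")
```

The 200 entries reported for a flagged client are the pages to review first for missing access control.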
Finding Secret Pages:
At this point you will be shown which unprotected pages are vulnerable.
Using TryHackMe's example, with GoBuster in the terminal we found a secret bank transfer page (/bank-transfer) that allows us to transfer money between accounts at the bank.
Type the hidden page's URL into the browser to open it on the FakeBank website.
http://fakebank.com/bank-transfer
From here we were able to enter account details and transfer funds from one bank account to another.
Mission Complete:


