
Web Enumeration

Alvin Smith edited this page Sep 10, 2021 · 16 revisions

Magic Zero

/data/0

Curl

-X, --request <command> Specify request command to use
-i, --include           Include protocol response headers in the output

curl -i url -X OPTIONS

Apache Tomcat

Check for manager, host-manager, ROOT or examples as the first path entry

Then try a recursive-depth fuzz for things like status and jmxproxy

Path Traversal

https://www.acunetix.com/vulnerabilities/web/tomcat-path-traversal-via-reverse-proxy-mapping/

https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#double-url-encode

AJP

https://github.com/hypn0s/AJPy

RCE

http://Apache.Tomcat/manager/jmxproxy/..;/html
https://Apache.Tomcat/manager/status/..;/html
POST /manager/status/..;/html/upload...
POST /manager/jmxproxy/..;/html/upload...

https://book.hacktricks.xyz/pentesting/pentesting-web/tomcat#rce
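The `..;/` segments and double-URL-encoded dots above only work because a reverse proxy and Tomcat normalise paths differently: the proxy forwards the raw string, Tomcat strips the `;` path parameter and resolves `..`, and the request lands on /manager/html. On the defending side the useful check is to normalise the path the way Tomcat will before deciding whether a request reached the manager. The script below is an added example (not from this wiki or the Tomcat project) that does that over constructed Tomcat access-log lines: it percent-decodes up to twice, strips `;param` segments, collapses dot segments, and flags requests that reach /manager or /host-manager only through such an evasion. Log lines, IPs and the `SENSITIVE_PREFIXES` list are assumptions chosen for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat's common access-log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:12:00:01 +0000] "GET /manager/status/..;/html HTTP/1.1" 200 1532
10.0.0.5 - - [10/Sep/2021:12:00:02 +0000] "POST /manager/jmxproxy/..;/html/upload HTTP/1.1" 200 88
10.0.0.7 - - [10/Sep/2021:12:00:03 +0000] "GET /examples/%252e%252e/manager/html HTTP/1.1" 404 0
10.0.0.9 - - [10/Sep/2021:12:00:04 +0000] "GET /app/data/0 HTTP/1.1" 200 512
10.0.0.9 - - [10/Sep/2021:12:00:05 +0000] "GET /manager/html HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed list of admin apps worth alerting on; extend to match the deployment.
SENSITIVE_PREFIXES = ("/manager", "/host-manager")


def normalize_path(path):
    """Resolve a request path roughly the way Tomcat does before routing it."""
    decoded = path
    for _ in range(2):  # a second pass catches %252e (double-encoded '.')
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Tomcat drops ';param' from each segment, so '/..;/' becomes '/../'.
    stripped = re.sub(r';[^/]*', '', decoded)
    parts = []
    for seg in stripped.split('/'):
        if seg == '..':
            if parts:
                parts.pop()
        elif seg and seg != '.':
            parts.append(seg)
    return '/' + '/'.join(parts)


def classify(path):
    """Return (normalized path, True if an admin app is reached via an evasion)."""
    norm = normalize_path(path)
    reaches_admin = norm.startswith(SENSITIVE_PREFIXES)
    once = unquote(path)
    evasive = ('..' in once) or (';' in once) or (unquote(once) != once)
    return norm, reaches_admin and evasive


def scan_log(text):
    """Yield one record per log line that reaches an admin app through traversal tricks."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm, suspicious = classify(m['path'])
        if suspicious:
            hits.append({'ip': m['ip'], 'method': m['method'], 'raw': m['path'],
                         'normalized': norm, 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['raw']} -> {hit['normalized']} ({hit['status']})")
```

A plain `GET /manager/html` is not flagged (the 401 is the normal auth prompt), while the three evasive requests are, including the double-encoded one even though Tomcat answered 404. The proper fix is to avoid prefix-based proxy mappings into Tomcat and to restrict the manager apps by address; the scan only shows whether the trick has been tried.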

Ffuf POST

Copy the request from Repeater and save it to a file
ffuf -X POST -request saved.txt -w /usr/share/wordlists/seclists/Fuzzing/SQLi/quick-SQLi.txt:PARAM1 -w /usr/share/wordlists/seclists/Fuzzing/SQLi/quick-SQLi.txt:PARAM2 -t 200 -c -mode pitchfork -mc all -request-proto http

Look carefully

Try not to overlook things

  • Even a 403 can sometimes give you an exploitable service version
  • Nmap can provide a service version even when it's not exploitable
  • /var/SERVICE_NAME/conf: look into the config files if the common ways are not working

VHOST

gobuster vhost -u horizontall.htb -w list.txt
ffuf -w list.txt:FUZZ -u http://horizontall.htb -H 'Host: FUZZ.horizontall.htb'
Try DNS mode when the above two haven't worked after 10-15 mins

gobuster dns -d horizontall.htb -w list.txt
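The gobuster/ffuf vhost runs above send one request per wordlist entry, each with a different Host header, usually within seconds. From the server side that is an easy pattern to spot if the access log records the Host header. The script below is an added example, not from this wiki or either tool, that parses constructed log lines in a combined format extended with the Host header as the last quoted field, and reports any client IP that used at least `min_distinct` different Host values inside a sliding time window. The log format, IPs and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the last quoted field is the Host header (assumed log format).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:13:00:01 +0000] "GET / HTTP/1.1" 200 612 "ffuf/1.3.1" "admin.horizontall.htb"
10.0.0.5 - - [10/Sep/2021:13:00:01 +0000] "GET / HTTP/1.1" 200 612 "ffuf/1.3.1" "api.horizontall.htb"
10.0.0.5 - - [10/Sep/2021:13:00:02 +0000] "GET / HTTP/1.1" 200 612 "ffuf/1.3.1" "dev.horizontall.htb"
10.0.0.5 - - [10/Sep/2021:13:00:02 +0000] "GET / HTTP/1.1" 200 612 "ffuf/1.3.1" "staging.horizontall.htb"
10.0.0.5 - - [10/Sep/2021:13:00:03 +0000] "GET / HTTP/1.1" 200 612 "ffuf/1.3.1" "test.horizontall.htb"
10.0.0.5 - - [10/Sep/2021:13:00:03 +0000] "GET / HTTP/1.1" 200 4101 "ffuf/1.3.1" "api-prod.horizontall.htb"
10.0.0.9 - - [10/Sep/2021:13:00:05 +0000] "GET / HTTP/1.1" 200 612 "Mozilla/5.0" "horizontall.htb"
10.0.0.9 - - [10/Sep/2021:13:30:00 +0000] "GET / HTTP/1.1" 200 612 "Mozilla/5.0" "www.horizontall.htb"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+ "[^"]*" "(?P<host>[^"]*)"$'
)


def parse(text):
    """Group (timestamp, host) events per client IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events[m['ip']].append((ts, m['host'].lower()))
    return events


def find_vhost_scanners(text, window_seconds=60, min_distinct=5):
    """Return {ip: max distinct Host values seen within any window} for IPs over the threshold."""
    alerts = {}
    for ip, evs in parse(text).items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside window_seconds.
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            distinct = len({host for _, host in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            alerts[ip] = best
    return alerts


if __name__ == '__main__':
    print(find_vhost_scanners(SAMPLE_LOG))
```

With the defaults only 10.0.0.5 is reported (six hosts in two seconds); 10.0.0.9 used two hosts half an hour apart, which is ordinary browsing. Note that the five default-vhost answers all have the same size (612) and one host answers differently, which is exactly the size difference the fuzzers key on, so a catch-all default vhost that returns the same response regardless of Host removes most of what the scan can learn.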

When you hit a wall

The service might be bound to 127.0.0.1 only; pivot and try again
