How I got swag from an RDP by just creating a sitemap via wayback and fuzzing that sitemap with ffuf

Virdoexhunter
3 min read · Jan 15, 2021

Hello hackers, this is Deepak Dhiman from India and I hope you are all doing well. This writeup is about how I found an interesting endpoint on a target just by building a sitemap, on an RDP (responsible disclosure program) named Prepladder. Without wasting time, let's get to the main point.

So one day I was testing this target and I found an endpoint named demo, but that URL was dead (RIP, lol). So I tried one thing: why don't I check this endpoint on all the other domains of that target? I got a 200 OK on one domain, which was luckily out of scope and not very sensitive. So I ran dirsearch on the in-scope domains, but that did not work.

From that demo endpoint I got an idea: why don't I generate a sitemap of the target using waybackurls? You may ask why I need to build a sitemap of endpoints from them instead of just running ffuf on all the URLs. I am saying this because I noticed in wayback that if there is a URL like a.target.com/juicy in wayback that no longer exists, it is possible that this endpoint still exists on their new domain or on another domain like b.target.com. That is what I noticed.

For wayback URLs I used tomnomnom's waybackurls tool, which you can find on GitHub.

How I generate a sitemap wordlist using waybackurls:

cat alive.txt | waybackurls | cut -d "/" -f4,5,6,7,8,9 | tee -a waybackwordlist.txt

Then I run ffuf on all alive domains with this wordlist:

ffuf -w alive.txt:URL -w waybackwordlist.txt:DIR -u URL/DIR -t 300 -mc 200,403 -of html -o sitemap.html
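As an added example (my own script, not the author's, using the hypothetical hosts a.example.com and b.example.com and a constructed list of archived URLs), the following POSIX shell script does the same two steps with a little more care: it strips query strings and fragments from the archived URLs, drops duplicates, emits every prefix of each path, and then expands the wordlist against every live host exactly the way the ffuf invocation above does with -w alive.txt:URL -w waybackwordlist.txt:DIR -u URL/DIR, so the size of the request set is known before anything is sent.

```sh
#!/bin/sh
# Added example, not the author's code. Builds a path wordlist from archived
# URLs and expands it against live hosts. Runs offline on constructed data.

# Constructed sample of what `cat alive.txt | waybackurls` might print.
SAMPLE_URLS='https://a.example.com/demo
https://a.example.com/demo/
https://a.example.com/admin/attendance?month=1
http://b.example.com/static/js/app.js
https://a.example.com/#top
https://a.example.com'

# stdin: absolute URLs, one per line.  stdout: unique path prefixes.
# Strips scheme and host, query string and fragment, leading and trailing
# slashes, then prints every prefix of the path, so /admin/attendance
# contributes both "admin" and "admin/attendance".
wayback_wordlist() {
  sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://[^/]*||' \
      -e 's|[?#].*$||' \
      -e 's|^/||' -e 's|/*$||' |
  awk -F/ '$1 != "" {
    p = ""
    for (i = 1; i <= NF; i++) { p = (i == 1) ? $i : p "/" $i; print p }
  }' |
  LC_ALL=C sort -u
}

# $1: newline-separated live base URLs, scheme included (ffuf's -u needs a
# full URL).  stdin: wordlist.  stdout: one candidate URL per host/path
# pair, the same cross product ffuf walks with -u URL/DIR.
candidate_urls() {
  awk -v hostlist="$1" '
    BEGIN { n = split(hostlist, hosts, "\n") }
    $0 != "" { for (i = 1; i <= n; i++) if (hosts[i] != "") print hosts[i] "/" $0 }'
}

# Line counter without the leading spaces some wc builds print.
count_lines() { wc -l | tr -d ' '; }

# Demo: show the wordlist and how many requests the fuzzing job would make.
main() {
  hosts='https://a.example.com
https://b.example.com'
  words=$(printf '%s\n' "$SAMPLE_URLS" | wayback_wordlist)
  echo "wordlist:"
  echo "$words"
  echo "candidate requests: $(echo "$words" | candidate_urls "$hosts" | count_lines)"
}

main
```

Two details worth keeping in mind when adapting the one-liners from the post: the cut fields start at 4 because waybackurls prints the scheme, so alive.txt should carry a scheme too or the -u URL/DIR template will not form a valid URL; and emitting every path prefix rather than only full paths is what lets a path that moved or was partly renamed on b.target.com still turn up as a hit.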

And I found an interesting endpoint named attendance. Visiting it, I could add an employee on the target, delete any employee, and also check the attendance of all employees; I could even upload fake attendance.

So I just took screenshots, wrote a good report, and got swag from the target.

If you liked this, please give me a follow on Twitter and Instagram.

https://twitter.com/Virdoex_hunter

https://www.instagram.com/virdoex_hunter/

Program: RDP (Prepladder)

Bounty: Swag

Thanks for reading.
