[OSCP] Directory Brute Force with Gobuster


gobuster: a tool for finding hidden directories

For the command itself, you can just google the usage and plug in the VM IP you looked up,

but what I'm unsure about is how you are supposed to know where that common.txt file is located.


  1. We have been tasked to test the SMS two-factor authentication of a newly developed web application. The SMS verification code is made up of four digits. Which Burp tool is most suited to perform a brute force attack against the keyspace?
    --> Intruder
  2. Repeat the steps we covered in this Learning Unit and enumerate the targets via Nmap, Wappalyzer and Gobuster by starting Walkthrough VM 1. When performing a file/directory brute force attack with Gobuster, what is the HTTP response code related to redirection?
    --> 301
  3. Start up the Walkthrough VM 1 and replicate the steps we covered in this Learning Unit for using Burp Suite. What is the default port the Burp proxy is listening on?
    --> 8080
  4. We have a lot of mess on our hands, and the new DIRTBUSTER cleaning service is just what we need to help with the cleanup! You can visit their new site on the Module Exercise VM #1, but it is still under development. We wonder where they hid their admin portal. Once you have found the admin portal, log in with the provided credentials to obtain the flag.
    --> OS{a26ee248720f80e6774956a733cd74d7}
  5. The DIRTBUSTER team finally changed their default credentials, but they are not very original. We compiled a list at http://target_vm/passwords.txt of potential passwords from the DIRTBUSTER employee contact info - I am confident the password is in there somewhere. The username is still admin, and the new login portal is available at the web server root folder on the Module Exercise VM #2.
    --> OS{cad47e21950f4e88ad9422ccd3154b1f}
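The other side of the directory brute force described above (and of the 301 redirect asked about in question 2) is what it looks like in the web server's access log: one source address producing a burst of 404s for guessed paths, with the occasional 301 marking a directory that really exists. The script below is an added example written for this post, not code from the original post or from the Gobuster project; the combined-log regular expression, the field names, the thresholds and all of the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log prefix (client, timestamp, request line, status, size).
# This layout is an assumption for the example; adapt it to your server's LogFormat.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def status_counts(lines):
    """Per-client tally of HTTP status codes, e.g. {"10.0.0.5": {404: 6, 301: 1}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]][rec["status"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def detect_dir_bruteforce(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: peak_404s} for clients that produced >= threshold 404s
    inside any sliding time window of the given length (a wordlist scan)."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the left edge forward until the window fits.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample log (not real traffic): 10.0.0.5 guesses paths from a
# wordlist and gets 404s, then hits a real directory and receives a 301;
# 192.0.2.10 is an ordinary visitor with one broken link.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:30 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.git HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /db HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.5"',
    '10.0.0.5 - - [10/Oct/2023:13:55:42 +0000] "GET /admin HTTP/1.1" 301 312 "-" "gobuster/3.5"',
    '192.0.2.10 - - [10/Oct/2023:13:55:50 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, codes in status_counts(SAMPLE_LOG).items():
        print(ip, codes)
    print("flagged:", detect_dir_bruteforce(SAMPLE_LOG))
```

The sliding window matters more than the raw count: a busy site accumulates plenty of 404s per client over a day, but a wordlist scan packs dozens into a few seconds. The 301 entries are worth keeping in the per-client tally too, since they show which guessed directories the scanner actually confirmed, which is what a responder needs when deciding what was exposed.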

Now that we've found passwords_list, let's feed admin / the list into Intruder through Burp Suite.
