I had a need for a tool the other day and when I searched for:   "php parameter brute force tool" -- I came up with Parameth.  The description states:  "This tool can be used to brute discover GET and POST parameters.  Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them."

I've only played with this a bit and it doesn't seem to work on everything but it did work when I needed it. 

 “How I Hacked Your Small Business… and How You Could Have Stopped Me” is the title of a talk I gave earlier this year at BSides College Station – back before Corona Virus had us all on lockdown.  The point of the talk is to give a step-by-step walkthrough of how I’d build an anonymous attack platform and set about to take over the infrastructure of a small business.  It wasn’t a blueprint but it was near close because I wanted to show small business owners and small business defenders what it would look like.  In the middle of the talk, I flip the script and I proceed to go into the steps for stopping me.  While this post isn’t that talk, there are some overlaps.  In my day to day work, I see the same issues time and time again and there are some points in my Bsides talk that are worth repeating.

The description states:  "Like its name, this box contains some interesting things about CMS. It has been designed in way to enhance user's skills while playing with some preveleges. Its a quite forward box but stay aware of rabbit holes."

I think the description pretty much nails it.  It's beginner to intermediate -- I think leaning definitely towards beginner but there are some rabbit holes that you might want to hammer on that could lead to some lost time.  I don't want to get too deep into it so let's kick it off with Nmap: