Webroot
Webroot of the target port 80.
The Nmap scan showed that the target is hosting a web server on IIS 7.5 on port 80.
It appears to be a custom website.
Wappalyzer also identified the technologies involved.
The web application is built on ASP.NET 2.0.50727.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/bounty]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt -u http://$IP/FUZZ -ic
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.93/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
iisstart.htm [Status: 200, Size: 630, Words: 25, Lines: 32, Duration: 31ms]
Transfer.aspx [Status: 200, Size: 941, Words: 89, Lines: 22, Duration: 73ms]
:: Progress: [37050/37050] :: Job [1/1] :: 1320 req/sec :: Duration: [0:00:29] :: Errors: 1 ::
Fuzzing the web server for files reveals /Transfer.aspx.
┌──(kali㉿kali)-[~/archive/htb/labs/bounty]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.10.93/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
aspnet_client [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 33ms]
uploadedfiles [Status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 33ms]
:: Progress: [20476/20476] :: Job [1/1] :: 1284 req/sec :: Duration: [0:00:16] :: Errors: 0 ::
ffuf also found a non-default directory: /uploadedfiles/.
/Transfer.aspx
Browsing to /Transfer.aspx reveals a file upload feature.
I uploaded test.jpg for testing.
Given the fact that there is a directory called /uploadedfiles/, I figured that's where uploaded files get stored.
However, test.jpg isn't available at all in that directory.
It is quite possible that a filter or a renaming scheme is in place for security purposes.
Attempting to upload an ASPX web shell, cmdasp.aspx, revealed a few things:
- An extension filter is in place (.aspx can't be uploaded)
- cmdasp.aspx.jpg could be uploaded once given the JPG magic number (FF D8 FF E0)
- Uploaded files couldn't be located or accessed in the first place
- Yet the web app returns a different 404 page compared to the one above
During my research, I found an interesting article that provides a workaround.
There is a way to bypass the upload filter in place: uploading a malicious web.config file containing ASP code, which overwrites the web server's configuration for that directory.
It only works if web.config is allowed through the upload filter (on the whitelist, or not on the blacklist).
Testing code
It should display 3 if the ASP code at the bottom executes, as the highlighted part suggests.
The testing web.config file is uploaded.
This first tells me that web.config is either whitelisted or not blacklisted.
Navigating to /uploadedfiles/web.config reveals that the ASP code executes, as it displays 3.
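The findings above (an extension blocklist that still accepted cmdasp.aspx.jpg and web.config) map onto specific gaps in upload validation. The following is an added example written for this writeup, not code from the Bounty box or its upload handler; it assumes an image-only upload feature and shows the checks that close each gap: an extension allowlist instead of a blocklist, every extension segment inspected, reserved IIS file names rejected, content checked against the declared type, and a server-chosen storage name.

```python
import os
import secrets
from typing import Tuple

# Extensions the upload feature actually needs (assumed for this example).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Magic numbers for the allowed types; the content must match the extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Names IIS/ASP.NET treats as configuration regardless of their content.
RESERVED_NAMES = {"web.config", "global.asax", "machine.config"}
# Segments IIS would hand to a handler; checked in every position so that
# cmdasp.aspx.jpg is rejected, not just cmdasp.aspx.
EXEC_SEGMENTS = {"asp", "aspx", "ashx", "asmx", "asax", "config"}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); the first failing check wins."""
    # Strip any client-supplied path and normalise case before matching.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if not name or name in RESERVED_NAMES:
        return False, "reserved or empty file name"
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing base name or extension"
    for seg in parts[1:]:
        if seg in EXEC_SEGMENTS:
            return False, f"executable or config segment .{seg}"
    if len(parts) > 2:
        return False, "multiple extensions"
    ext = "." + parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext} not in allowlist"
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name: the client-supplied name never reaches disk."""
    return secrets.token_hex(16) + ext
```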