Web


Nmap discovered a web server on the target port 80. The running service is Microsoft IIS httpd 10.0

Webroot

The website appears vague

There is a section dedicated to receiving a newsletter, but it doesn’t appear to be functional

PDF Documents


There is also what appears to be a Documents section containing 2 hyperlinks to 2 PDF files, which were mapped by the passive crawler in Burp Suite

The content of those 2 PDF files is nothing more than Lorem Ipsum

┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ wget -q http://$IP/documents/2020-01-01-upload.pdf ; wget -q http://$IP/documents/2020-12-15-upload.pdf

Downloading those 2 PDF files for further review

File Name


┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ file 2020-01-01-upload.pdf 2020-12-15-upload.pdf
2020-01-01-upload.pdf: PDF document, version 1.5
2020-12-15-upload.pdf: PDF document, version 1.5

While I have identified the version information of those 2 PDF files, their file naming structure also came to my attention. There appears to be a naming convention for PDF files: <YEAR>-<MONTH>-<DATE>-upload.pdf

This observation hints at the possibility of the existence of additional PDF files. If that’s the case, I might consider conducting fuzzing

Metadata


┌──(kali㉿kali)-[~/…/htb/labs/intelligence/pdf]
└─$ exiftool 2020-01-01-upload.pdf 2020-12-15-upload.pdf 
======== 2020-01-01-upload.pdf
ExifTool Version Number         : 12.65
File Name                       : 2020-01-01-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2023:02:08 17:01:03+01:00
File Access Date/Time           : 2023:09:26 15:10:11+02:00
File Inode Change Date/Time     : 2023:02:08 17:01:03+01:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : William.Lee
======== 2020-12-15-upload.pdf
ExifTool Version Number         : 12.65
File Name                       : 2020-12-15-upload.pdf
Directory                       : .
File Size                       : 27 kB
File Modification Date/Time     : 2023:02:08 17:01:26+01:00
File Access Date/Time           : 2023:09:26 15:10:18+02:00
File Inode Change Date/Time     : 2023:02:08 17:01:26+01:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Creator                         : Jose.Williams
    2 image files read

Checking the metadata reveals the usernames in the Creator field:

  • William.Lee
  • Jose.Williams

  • Those 2 names suggest the naming convention that the target domain uses: <FIRSTNAME>.<LASTNAME>
  • This information could be leveraged to effectively extract valid domain users by performing an additional brute-force attack on the target KDC server
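
On the publishing side, the Creator leak shown above can be caught before documents reach the web server. The following is an added example, not part of the original write-up: a pre-publication check that reads identity fields from a PDF's Info dictionary and flags values that look like account names. It assumes the metadata is stored as uncompressed literal or hex strings (metadata inside object streams or XMP still needs a tool such as exiftool); the regex for account-style names, the function names and the sample bytes are constructed for illustration.

```python
import re

# PDF Info-dictionary keys that commonly carry a person or account name.
IDENTITY_KEYS = ("Author", "Creator", "Producer")
# Assumption: an account-style value looks like Firstname.Lastname.
ACCOUNT_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+$")
# /Key followed by a literal string (...) or a hex string <...>.
ENTRY_RE = re.compile(
    rb"/(" + "|".join(IDENTITY_KEYS).encode() + rb")\s*"
    rb"(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)"
)

# Constructed sample: a minimal PDF fragment, not one of the files above.
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj\n<< /Creator (Alex.Example) /Producer (pdfTeX-1.40.21)\n"
    b"   /Author <FEFF004A002E0044006F0065> >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)


def _decode(literal, hexstr):
    """Turn a PDF literal or hex string into text."""
    if hexstr is not None:
        digits = re.sub(rb"\s", b"", hexstr).decode("ascii")
        raw = bytes.fromhex(digits + "0" * (len(digits) % 2))  # odd length pads with 0
    else:
        # Simplified unescape: keep the escaped character, no octal handling.
        raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def audit_pdf(data):
    """Return (key, value, account_style) for each identity field in raw PDF bytes."""
    findings = []
    for m in ENTRY_RE.finditer(data):
        value = _decode(m.group(2), m.group(3)).strip()
        if value:
            findings.append((m.group(1).decode(), value, bool(ACCOUNT_RE.match(value))))
    return findings


if __name__ == "__main__":
    for key, value, account_style in audit_pdf(SAMPLE_PDF):
        flag = "  <- account-style name" if account_style else ""
        print(f"{key}: {value}{flag}")
```

Any finding flagged as account-style is a reason to strip or rewrite the field before the document is published.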