Web
Nmap has enumerated that the target system is hosting a web server running IIS 7.5 on port 1337. That is an unusual port for a web server, so it is worth a closer look.
Web Root
It's the default IIS installation page.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/iis.fuzz.txt -u http://$IP:1337/FUZZ -ic
/aspnet_client/ [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 38ms]
:: Progress: [210/210] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 1 ::
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ffuf -c -w /usr/share/wordlists/iisfinal.txt -u http://$IP:1337/aspnet_client/FUZZ -ic
system_web [status: 301, Size: 172, Words: 9, Lines: 2, Duration: 29ms]
:: Progress: [1305/1305] :: Job [1/1] :: 1356 req/sec :: Duration: [0:00:01] :: Errors: 1 ::
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ffuf -c -w /usr/share/wordlists/iisfinal.txt -u http://$IP:1337/aspnet_client/system_web/FUZZ -ic
2_0_50727 [status: 301, Size: 182, Words: 9, Lines: 2, Duration: 29ms]
2_0_50727/ [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 29ms]
4_0_30319 [status: 301, Size: 182, Words: 9, Lines: 2, Duration: 32ms]
4_0_30319/ [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 31ms]
:: Progress: [1305/1305] :: Job [1/1] :: 1143 req/sec :: Duration: [0:00:01] :: Errors: 1 ::
Fuzzing with the IIS-specific wordlists doesn't reveal anything interesting; only the default installation files and directories (/aspnet_client/ and the ASP.NET version folders beneath it) show up, and they all answer 403.
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-big.txt -u http://$IP:1337/FUZZ/ -ic
orchard [status: 500, Size: 3026, Words: 683, Lines: 73, Duration: 58ms]
secure_notes [status: 200, Size: 471, Words: 40, Lines: 3, Duration: 29ms]
%5c [status: 200, Size: 689, Words: 25, Lines: 32, Duration: 28ms]
aspnet_client [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 31ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 1388 req/sec :: Duration: [0:16:12] :: Errors: 0 ::
Providing a larger, general-purpose wordlist turns up two interesting directories (/orchard/ answers with HTTP 500, /secure_notes/ with 200):
/orchard/
/secure_notes/
Navigating to /secure_notes/ reveals a directory listing with two files:
dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
web.config
Dev Note
┌──(kali㉿kali)-[~/…/htb/labs/mantis/secure_notes]
└─$ cat dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.
Credentials stored in secure format
OrchardCMS admin creadentials 010000000110010001101101001000010110111001011111010100000100000001110011011100110101011100110000011100100110010000100001
SQL Server sa credentials file namez
dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt appears to be a developer's to-do list. It points out:
- A SQL Server 2014 Express instance with a user named admin and a database named orcharddb
- A running instance of OrchardCMS, hosted on the target on port 8080
- The OrchardCMS admin credential, stored as a string of bits
- The SQL Server sa credential, which the last line hints is stored in a "file name"
The string of bits is 120 bits long, i.e. 15 groups of 8, and each group decodes to one ASCII character. Turning it into ASCII gives the OrchardCMS admin password:
@dm!n_P@ssW0rd!
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ ll secure_notes
total 12K
4.0K drwxr-xr-x 3 kali kali 4.0K Oct 10 01:00 ..
4.0K drwxr-xr-x 2 kali kali 4.0K Oct 10 00:16 .
4.0K -rw-r--r-- 1 kali kali 912 Sep 13 2017 dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.tx
The file name itself also contains what looks like a base64 string, which matches the note's hint that the sa credentials are in the "file name":
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ hurl -b "NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx"
Original string :: NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx
base64 DEcoded string :: 6d2424716c5f53405f504073735730726421
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ hurl -x "6d2424716c5f53405f504073735730726421"
Original HEX :: 6d2424716c5f53405f504073735730726421
ASCII/RAW DEcoded :: m$$ql_S@_P@ssW0rd!
m$$ql_S@_P@ssW0rd!
Interesting. The file name decodes in two layers: base64 to a string of hex digits, then hex to ASCII. Based on the context (the note's last line), this is the password for the SQL Server sa account.
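Both decodes above are mechanical, so here is an added example (my own code, not part of the original writeup and not from hurl or any other tool it uses) that reproduces them and generalises the second one into a loop that peels encoding layers until the result stops being decodable printable text. The constants BITS and FILENAME are copied from the dev note; the function names and the binary/hex/base64 detection order are my own assumptions.

```python
import base64
import binascii
import string

# Copied from the dev note found in /secure_notes/ (same values as on the page).
BITS = ("01000000011001000110110100100001011011100101111101010000010000000111001101110011"
        "0101011100110000011100100110010000100001")
FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"

# Characters we accept as a "readable" decode result.
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_bit_string(bits: str) -> str:
    """Decode a string of '0'/'1' characters as 8-bit ASCII (the OrchardCMS admin password)."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bit string contains non-binary characters")
    if len(bits) % 8:
        raise ValueError(f"bit string length {len(bits)} is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def extract_token(filename: str) -> str:
    """Pull the encoded token out of dev_notes_<token>.txt.txt (assumed layout)."""
    stem = filename.split(".", 1)[0]        # 'dev_notes_<token>'
    return stem.split("_", 2)[2]            # '<token>'


def decode_base64_hex(token: str) -> str:
    """base64 -> hex digits -> ASCII, the two layers the file name uses (the sa password)."""
    hex_digits = base64.b64decode(token, validate=True).decode("ascii")
    return binascii.unhexlify(hex_digits).decode("ascii")


def _printable(data: bytes) -> bool:
    try:
        return all(ch in PRINTABLE for ch in data.decode("ascii"))
    except UnicodeDecodeError:
        return False


def peel(token: str, max_layers: int = 5) -> list:
    """Generalisation: strip binary / hex / base64 layers until a decode fails or stops
    being printable ASCII. Returns the chain [(layer, value), ...], raw value first.
    Detection order matters: a hex string is also valid base64 when its length is a
    multiple of 4, so the narrower alphabets are tried first."""
    chain = [("raw", token)]
    cur = token
    for _ in range(max_layers):
        decoded = None
        if set(cur) <= {"0", "1"} and len(cur) % 8 == 0:
            decoded = ("binary", bytes(int(cur[i:i + 8], 2) for i in range(0, len(cur), 8)))
        elif set(cur) <= set(string.hexdigits) and len(cur) % 2 == 0:
            decoded = ("hex", binascii.unhexlify(cur))
        elif set(cur) <= set(string.ascii_letters + string.digits + "+/=") and len(cur) % 4 == 0:
            try:
                decoded = ("base64", base64.b64decode(cur, validate=True))
            except binascii.Error:
                decoded = None
        # Stop when nothing matched or the result is not readable text
        # (e.g. 'dead' is valid hex but decodes to unprintable bytes, so it is kept as-is).
        if decoded is None or not _printable(decoded[1]):
            break
        cur = decoded[1].decode("ascii")
        chain.append((decoded[0], cur))
    return chain


def recover_credentials(bits: str = BITS, filename: str = FILENAME) -> dict:
    """Both secrets from the note, keyed by the account the note associates them with."""
    return {
        "orchard_admin": decode_bit_string(bits),
        "mssql_sa": decode_base64_hex(extract_token(filename)),
    }


if __name__ == "__main__":
    for account, secret in recover_credentials().items():
        print(f"{account}: {secret}")
    for layer, value in peel(extract_token(FILENAME)):
        print(f"{layer:>7}: {value}")
```

The printable check in peel is what keeps the loop from over-decoding: a recovered password that happens to consist only of hex digits would otherwise be unhexlified into garbage, so a layer is only accepted when its output is still readable ASCII.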
Now that I have at least two passwords, I could spray them against the users discovered earlier.
However, I will first check the running OrchardCMS instance mentioned in the note.