Web
Nmap discovered a web server on target port 450.
The running service is Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP); the response headers below show it fronting IIS 10.0 with ASP.NET 4.0.30319.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ curl -I http://$IP:450/
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2128
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 26 Feb 2025 12:31:37 GMT
Webroot
It’s a login page to a custom ASP.NET web application.
SQLi
SQLi entry point discovered.
The username field of the login form is vulnerable to SQL injection.
Based on the error message returned by the application, the backend DB appears to be MSSQL.
Given that this is a login page that echoes the raw SQL error back to the client, both error-based and blind SQLi are possible.
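As an added illustration (not code from the target application), the two login-handler patterns that decide whether the username field behaves as found above: a query built by string concatenation, which lets input alter the SQL and leaks SqlException text to the browser, beside a parameterized version that also swallows the error detail. The connection, the Users table and its Username/Password columns are assumed names.

```csharp
// Added example, not from the original writeup. Table/column names are assumptions.
// Passwords are compared as stored values here for brevity; store hashes in practice.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // VULNERABLE: user input is spliced into the SQL text, so a quote in the
    // username changes the query structure. Letting the SqlException message
    // reach the response page is what turns this into error-based SQLi and
    // fingerprints the backend as MSSQL.
    public static bool LoginVulnerable(SqlConnection conn, string username, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '" + username +
                     "' AND Password = '" + password + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;   // SqlException propagates to the page
        }
    }

    // FIXED: the query text is constant and the input travels as typed
    // parameters, so quotes and comment sequences are data, never syntax.
    public static bool LoginSafe(SqlConnection conn, string username, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Username = @user AND Password = @pass";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 100).Value = password;
            try
            {
                return (int)cmd.ExecuteScalar() > 0;
            }
            catch (SqlException ex)
            {
                // Keep the detail server-side; the client sees only a generic
                // failure, which removes the error oracle and the DBMS banner.
                Console.Error.WriteLine("login query failed, error " + ex.Number);
                return false;
            }
        }
    }
}
```

The same parameter binding applies to every other form field the page reaches the database with, not only the one the error message happened to expose.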
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/butch]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:450/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.238.63:450/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
dev [Status: 301, Size: 153, Words: 9, Lines: 2, Duration: 21ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1612 req/sec :: Duration: [0:00:11] :: Errors: 0 ::
/dev/
/dev/site.master.txt
The official Microsoft documentation for site.master indicates that this file provides a template for every page on an ASP.NET MVC-style application.
The file confirms that the application's backend is written in C#, that a site.master file is used as the page template, and that such a file typically resides in the web root.
A site.master file can also contain arbitrary C# code, a detail the Microsoft documentation does not mention. This may be leveraged for code execution.