2 :80 IIS

http://10.10.10.97 > http://10.10.10.97/login.php
Secure Notes Login
# wappalyzer shows PHP 7.2.7 with IIS!

# default admin:admin fails
# user enumeration is possible

http://10.10.10.97/register.php
can register
# registered using kashz:iamkashz

# login using kashz:iamkashz
http://10.10.10.97/home.php
| Due to GDPR, all users must delete any notes that contain Personally Identifable Information (PII). Please contact tyler@secnotes.htb using the contact link below with any questions. 
# there is a notes section

# valid username (checked via login enum)
tyler@secnotes.htb

$ gobuster dir -u http://10.10.10.97 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/register.php         (Status: 200) [Size: 1569]
/home.php             (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 1223]
/contact.php          (Status: 302) [Size: 0] [--> login.php]
/db.php               (Status: 500) [Size: 1208]
/logout.php           (Status: 302) [Size: 0] [--> login.php]
/auth.php             (Status: 500) [Size: 1208]

# process 
1. sqli?
2. template injection after logging in via notes?

