2 :80 IIS
http://10.10.10.97 > http://10.10.10.97/login.php
Secure Notes Login
# wappalyzer shows PHP 7.2.7 with IIS!
# default admin:admin fails
# user enumeration is possible
http://10.10.10.97/register.php
can register
# registered using kashz:iamkashz
# login using kashz:iamkashz
http://10.10.10.97/home.php
| Due to GDPR, all users must delete any notes that contain Personally Identifable Information (PII). Please contact tyler@secnotes.htb using the contact link below with any questions.
# there is a notes section
# valid username (checked via login enum)
tyler@secnotes.htb
$ gobuster dir -u http://10.10.10.97 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/register.php (Status: 200) [Size: 1569]
/home.php (Status: 302) [Size: 0] [--> login.php]
/login.php (Status: 200) [Size: 1223]
/contact.php (Status: 302) [Size: 0] [--> login.php]
/db.php (Status: 500) [Size: 1208]
/logout.php (Status: 302) [Size: 0] [--> login.php]
/auth.php (Status: 500) [Size: 1208]
# process
1. sqli?
2. template injection after logging in via notes?