➜ poo gobuster dir -u http://10.13.38.11 -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.13.38.11
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/js (Status: 301) [Size: 145] [--> http://10.13.38.11/js/]
/images (Status: 301) [Size: 149] [--> http://10.13.38.11/images/]
/templates (Status: 301) [Size: 152] [--> http://10.13.38.11/templates/]
/admin (Status: 401) [Size: 1293]
/themes (Status: 301) [Size: 149] [--> http://10.13.38.11/themes/]
/plugins (Status: 301) [Size: 150] [--> http://10.13.38.11/plugins/]
/uploads (Status: 301) [Size: 150] [--> http://10.13.38.11/uploads/]
/dev (Status: 301) [Size: 146] [--> http://10.13.38.11/dev/]
/. (Status: 200) [Size: 703]
/widgets (Status: 301) [Size: 150] [--> http://10.13.38.11/widgets/]
/meta-inf (Status: 301) [Size: 151] [--> http://10.13.38.11/meta-inf/]
Progress: 2390 / 107983 (2.21%)[ERROR] context deadline exceeded (Client.Timeout or context cancellation while reading body)
Progress: 4039 / 107983 (3.74%)[ERROR] context deadline exceeded (Client.Timeout or context cancellation while reading body)
/.ds_store (Status: 200) [Size: 10244]
Progress: 11266 / 107983 (10.43%)
The .ds_store file is interesting.
Before we start parsing a .DS_Store file, let me tell you a bit about it. You might have received the (hidden) file on a USB stick from a colleague who uses macOS, or seen it somewhere else. Apple's operating system creates this file in apparently all directories to store meta information about their contents. In fact, it contains the names of all files (and also directories) in that folder. The equivalent on Microsoft Windows might be considered the desktop.ini or Thumbs.db.
Because .DS_Store is prefixed with a dot, it is hidden from the macOS Finder, so Mac users might not be aware of its existence. Furthermore, the file format is proprietary and not much documentation about it is available online.
I found this tool, https://github.com/Keramas/DS_Walk, which enumerates all possible files and directories on a web server where a .ds_store file can be accessed.
➜ DS_Walk git:(master) ✗ python3 ds_walk.py -u http://10.13.38.11/
[!] .ds_store file is present on the webserver.
[+] Enumerating directories based on .ds_server file:
----------------------------
[!] http://10.13.38.11//admin
[!] http://10.13.38.11//dev
[!] http://10.13.38.11//iisstart.htm
[!] http://10.13.38.11//Images
[!] http://10.13.38.11//JS
[!] http://10.13.38.11//META-INF
[!] http://10.13.38.11//New folder
[!] http://10.13.38.11//New folder (2)
[!] http://10.13.38.11//Plugins
[!] http://10.13.38.11//Templates
[!] http://10.13.38.11//Themes
[!] http://10.13.38.11//Uploads
[!] http://10.13.38.11//web.config
[!] http://10.13.38.11//Widgets
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc
----------------------------
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/core
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/db
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/include
[!] http://10.13.38.11//dev/304c0c90fbc6520610abbf378e2339d1/src
----------------------------
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/core
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/db
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/include
[!] http://10.13.38.11//dev/dca66d38fd916317687e1390a420c3fc/src
----------------------------
[!] http://10.13.38.11//Images/buttons
[!] http://10.13.38.11//Images/icons
[!] http://10.13.38.11//Images/iisstart.png
----------------------------
[!] http://10.13.38.11//JS/custom
----------------------------
[!] http://10.13.38.11//Themes/default
----------------------------
[!] http://10.13.38.11//Widgets/CalendarEvents
[!] http://10.13.38.11//Widgets/Framework
[!] http://10.13.38.11//Widgets/Menu
[!] http://10.13.38.11//Widgets/Notifications
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts
----------------------------
[!] http://10.13.38.11//Widgets/Framework/Layouts/custom
[!] http://10.13.38.11//Widgets/Framework/Layouts/default
----------------------------
[*] Finished traversing. No remaining .ds_store files present.
[*] Cleaning up .ds_store files saved to disk.
None of these files could be accessed, as they were all forbidden.
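
To see why a stray .DS_Store discloses a directory listing, and to check your own web root for one before deploying, here is an added example (not part of the original write-up and not DS_Walk's code). It is a heuristic record scan, not a full walk of the file's B-tree, and it assumes the record layout from public reverse-engineering notes on the format; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct

MAGIC = b"\x00\x00\x00\x01Bud1"  # fixed 4-byte prefix + "Bud1" magic
# Data-type tags that follow each record's 4-char structure id (e.g. Iloc).
TYPES = {b"blob", b"bool", b"long", b"shor", b"type", b"ustr", b"comp", b"dutc"}

def ds_store_names(data: bytes) -> list:
    """Heuristically list the entry names recorded in a .DS_Store blob."""
    if not data.startswith(MAGIC):
        raise ValueError("missing Bud1 header, not a .DS_Store file")
    names = set()
    # Record: uint32 name length (UTF-16 units), UTF-16BE name, id, type, value.
    for i in range(len(MAGIC), len(data) - 12):
        (n,) = struct.unpack_from(">I", data, i)
        end = i + 4 + 2 * n
        if not 1 <= n <= 255 or data[end + 4:end + 8] not in TYPES:
            continue
        if not data[end:end + 4].isalnum():
            continue
        try:
            name = data[i + 4:end].decode("utf-16-be")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            names.add(name)
    return sorted(names)

def audit_webroot(root: str) -> dict:
    """Map every .DS_Store under root (any letter case) to the names it leaks."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == ".ds_store":
                path = os.path.join(folder, fname)
                with open(path, "rb") as fh:
                    findings[path] = ds_store_names(fh.read())
    return findings

def _record(name: str) -> bytes:
    """Build one constructed record: an Iloc blob holding 16 zero bytes."""
    return (struct.pack(">I", len(name)) + name.encode("utf-16-be")
            + b"Iloc" + b"blob" + struct.pack(">I", 16) + bytes(16))

# Constructed sample (not a capture): header padding followed by four records.
SAMPLE = MAGIC + bytes(28) + b"".join(
    _record(n) for n in ("admin", "dev", "web.config", "New folder (2)"))
```

Running audit_webroot over a deployment directory in a build or CI step shows which names each leftover file would reveal; deleting the files, or denying requests for them at the web server, removes the leak.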