IIS on Steroids

Description

I've been hiding a file that you'll never find in dictionaries and maybe you'll find it with a brute-force attack, but it will take you like 10 years or so :)

Can you deal with it?

http://iis.challenges.bsidestlv.com/

Solution

Let's connect to the server:

Nothing much, apart from the fact that they are using IIS 7.5.

Searching for "IIS 7.5" vulnerability brings up this link as one of the top results.

The vulnerability is triggered by a tilde character "~" in a GET request, which could allow remote attackers to disclose file and folder names. The tilde character "~" can be used to find the short names of files and folders when the website is running on IIS. An attacker can thereby find important files and folders that are not normally visible.

The attack is based on the 8.3 filename format, which dates back to DOS days. In short, without going into all the corner cases, file names could contain a maximum of 8 characters, a period, and three more characters for the extension. Longer file names would be truncated, and the convention was to keep the first six characters, append a ~ character, and then a number (starting from 1).

We can see this in action in one of the other challenges - DoSaTTaCK:

PCDOS3~1.IMG is in fact PCDOS330-DISK1.img after applying the 8.3 filename format. If we also had PCDOS330-DISK8.img, it would have been renamed PCDOS3~2.IMG, and so on.

The vulnerability causes IIS to leak the existence of files when they are requested using this convention, which can also be combined with wildcards (*). The server returns a 400 error if no file matches the pattern, and a 404 error if some file does match it.

For example:

According to the response codes, there is a file starting with "l", but none starting with "x".
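As an added illustration (not the writeup's own script and not the challenge's code): the first function reproduces the 8.3 truncation described above, so the PCDOS3~1.IMG / PCDOS3~2.IMG example can be checked, and the second flags tilde probes in IIS W3C log lines using the 400/404 pattern just described. The simplified 8.3 rules, the log field order, and the sample log lines are assumptions.

```python
import re
from typing import List, Set, Tuple

_DROP = re.compile(r"[ .]")   # simplified: spaces and extra dots are dropped

def short_name_8_3(long_name: str, directory: Set[str]) -> str:
    """8.3 alias as the article describes: first six chars, "~", counter from 1.
    `directory` is the set of short names already taken (updated in place)."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:                                   # no extension at all
        base, ext = long_name, ""
    clean_base = _DROP.sub("", base).upper()
    clean_ext = _DROP.sub("", ext).upper()[:3]
    if clean_base == base.upper() and clean_ext == ext.upper() and len(base) <= 8:
        short = long_name.upper()                 # already a valid 8.3 name
    else:
        n = 1
        while True:
            short = f"{clean_base[:6]}~{n}" + (f".{clean_ext}" if clean_ext else "")
            if short not in directory:
                break
            n += 1
    directory.add(short)
    return short

# A tilde probe is a "~" plus digit next to a wildcard, e.g. "/l*~1*"; the
# server answers 400 (no match) or 404 (match), so both codes are flagged.
_PROBE = re.compile(r"\*~\d|~\d\*")

def find_tilde_probes(log_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, uri_stem, status) for each probe in IIS W3C log lines.
    Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query
    s-port cs-username c-ip cs(User-Agent) sc-status."""
    hits = []
    for line in log_lines:
        f = line.split()
        if len(f) < 11 or line.startswith("#"):   # skip short/header lines
            continue
        stem, client_ip, status = f[4], f[8], int(f[10])
        if _PROBE.search(stem) and status in (400, 404):
            hits.append((client_ip, stem, status))
    return hits

# Constructed sample log lines, not from the challenge server.
SAMPLE_LOG = [
    "2018-06-01 10:00:00 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200",
    "2018-06-01 10:00:01 10.0.0.5 GET /l*~1* - 80 - 203.0.113.7 Mozilla/5.0 404",
    "2018-06-01 10:00:02 10.0.0.5 GET /x*~1* - 80 - 203.0.113.7 Mozilla/5.0 400",
    "2018-06-01 10:00:03 10.0.0.5 GET /about.html - 80 - 203.0.113.7 Mozilla/5.0 404",
]
```

A burst of such probes from one client, alternating 400 and 404 on paths that never existed, is the signature to alert on; the fix on the server side is disabling 8.3 name creation on the web root volume.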

We can find more information here, here and here, for example.

We solved the challenge by first trying "*~1*":

Then "*~2*":

But let's put some effort into it with the following script:

The script found the following files, the third one contained the flag: