Summary of reconnaissance on a certain H website 230824

Previously deleted

Thinking back to the last penetration test, my mind was completely blank 😅

Incident Cause#

I have played in various black and gray industries in the past few years, so after watching "All In", I became very indignant.
94a1b858a53403ea2f42a0dd1277832
After watching it for the third time, I searched through all my emails, but it was useless.

Until one day, my inbox, yes, my inbox received a spam email.
It's unbelievable, it didn't go to the spam folder.

1692877033053
Finally, it arrived, with an excited heart and trembling hands.

Email Entrance#

The sending domain is not resolved, and the mail server is an IIS. I threw it to fofa.
1692877158836
It should be a server specifically for sending spam emails, there is nothing useful to check.

QR Code Analysis#

Decode first

1692877481054

~~It seems to be this website, let's launch a precise penetration right away🤣~~
It is a live code that uses Weiyun to share files, and I obtained the website address again.

The short link redirects to two layers of URLs, obviously to bypass the URL security check by redirecting to a legitimate website.
~~This method of redirection is not a bad idea. Brothers, I decided to go and make some codes for gambling, we will meet again in the future🤪~~

Decode the base64 in the URL to get the second layer of the redirect URL, which is a service under Baidu, but I can't tell which one it is for now.
1692878078435

Finally, we have the protagonist of the story.

1692888998020

Website Periphery#

1692878319416

Direct access will be redirected to Baidu's error page, it seems that there is UA filtering.

Don't worry, I have User-Agent Switcher and Manager
1692878377033

1692878501063
I'm in, let's take a look at the structure of the website first.

1692878558486
It's a pseudo-static, any path name with /h8 will return to the CMS.
The search box is also not usable, let's try to jump out of h8, and there is an error.

1692878652837
After checking, it turns out to be the Ruoyi system, but there seems to be a jump or whitelist error. Going back to /login will still redirect to Baidu's error page.
Since there is no way to deal with the backend, I searched fofa and found a cname and an IP.

1692886695877
1692886721142
It's a bunch of station groups, there is no point in further investigation. After a quick look at the source site, there is nothing interesting. Next time, I will bring out the port scanning.

The cname is quite consistent, let's check it with whois.
1692886926471

Website Internal#

Let's take a look at the source code.

1692888028929
Combining with the frontend, I can't tell what CMS it is, and there is another layer of base64, let's decode it first.

1692888115971
Okay, a new domain.

1692888138159

1692888170108

I can't tell what CMS it is anymore, it seems that there is no way to do anything at the website level.

Payment Side#

Payment is required to watch the video.
1692888538140

1692888571048
Looks familiar, it's the YuanPay system, can't get in.
1692888636491

There is still an Alipay payment method, seems to be self-developed, and it has Google verification code.
1692888760069

1692888789302

Summary of why the people who run h websites are so technical now#

Incompetent, to the point where they can't even stand what they are doing.
Originally wanted to dig deeper, but now my brain has crashed. Fortunately, the domain and everything are in China. I will organize the relevant information and send it to my friends in network security 😶