Shulou(Shulou.com)05/31 Report--

This article will give you a detailed explanation on how to carry out HTB-Luke actual combat, the content of the article is of high quality, so the editor will share it with you for reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Information collection

Open 10.10.10.137 and find that it's just like a static one. I'm used to looking at the source code first and I find it's a static one.

Bootstrap 4

Port test

21/tcp ftp

22/tcp ssh

80/tcp http

3000/tcp ppp

8000/tcp http-alt

1. 10.10.10.137 8000 Ajenti login accounts

2. 10.10.10.1373000 return

{"success": false, "message": "Auth token is not supplied"}

Directory traversal

Custom dirsearch.py traverses 80 and 3000 entries, respectively.

80-year-old discovery

[]-B-/ .ht_wsr.txt []-B-/ .htaccess-dev []-B-/ .htaccess-local []-B-/ .hta []-B-/ .htaccess-marco []-B-/ .htaccess.bak1 []-B-/ .htaccess.BAK []-B-/ .htaccess.old []-B-/ .htaccessOLD []-B-/ .htaccess.orig [: :]-B-/ .htaccess_orig []-B-/ .htaccess.sample []-B-/ .htaccess.txt []-B-/ .htaccess_sc []-B-/ .htaccessBAK []-B-/ .htaccess_extra []-B-/ .htaccess.save []-B-/ .htpasswd-old []-B-/ .htaccess ~ []-B-/ .htpasswds []-B- / .htpasswd_test []-B-/ .htaccessOLD2 []-B-/ .htgroup []-B-/ .htusers []-B-/ config.php []-B-/ css-> http: []-KB-/ index.html []-B-/ js-> http: []-KB-/ login.php []-B-/ management []-B-/ management/ []-B- / member-> http: []-KB-/ package.json []-KB-/ README.md

Among them, / management and login.php are also "login accounts" / config.php includes the mysql account password.

$dbHost =; $dbUsername =; $dbPassword =; $db =; $conn = mysqli ($dbHost, $dbUsername, $dbPassword,$db) (. $conn-> error)

3000 Tianyuan discovery

[:] Starting: [:]-B-/ login [::]-B-/ Login [::]-B-[:]-B-[:]-B-/ users [::]-B-/ users/admin [::]-B-where / login returns, users also returns {:,:}

Integration of information

Three landing traps

10.10.10.137:8000 、 10.10.10.137/login.php 、 10.10.10.137/management

Get a mysql account password root/Zk6heYCyv6ZE9Xcg

10.10.10.137UR 3000 return information

{:,:}

10.10.10.137:3000/login returns

"please auth"

Concrete analysis

The breakthrough lies in

In "Auth token is not supplied"

It is found that the return information of jwt authentication failure is found under the Google account, so it is speculated that the authentication information post should be constructed to

10.10.10.137Suzhou 3000 then get the "user voucher" and then request it.

10.10.10.137:3000/users .

The "account information" of post is probably the mysql account password of the previous mysql, because only this "can" and this account information tries.

The login was not successful at both the login server and the mysql server.

Make "curl"

Curl-s-X POST-H'Accept: application/json'-H 'Content-Type:application/json'-- data' {:,:}'

Echo information

ErrorSyntaxError: Unexpected token r in JSON at position 11 & ampnbsp; at JSON.parse (& amplt;anonymous>) & ampnbsp; at parse (/ nodeapp/node_modules/body-parser/lib/types/json.js:89:19) & ampnbsp; at / nodeapp/node_modules/body-parser/lib/read.js:121:18 & ampnbsp; at invokeCallback (/ nodeapp/node_modules/raw-body/index.js:224:16) & ampnbsp;&nbsp At done (/ nodeapp/node_modules/raw-body/index.js:213:7) & ampnbsp; & ampnbsp;at IncomingMessage.onEnd (/ nodeapp/node_modules/rawbody/index.js:273:7) & ampnbsp; & ampnbsp;at IncomingMessage.emit (events.js:202:15) & ampnbsp; & ampnbsp;at endReadableNT (_ stream_readable.js:1132:12) & ampnbsp; & ampnbsp;at processTicksAndRejections (internal/process/next_tick.js:76:17)

I don't know why it is estimated that the curl is wrong, but what is certain is that the idea is right. Change the postman to send json.

Request

Get the admin's

Token

three

This token request / users and / users/ {user}

-H-H https://10.10.10.137:3000/users

Get to

[{:,:,:}, {:,:}] {:,:}% {:,:

Log in to http://10.10.10.137/management and visit http://10.10.10.137/management/config.json

Get the account information of root/KpMasng6S5EtTy9Z and finally log in to

ten

Flag:8448343028fadde1e2a1b0a44d01e650

To raise the right

Direct login of root/KpMasng6S5EtTy9Z to ssh shows that this is just an account of web. But the ajenti service has root rights.

The limit also means that you can operate at will.

"File Manager" has been flipped through the "under configuration" section, you can directly find the ssh configuration section / etc/sshd_config and have editing permissions.

Then modify the configuration item

PermitRootLogin yes

Restart the ssh service and try to log in to ssh and find that it is still not possible to root

The password is not the password of the web account. If you have Users to open and reset the root password directly, you do not need to reset the old password.

Ssh login

About how to carry on the HTB-Luke actual combat to share here, hoped that the above content can have the certain help to everybody, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.