2025-03-31 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 05/31 Report
This article is a detailed walkthrough of the HTB machine Luke. The editor shares it for reference; I hope you will have a clear understanding of the relevant techniques after reading it.
Information collection
Opening 10.10.10.137 shows what looks like a static page. I am used to checking the source first, and it confirms a static Bootstrap 4 site.
Port test
21/tcp ftp
22/tcp ssh
80/tcp http
3000/tcp ppp
8000/tcp http-alt
1. 10.10.10.137:8000 is an Ajenti login page.
2. 10.10.10.137:3000 returns
{"success": false, "message": "Auth token is not supplied"}
Directory enumeration
A customised dirsearch.py is run against ports 80 and 3000 respectively.
Findings on port 80
Apache control-file variants: .ht_wsr.txt, .htaccess-dev, .htaccess-local, .hta, .htaccess-marco, .htaccess.bak1, .htaccess.BAK, .htaccess.old, .htaccessOLD, .htaccess.orig, .htaccess_orig, .htaccess.sample, .htaccess.txt, .htaccess_sc, .htaccessBAK, .htaccess_extra, .htaccess.save, .htpasswd-old, .htaccess~, .htpasswds, .htpasswd_test, .htaccessOLD2, .htgroup, .htusers
Application files: config.php, css (redirect), index.html, js (redirect), login.php, management, management/, member (redirect), package.json, README.md
Among them, /management and login.php are further login pages, and /config.php exposes the MySQL credentials:
$dbHost = '...';                    // host value not preserved here
$dbUsername = 'root';               // credentials as reported below
$dbPassword = 'Zk6heYCyv6ZE9Xcg';
$db = '...';                        // database name not preserved here
$conn = new mysqli($dbHost, $dbUsername, $dbPassword, $db);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
Findings on port 3000
Paths found: /login, /Login, /users, /users/admin. /login asks for authentication and /users also returns a JSON authentication error.
Integration of information
Three login pages
10.10.10.137:8000, 10.10.10.137/login.php, 10.10.10.137/management
MySQL credentials: root/Zk6heYCyv6ZE9Xcg
10.10.10.137:3000 returns
{"success": false, "message": "Auth token is not supplied"}
10.10.10.137:3000/login returns
"please auth"
Analysis
The breakthrough lies in the message "Auth token is not supplied".
A Google search shows this is the response of a failed JWT authentication, so the guess is that credentials should be POSTed to 10.10.10.137:3000 to obtain a user token, and that token then used to request 10.10.10.137:3000/users.
The credentials to POST are probably the MySQL account found earlier, since that is the only pair available; those credentials did not work against the login pages or the MySQL server itself.
Build the curl request, with the credentials as the JSON body (body elided):
curl -s -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{...}' http://10.10.10.137:3000/login
Response
Error: SyntaxError: Unexpected token r in JSON at position 11
    at JSON.parse (<anonymous>)
    at parse (/nodeapp/node_modules/body-parser/lib/types/json.js:89:19)
    at /nodeapp/node_modules/body-parser/lib/read.js:121:18
    at invokeCallback (/nodeapp/node_modules/raw-body/index.js:224:16)
    at done (/nodeapp/node_modules/raw-body/index.js:213:7)
    at IncomingMessage.onEnd (/nodeapp/node_modules/raw-body/index.js:273:7)
    at IncomingMessage.emit (events.js:202:15)
    at endReadableNT (_stream_readable.js:1132:12)
    at processTicksAndRejections (internal/process/next_tick.js:76:17)
I am not sure why; presumably the curl command is wrong (the SyntaxError from body-parser shows the server did not receive valid JSON, which points at the shell quoting of the --data argument), but the approach is clearly right. Switch to Postman to send the JSON.
Sending the request in Postman returns the admin's token.
With this token sent as a request header, query /users and /users/{user} (the original used two -H options whose values are not preserved):
curl -s -H '...' -H '...' https://10.10.10.137:3000/users
The result is a JSON array of user objects, and /users/{user} returns the details of each user.
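The flow above implies a JWT-protected API: with no token the service answers "Auth token is not supplied", valid credentials at /login yield a token, and the token unlocks /users. The Python model below is an added example, not the box's code or the article's; the secret, the credential table, the Bearer header and every message other than "Auth token is not supplied" are assumptions. It shows the checks a correct verifier performs on the server side: pinned algorithm, constant-time signature comparison and expiry.

```python
import base64, hashlib, hmac, json, time

# Constructed secret and credential table, not values from the box.
SECRET = b"constructed-demo-secret"
USERS = {"admin": "constructed-password"}   # stand-in for a real credential store

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(username, ttl=3600, now=None):
    """Mint an HS256 JWT carrying the subject and an expiry."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": username, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token, now=None):
    """Return the claims for a valid token, else None. Pins alg to HS256 (so an
    'alg: none' downgrade fails), compares the MAC in constant time, enforces exp."""
    try:
        h, p, s = token.split(".")
        if json.loads(unb64url(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(s)):
            return None
        claims = json.loads(unb64url(p))
        now = int(time.time()) if now is None else now
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None

def login(body):
    """POST /login with a JSON body; a token is issued only for valid credentials."""
    if USERS.get(body.get("username")) == body.get("password"):
        return {"success": True, "token": issue_token(body["username"])}
    return {"success": False, "message": "Invalid credentials"}   # assumed wording

def users_endpoint(headers):
    """GET /users: the check behind the page's 'Auth token is not supplied'."""
    auth = headers.get("Authorization", "")              # Bearer scheme is an assumption
    if not auth.startswith("Bearer "):
        return {"success": False, "message": "Auth token is not supplied"}
    if verify_token(auth[len("Bearer "):]) is None:
        return {"success": False, "message": "Auth token is invalid"}
    return {"success": True, "users": sorted(USERS)}
```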
Log in to http://10.10.10.137/management and visit http://10.10.10.137/management/config.json, which yields the credentials root/KpMasng6S5EtTy9Z. Finally, log in to the Ajenti panel on port 8000.
Flag:8448343028fadde1e2a1b0a44d01e650
Privilege escalation
Trying root/KpMasng6S5EtTy9Z directly against SSH shows that this is only the web panel account. The Ajenti service, however, runs with root rights, which means anything on the host can be operated on through it.
Browsing with the File Manager under the configuration section, the SSH configuration /etc/sshd_config is directly reachable and editable.
Modify the configuration item
PermitRootLogin yes
Restart the SSH service and try SSH again: root still cannot log in, because the root password is not the web account's password. Ajenti's Users section allows the root password to be reset directly, without knowing the old one.
SSH login as root then succeeds.
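The escalation above works because a panel running as root can rewrite sshd_config and reset passwords. As an added example (not from the article or the box), the Python audit below parses sshd_config the way sshd reads it (the first occurrence of a keyword wins, directives inside a Match block are conditional) and flags PermitRootLogin yes and password authentication, so a defender can detect exactly the change made here; the config samples are constructed.

```python
import re

# Constructed sshd_config samples (not from the box).
HARDENED = """\
# baseline
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""
WEAKENED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Return {'global': {keyword: value}, 'match': [blocks]}.
    Like sshd, the first occurrence of a keyword wins, so later duplicates are
    ignored; keywords inside a Match block only apply conditionally and are
    kept with their criteria instead of in the global table."""
    conf, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "directives": {}}
            blocks.append(current)
        elif current is not None:
            current["directives"].setdefault(key, value)
        else:
            conf.setdefault(key, value)
    return {"global": conf, "match": blocks}

def audit(text):
    """List settings that allow root or password logins over SSH."""
    parsed, findings = parse_sshd_config(text), []
    g = parsed["global"]
    # OpenSSH 7.0+ defaults to prohibit-password when the keyword is absent
    if g.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes (global)")
    for blk in parsed["match"]:
        if blk["directives"].get("permitrootlogin", "").lower() == "yes":
            findings.append(f"PermitRootLogin yes inside 'Match {blk['criteria']}'")
    if g.get("passwordauthentication", "yes").lower() == "yes":  # sshd default is yes
        findings.append("PasswordAuthentication yes (global)")
    return findings
```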
That concludes the HTB-Luke walkthrough. I hope the above is of some help and that you have learned something from it; if you found the article useful, please share it so more people can read it.