Derailed

10.10.11.190

Information gathering

./fscan_amd64 -h 10.10.11.190

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.11.190 is alive
[*] Icmp alive hosts len is: 1
10.10.11.190:3000 open
10.10.11.190:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle:http://10.10.11.190:3000 code:200 len:4774 title:derailed.htb
已完成 0/2 [-] ssh 10.10.11.190:22 root 1 dial tcp 10.10.11.190:22: i/o timeout

echo "10.10.11.190 derailed.htb" >> /etc/hosts

http://derailed.htb
http://10.10.11.190:3000/register
http://10.10.11.190:3000/login
http://10.10.11.190:3000/clipnotes/1
Register an account (user / password) and log in.

A directory traversal vulnerability was found here: the numeric id in the URL can be fuzzed.
http://derailed.htb:3000/

This reveals a username: alice.

./gobuster.sh
which url? http://derailed.htb:3000
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://derailed.htb:3000
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2023/06/13 23:05:22 Starting gobuster in directory enumeration mode
===============================================================
http://derailed.htb:3000/login (Status: 200) [Size: 5592]
http://derailed.htb:3000/register (Status: 200) [Size: 5908]
http://derailed.htb:3000/logout (Status: 302) [Size: 91] [--> http://derailed.htb:3000/]
http://derailed.htb:3000/404 (Status: 200) [Size: 1722]
http://derailed.htb:3000/administration (Status: 302) [Size: 96] [--> http://derailed.htb:3000/login]
http://derailed.htb:3000/500 (Status: 200) [Size: 1635]
http://derailed.htb:3000/422 (Status: 200) [Size: 1705]

hydra -l alice -P /usr/share/wordlists/seclists/Passwords/500-worst-passwords.txt -f derailed.htb -s 3000 http-post-form "/login:user=alice&pass=^PASS^:Invalid"
hydra -l alice -P /usr/share/wordlists/seclists/Passwords/darkweb2017-top10000.txt -f derailed.htb -s 3000 http-post-form "/login:user=alice&pass=^PASS^:Invalid"
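From the defender's side, both of the activities above (sequential /clipnotes/<n> enumeration and password guessing against /login) leave an obvious footprint in the web server access log. The following is an added example, not part of the original writeup; it assumes a CLF-style access log (constructed sample lines) and that a failed login re-renders the form with 200 while a successful one redirects with 302, which matches the "Invalid" failure string used for hydra.

```python
import re
from collections import defaultdict

# Constructed access-log sample (assumed CLF-style format), not from the original page.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Jun/2023:21:33:01 +0000] "GET /clipnotes/1 HTTP/1.1" 200 4774
10.10.14.5 - - [13/Jun/2023:21:33:02 +0000] "GET /clipnotes/2 HTTP/1.1" 200 4810
10.10.14.5 - - [13/Jun/2023:21:33:02 +0000] "GET /clipnotes/3 HTTP/1.1" 404 1722
10.10.14.5 - - [13/Jun/2023:21:33:03 +0000] "GET /clipnotes/4 HTTP/1.1" 200 4795
10.10.14.5 - - [13/Jun/2023:21:33:03 +0000] "GET /clipnotes/5 HTTP/1.1" 200 4801
10.10.14.9 - - [13/Jun/2023:21:40:10 +0000] "GET /clipnotes/17 HTTP/1.1" 200 4790
10.10.14.5 - - [13/Jun/2023:23:10:01 +0000] "POST /login HTTP/1.1" 200 5592
10.10.14.5 - - [13/Jun/2023:23:10:01 +0000] "POST /login HTTP/1.1" 200 5592
10.10.14.5 - - [13/Jun/2023:23:10:02 +0000] "POST /login HTTP/1.1" 200 5592
10.10.14.5 - - [13/Jun/2023:23:10:02 +0000] "POST /login HTTP/1.1" 200 5592
10.10.14.5 - - [13/Jun/2023:23:10:03 +0000] "POST /login HTTP/1.1" 302 91
10.10.14.9 - - [13/Jun/2023:23:12:00 +0000] "POST /login HTTP/1.1" 302 91
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')
ID_RE = re.compile(r"^/clipnotes/(\d+)$")

def parse(log):
    """Yield (ip, method, path, status) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def id_enumeration(log, min_ids=4):
    """Clients that fetched at least min_ids distinct /clipnotes/<n> ids (sorted);
    one client walking an ascending run of ids is the id-fuzzing pattern."""
    seen = defaultdict(set)
    for ip, method, path, _ in parse(log):
        m = ID_RE.match(path)
        if method == "GET" and m:
            seen[ip].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}

def login_failures(log, min_failed=3):
    """Count POST /login responses that re-rendered the form (200) instead of
    redirecting (302); each 200 is a failed attempt, so a burst means guessing."""
    failed = defaultdict(int)
    for ip, method, path, status in parse(log):
        if method == "POST" and path == "/login" and status == 200:
            failed[ip] += 1
    return {ip: n for ip, n in failed.items() if n >= min_failed}
```

Both detections are per-client counts with a threshold; in a real deployment the same logic would run over a time window and feed a rate limit on /login and an authorization check that scopes /clipnotes/<n> to the owning user.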

getshell

Privilege escalation

Summary

References