HTB_Ignition - meruneru/tech_memo GitHub Wiki

Machine - Ignition

An introductory machine.

A challenge that requires guessing the login ID and password.

port scan

#Port80 is #httpd #nginx

┌──(kali㉿kali)-[~/htb]
└─$ nmap -sV -sC -Pn ignition.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-13 20:32 EST
Nmap scan report for ignition.htb (10.129.70.10)
Host is up (0.17s latency).
Not shown: 986 closed ports
PORT     STATE    SERVICE        VERSION
80/tcp   open     http           nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Home page
340/tcp  filtered unknown
1043/tcp filtered boinc
1061/tcp filtered kiosk
1069/tcp filtered cognex-insight
2111/tcp filtered kx
3905/tcp filtered mupdate
5859/tcp filtered wherehoo
6646/tcp filtered unknown
7004/tcp filtered afs3-kaserver
7920/tcp filtered unknown
8402/tcp filtered abarsd
9050/tcp filtered tor-socks
9502/tcp filtered unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.53 seconds
                                                                

Enumeration

┌──(kali㉿kali)-[~/htb/Ignition] 
└─$ gobuster dir -u ignition.htb -w ~/wordlist/common.txt           
===============================================================
Gobuster v3.1.0                  
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://ignition.htb
[+] Method:                  GET 
[+] Threads:                 10  
[+] Wordlist:                /home/kali/wordlist/common.txt
[+] Negative Status codes:   404 
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s 
===============================================================
2021/11/13 20:52:50 Starting gobuster in directory enumeration mode 
===============================================================
/0                    (Status: 200) [Size: 25803]
/admin                (Status: 200) [Size: 7092] 
/catalog              (Status: 302) [Size: 0] [--> http://ignition.htb/]
/checkout             (Status: 302) [Size: 0] [--> http://ignition.htb/checkout/cart/]
/cms                  (Status: 200) [Size: 25817]                                      
/contact              (Status: 200) [Size: 28673]                                      
/enable-cookies       (Status: 200) [Size: 27176]                                      
/errors               (Status: 301) [Size: 185] [--> http://ignition.htb/errors/]     
/Home                 (Status: 301) [Size: 0] [--> http://ignition.htb/home]          
/home                 (Status: 200) [Size: 25802]                                      
/index.php            (Status: 200) [Size: 25815]                                      
/media                (Status: 301) [Size: 185] [--> http://ignition.htb/media/]      
/opt                  (Status: 301) [Size: 185] [--> http://ignition.htb/opt/]        
/rest                 (Status: 400) [Size: 52]                                         
/robots               (Status: 200) [Size: 1]                                          
/robots.txt           (Status: 200) [Size: 1]                                          
/setup                (Status: 301) [Size: 185] [--> http://ignition.htb/setup/]      
/soap                 (Status: 200) [Size: 391]                                        
/static               (Status: 301) [Size: 185] [--> http://ignition.htb/static/]     
/wishlist             (Status: 302) [Size: 0] [--> http://ignition.htb/customer/account/login/referer/aHR0cDovL2lnbml0aW9uLmh0Yi93aXNobGlzdA%2C%2C/]
           

Access

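I opened http://ignition.htb/admin in a browser and tried SQL injection on the login screen, but it did not work.

The site uses a CMS called #Magento, and the login is locked after 6 wrong attempts, so a brute-force attack on the ID/password is not possible.

Trying the "top 10 most common passwords list 2021", I was able to log in with admin:qwerty123.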

123456
123456789
qwerty
password
12345
qwerty123
1q2w3e
12345678
111111
1234567890
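
The lockout did not help here because the password was on a ten-entry common-password list. The following is an added example, not part of the original memo or of Magento's code: a password acceptance check for the defender's side that adds a denylist to a composition rule. The composition rule (at least 7 characters, one letter and one digit) and all function names are assumptions for illustration; the denylist is the list shown above.

```python
import re

# The ten passwords listed on this page (top 10 most common, 2021).
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "password", "12345",
    "qwerty123", "1q2w3e", "12345678", "111111", "1234567890",
]
LOCKOUT_THRESHOLD = 6  # failed attempts before lockout, as stated on the page


def meets_composition_rule(password, min_length=7):
    """Assumed composition-only policy: minimum length, a letter and a digit."""
    return (len(password) >= min_length
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def normalize(value):
    """Compare case-insensitively and ignore surrounding whitespace."""
    return value.strip().casefold()


def acceptable_password(password, username, denylist=COMMON_PASSWORDS):
    """Return (ok, reason); the denylist applies on top of composition."""
    if not meets_composition_rule(password):
        return False, "composition"
    candidate = normalize(password)
    if candidate in {normalize(p) for p in denylist}:
        return False, "denylisted"
    if normalize(username) and normalize(username) in candidate:
        return False, "contains-username"
    return True, "ok"


def policy_gaps(denylist=COMMON_PASSWORDS):
    """Audit: common passwords a composition-only policy would still accept."""
    return [p for p in denylist if meets_composition_rule(p)]


if __name__ == "__main__":
    gaps = policy_gaps()
    print("accepted by the composition rule alone:", gaps)
    print("fewer than the lockout threshold:", len(gaps) < LOCKOUT_THRESHOLD)
    # Constructed sample inputs.
    for pw in ("qwerty123", "Qwerty123 ", "admin2021x", "k7-Vault-orchid"):
        print(repr(pw), acceptable_password(pw, "admin"))
```

Run at password-set time, a check like this rejects the credential before it can be configured; the attempt lockout is then a second layer, not the only one.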