HTB_Preignition - meruneru/tech_memo GitHub Wiki

Machine - Preignition

An introductory machine.

A web machine.

dir busting

Dir busting means discovering directories as part of web enumeration. It is said to be the most important skill.

A well-known tool for this is #gobuster.

port scan

Port 80 is an HTTP server.

┌─[✗]─[htb-meruneru@htb-4ygdk8b8dx]─[~]
└──╼ $nmap -sV -sC -Pn 10.129.185.121
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-12 14:48 UTC
Nmap scan report for 10.129.185.121
Host is up (0.078s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.82 seconds


Enumeration

Searching with gobuster found admin.php. At first I did not know where the wordlists were, so I looked for them with the locate command.

─[✗]─[htb-meruneru@htb-4ygdk8b8dx]─[~]
└──╼ $locate common.txt
locate: warning: database ‘/var/cache/locate/locatedb’ is more than 8 days old (actual age is 197.4 days)
/etc/theHarvester/wordlists/general/common.txt
/opt/pycharm-community/plugins/python-ce/helpers/typeshed/tests/stubtest_whitelists/py3_common.txt
/opt/useful/SecLists/Discovery/Web-Content/common.txt
/opt/useful/SecLists/Passwords/Common-Credentials/10k-most-common.txt
/usr/share/dirb/wordlists/common.txt
/usr/share/dirb/wordlists/extensions_common.txt
/usr/share/dirb/wordlists/mutations_common.txt
/usr/share/metasploit-framework/data/wordlists/http_owa_common.txt
/usr/share/metasploit-framework/data/wordlists/sap_common.txt
/usr/share/wfuzz/wordlist/general/common.txt
/usr/share/wfuzz/wordlist/general/extensions_common.txt
/usr/share/wfuzz/wordlist/general/mutations_common.txt
┌─[htb-meruneru@htb-4ygdk8b8dx]─[~]
└──╼ $gobuster dir -u 10.129.185.121 -w /opt/useful/SecLists/Discovery/Web-Content/common.txt

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.185.121
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/useful/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/12 14:59:15 Starting gobuster in directory enumeration mode
===============================================================

Progress: 91 / 4653 (1.96%)
Progress: 161 / 4653 (3.46%)
/admin.php            (Status: 200) [Size: 999]
                                               
===============================================================
2021/11/12 14:59:53 Finished
===============================================================
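
Seen from the server side, the scan above shows up in the nginx access log as one client requesting many distinct paths that mostly return 404, by default with the User-Agent gobuster/3.1.0 shown in the banner. The following detection sketch is an added example, not part of the original memo; it assumes nginx's default combined log format, and the sample log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect_dir_busting(lines, min_requests=5, min_404_ratio=0.8):
    """Return {client_ip: finding} for clients whose traffic looks like a wordlist scan."""
    stats = defaultdict(lambda: {"total": 0, "miss": 0, "paths": set(), "hits": set(), "ua": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        s["ua"].add(m["ua"])
        if m["status"] == "404":
            s["miss"] += 1
        else:
            s["hits"].add(m["path"])  # paths the scanner learned exist
    findings = {}
    for ip, s in stats.items():
        ratio = s["miss"] / s["total"]
        # The default User-Agent is trivial to change, so it is only one of two signals.
        tool_ua = any(ua.lower().startswith("gobuster/") for ua in s["ua"])
        many_misses = len(s["paths"]) >= min_requests and ratio >= min_404_ratio
        if tool_ua or many_misses:
            findings[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2),
                            "tool_user_agent": tool_ua, "discovered": sorted(s["hits"])}
    return findings

def _line(ip, path, status, ua):  # helper that builds one constructed log line
    return f'{ip} - - [12/Nov/2021:14:59:15 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'

# Constructed sample: a default gobuster run, a scan with a browser-like UA, a normal visitor.
WORDS = ["/.git", "/.htaccess", "/admin", "/admin.php", "/backup", "/cgi-bin"]
SAMPLE = (
    [_line("203.0.113.5", p, 200 if p == "/admin.php" else 404, "gobuster/3.1.0") for p in WORDS]
    + [_line("203.0.113.9", p, 200 if p == "/admin.php" else 404, "Mozilla/5.0") for p in WORDS]
    + [_line("198.51.100.7", "/", 200, "Mozilla/5.0"),
       _line("198.51.100.7", "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, finding in detect_dir_busting(SAMPLE).items():
        print(ip, finding)
```

The "discovered" field lists what the scanning client found to exist, which is the first place to check for follow-up requests such as login attempts.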

Access

Accessed http://10.129.185.121/admin.php in a browser. Logging in with admin as both the ID and the password displayed the flag.
