Dockerlabs-Crackoff
Box Info OS Linux Difficulty Hard Nmap [root@kali] /home/kali/crackoff ❯ nmap 172.17.0.2 -sV -A -p- Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-28 21:28 CST Nmap scan report for sitio.dl (172.17.0.2) Host is up (0.00010s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3d:fc:bd:41:cb:81:e8:cd:a2:58:5a:78:68:2b:a3:04 (ECDSA) |_ 256 d8:5a:63:27:60:35:20:30:a9:ec:25:36:9e:50:06:8d (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: CrackOff - Bienvenido MAC Address: 02:42:AC:11:00:02 (Unknown) Device type: general purpose Running: Linux 4.X|5.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 OS details: Linux 4.15 - 5.8 Network Distance: 1 hop Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE HOP RTT ADDRESS 1 0.10 ms sitio.dl (172.17.0.2) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds Gobuster [root@kali] /home/kali/crackoff ❯ gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.php (Status: 403) [Size: 275] /index.php (Status: 200) [Size: 2974] /login.php (Status: 200) [Size: 3968] /welcome.php (Status: 200) [Size: 2800] /db.php (Status: 302) [Size: 75] [--> error.php] /error.php (Status: 200) [Size: 2705] /.php (Status: 403) [Size: 275] /server-status (Status: 403) [Size: 275] Progress: 441120 / 441122 (100.00%) =============================================================== Finished =============================================================== SQL Injection 进入login.php,发现在username字段中存在SQL注入漏洞,单引号闭合 ...