Hackthebox—— Breadcrumbs

Breadcrumbs[1]

10.10.10.228 Windows

Foothold

Step one is always nmap; if an HTTP service is open, throw gobuster at it and you are set.

nmap scan: nmap -sC -sV -v 10.10.10.228 -oA nmap/nmap

# Nmap 7.91 scan initiated Thu Feb 25 01:09:30 2021 as: nmap -sC -sV -v -oA nmap/nmap 10.10.10.228
Nmap scan report for 10.10.10.228
Host is up (0.13s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp   open  http          Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1h PHP/8.0.1)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.1
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp  open  microsoft-ds?
3306/tcp open  mysql?
| fingerprint-strings:
|   Kerberos, LDAPSearchReq, LPDString, NCP, RTSPRequest, SSLSessionReq, TerminalServer, giop:
|_    Host '10.10.16.28' is not allowed to connect to this MariaDB server
1 service unrecognized despite returning data. If you know the service/version, please submit
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Ports 80 and 443 are both open and serve the same site. The buttons on the books.php page do nothing; viewing the page source reveals

<script type="text/javascript" src='../js/books.js'></script>

The functions to focus on are getInfo() and searchBooks(): they disclose the request parameters and methods the back end expects, and the book parameter handled by getInfo() is vulnerable to LFI.
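The LFI in the book parameter is what the foothold hinges on, so it is worth seeing the pattern side by side with the check that would have prevented it. The following is an added example, not code from this write-up or from the Breadcrumbs box: it builds a constructed file tree (htdocs/books/hamlet.html plus a db.php one level above the web root, all invented for the demo), runs a lookup that simply concatenates the parameter onto a directory, the way include($dir . $_POST['book']) does, and beside it a lookup that resolves the path with realpath and refuses anything outside the books directory. The real endpoint and file layout behind getInfo() are not shown on this page, so everything here beyond the parameter name is an assumption.

```python
import os
import tempfile
from typing import Callable, Dict, Tuple

# Constructed file tree for the demo (not the real box): the web root is
# htdocs/, book pages live in htdocs/books/, and a config file with a
# "secret" sits one level above the web root where no request should reach.
def build_tree() -> str:
    """Create the tree in a temp dir and return the books directory."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    books = os.path.join(root, "htdocs", "books")
    os.makedirs(books)
    with open(os.path.join(books, "hamlet.html"), "w", encoding="utf-8") as f:
        f.write("<h1>Hamlet</h1>")
    with open(os.path.join(root, "db.php"), "w", encoding="utf-8") as f:
        f.write("<?php $dbpass = 'constructed-secret'; ?>")
    return books


def _win_to_posix(book: str) -> str:
    """PHP on Windows accepts '\\' as a path separator as well as '/'.
    Emulate that so the demo behaves the same on a Linux host."""
    return book.replace("\\", "/")


def vulnerable_lookup(books_dir: str, book: str) -> str:
    """The pattern behind most LFIs: include($dir . $_POST['book']) with
    no check at all on what 'book' contains."""
    path = os.path.join(books_dir, _win_to_posix(book))
    with open(path, encoding="utf-8") as f:
        return f.read()


def hardened_lookup(books_dir: str, book: str) -> str:
    """Resolve the request with realpath (collapses '..' and symlinks) and
    refuse anything whose resolved path is not under books_dir."""
    if "\x00" in book:
        raise PermissionError("NUL byte in book parameter")
    root = os.path.realpath(books_dir)
    candidate = os.path.realpath(os.path.join(root, _win_to_posix(book)))
    # commonpath of [root, candidate] equals root only if candidate is
    # inside root; a plain startswith() check would accept root + "_evil".
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{book!r} resolves outside {root}")
    if not candidate.endswith(".html"):
        raise PermissionError("only .html book pages are served")
    with open(candidate, encoding="utf-8") as f:
        return f.read()


# Constructed payloads: one legitimate name, then two traversal variants
# an attacker would try against a Windows/Apache/PHP host.
PAYLOADS = [
    "hamlet.html",      # what the front end normally sends
    "../../db.php",     # classic traversal out of books/ and htdocs/
    "..\\..\\db.php",   # same, with Windows separators
]


def _attempt(fn: Callable[[str, str], str], books_dir: str, book: str) -> str:
    try:
        return fn(books_dir, book)
    except PermissionError:
        return "BLOCKED"
    except (OSError, ValueError):
        return "ERROR"


def run_payloads(books_dir: str) -> Dict[str, Tuple[str, str]]:
    """Return {payload: (vulnerable result, hardened result)}."""
    return {p: (_attempt(vulnerable_lookup, books_dir, p),
                _attempt(hardened_lookup, books_dir, p)) for p in PAYLOADS}


if __name__ == "__main__":
    results = run_payloads(build_tree())
    for payload, (vuln, hard) in results.items():
        print(f"{payload!r:20} vulnerable -> {vuln!r:45} hardened -> {hard!r}")
```

Running it shows the vulnerable lookup returning the contents of db.php for both traversal payloads while the hardened one reports BLOCKED; the legitimate hamlet.html request succeeds in both. The extension check is a second line of defence rather than the primary one: the realpath-plus-commonpath comparison is what actually stops traversal, and it is done after normalising backslashes because on the target's Windows host PHP treats them as separators too.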

This article was first published on the WeChat public account 靶机狂魔: Hackthebox—— Breadcrumbs
