HTB: Crocodile
涂寐 Lv5

Disclaimer: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange; no one may use them for illegal purposes or for profit, and anyone who does bears the consequences themselves!

TASK 1

  • Q: Which Nmap switch invokes the default scripts during a scan?
  • A: -sC

TASK 2

  • Q: What service version is found to be running on port 21?
  • A: vsftpd 3.0.3

TASK 3

  • Q: What FTP code is returned to us for the "Anonymous FTP login allowed" message?
  • A: 230

TASK 4

  • Q: After connecting to the FTP server with an FTP client, what username do we provide when prompted to log in anonymously?
  • A: anonymous

TASK 5

  • Q: After connecting to the FTP server anonymously, what command can we use to download the files we find on it?
  • A: get

TASK 6

  • Q: In the 'Allowed.Userlist' we downloaded from the FTP server, which username sounds like it has higher privileges?
  • A: admin

TASK 7

  • Q: What version of Apache HTTP Server is running on the target host?
  • A: Apache httpd 2.4.41

TASK 8

  • Q: Which Gobuster switch lets us specify the particular file types we are looking for?
  • A: -x

TASK 9

  • Q: Which PHP file can we identify through directory brute-forcing that gives us the opportunity to authenticate to the web service?
  • A: login.php

SUBMIT FLAG

  • Q: Submit root flag
  • A:

# P.S. the standard nmap opener
kali@kali:~/Test$ nmap -sC -sV -T4 10.129.228.202
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 16:10 CST
Nmap scan report for 10.129.228.202
Host is up (0.77s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.33
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.10 seconds
# P.S. brute-forcing web directories with gobuster
kali@kali:~/Test$ gobuster dir --url http://10.129.228.202/ -w /usr/share/dirb/wordlists/small.txt -x .php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.228.202/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2023/02/28 16:04:54 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 317] [--> http://10.129.228.202/assets/]
/config.php (Status: 200) [Size: 0]
/css (Status: 301) [Size: 314] [--> http://10.129.228.202/css/]
/js (Status: 301) [Size: 313] [--> http://10.129.228.202/js/]
/login.php (Status: 200) [Size: 1577]
/logout.php (Status: 302) [Size: 0] [--> login.php]
Progress: 1918 / 1920 (99.90%)
===============================================================
2023/02/28 16:06:53 Finished
===============================================================
# P.S. FTP gave us the username and password lists and gobuster found the login page; you can guess what comes next
# P.S. as the earlier questions hint, the username is admin and there are only 4 passwords; not even worth opening Burp (bp)


  • P.S. The scan found an FTP service, and anonymous login gave us the username and password lists; it also found an HTTP service, and enumerating web paths turned up the login page, which we brute-forced with those lists to get the flag.
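As an added example (not part of this writeup and not an HTB or Nmap tool), the following Python script parses nmap normal-format output like the scan above and reports, from a defender's point of view, the exposures that made this box trivial: anonymous FTP login enabled, a credential-like file readable by the anonymous user, and plaintext FTP control/data channels. The sample input is constructed from the scan output shown above with the whitespace collapsed the same way; the rule that NSE script names are lowercase and hyphenated (which separates "| ftp-syst:" from nested lines such as "| STAT:") is an assumption of this parser, not something nmap guarantees.

```python
import re

# Constructed sample input: the port section of the nmap normal-format output
# from the scan above, reduced to the lines this parser needs.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Control connection is plain text
| Data connections will be plain text
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Unix
"""

# "21/tcp open ftp vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: ..." or "|_http-title: ..." -> start of one NSE script's output.
# Assumption: NSE script names are lowercase and hyphenated, which keeps nested
# lines such as "| STAT:" from being mistaken for a script even after the
# indentation has been collapsed.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][a-z0-9-]*):\s*(.*)$")
PREFIX_RE = re.compile(r"^\|_?\s?")  # strips the "| " / "|_" script-output prefix


def parse_nmap(text):
    """Return a list of port records; each carries its NSE script output keyed by script name."""
    ports, port, script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port = {
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5), "scripts": {},
            }
            ports.append(port)
            script = None
            continue
        if port is None or not line.startswith("|"):
            continue  # table header, "Service Info", blank lines
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            port["scripts"][script] = [m.group(2)] if m.group(2) else []
        elif script is not None:
            port["scripts"][script].append(PREFIX_RE.sub("", line))
    return ports


def assess(ports):
    """Flag the exposure conditions visible in the scan output."""
    findings = []
    for p in ports:
        tag = f"{p['port']}/{p['proto']}"
        anon = p["scripts"].get("ftp-anon", [])
        if anon and anon[0].startswith("Anonymous FTP login allowed"):
            findings.append(f"{tag}: anonymous FTP login allowed ({p['version']})")
            # Lines after the first are the listing the anonymous user can read.
            for entry in anon[1:]:
                name = entry.split()[-1]
                if name.lower().endswith(".passwd") or "pass" in name.lower():
                    findings.append(f"{tag}: credential-like file readable anonymously: {name}")
        syst = p["scripts"].get("ftp-syst", [])
        if any("plain text" in s for s in syst):
            findings.append(f"{tag}: FTP control/data channels are plain text (no TLS)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap(SAMPLE_NMAP)):
        print(finding)
```

Run against the constructed sample it reports three findings for port 21 and nothing for port 80; pointing `parse_nmap` at a saved `nmap -oN` file turns the same check into a quick triage pass over a whole scan, and the remediation for each finding is the obvious one (disable `anonymous_enable` in vsftpd, never publish credential files in a shared FTP root, enable FTPS or replace FTP with SFTP).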