首页 > 其他分享 >vulnhub - Nagini - writeup

vulnhub - Nagini - writeup

时间:2023-10-14 15:25:06浏览次数:38  
标签:-- writeup joomla 192.168 Nagini vulnhub file curl public

信息收集

基础信息

目标只开放了22和88:

root@Lockly tmp/nagini » arp-scan -I eth1 -l
Interface: eth1, type: EN10MB, MAC: 00:0c:29:fa:3d:23, IPv4: 192.168.56.106
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:1f       (Unknown: locally administered)
192.168.56.100  08:00:27:41:61:d7       PCS Systemtechnik GmbH
192.168.56.108  08:00:27:10:e2:a8       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.563 seconds (99.88 hosts/sec). 3 responded
root@Lockly tmp/nagini » nmap -A -sT -p- -Pn --min-rate 6000 192.168.56.108 -o /root/temp/tmp/nagini/nagini.nmap  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 14:45 CST
Nmap scan report for 192.168.56.108
Host is up (0.0028s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 48:df:48:37:25:94:c4:74:6b:2c:62:73:bf:b4:9f:a9 (RSA)
|   256 1e:34:18:17:5e:17:95:8f:70:2f:80:a6:d5:b4:17:3e (ECDSA)
|_  256 3e:79:5f:55:55:3b:12:75:96:b4:3e:e3:83:7a:54:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:10:E2:A8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     A![image-20231008145457178](assets/image-20231008145457178.png)DDRESS
1   2.82 ms 192.168.56.108

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.58 seconds

访问网页,真就开局一张图其他全靠编。

image-20231008145508397

目录探测

这里有一个joomla这个cms好像在DC系列见过,还有一个note.txt

root@Lockly tmp/nagini » gobuster dir -u http://192.168.56.108 -w /usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.108
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 97]
/note.txt             (Status: 200) [Size: 234]
/joomla               (Status: 301) [Size: 317] [--> http://192.168.56.108/joomla/]
/server-status        (Status: 403) [Size: 279]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

http3访问

访问这个note.txt,提示了要绑定域名 并且以HTTP3来访问。

root@Lockly tmp/nagini » curl http://192.168.56.108/note.txt                                                                       
Hello developers!!


I will be using our new HTTP3 Server at https://quic.nagini.hogwarts for further communications.
All developers are requested to visit the server regularly for checking latest announcements.


Regards,
site_amdin

edge,火狐均按网上步骤开启HTTP3访问但都无效,单独下了chrome canary版,chrome.exe --enable-quic --quic-version=h3-27开启HTTP3访问也不行。想用python中的库http3来试试,但报错无法连接。

import http3

client = http3.Client()
response = client.get("https://quic.nagini.hogwarts")
print(response.text)

# ConnectionRefusedError: [Errno 111] Connect call failed ('192.168.56.109', 443)

去搜了搜go中实现http3客户端,也尝试了一下还是失败访问不到。

package main

import (
	"crypto/tls"
	"fmt"
	quic "github.com/quic-go/quic-go"
	quichttp "github.com/quic-go/quic-go/http3"
	"io/ioutil"
	"net/http"
)

func main() {
	tr := &quichttp.RoundTripper{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		QuicConfig:      &quic.Config{Versions: []quic.VersionNumber{quic.Version2}},
	}

	client := &http.Client{Transport: tr}

	resp, err := client.Get("https://192.168.56.109/")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Println(string(body))
}

// Get "https://192.168.56.109/": timeout: no recent network activity

看了别人的wp,如下操作网速太慢老失败,先挂着先。

git clone https://github.com/cloudflare/quiche
cd quiche
apt purge rustc
export RUSTUP_DIST_SERVER=https://mirrors.ustc.edu.cn/rust-static
export RUSTUP_UPDATE_ROOT=https://mirrors.ustc.edu.cn/rust-static/rustup
curl -proto '=https'--tlsv1.2 -sSf https://sh.rustup.rs | sh    //这里会有一个选项,选第一个   
source "$HOME/.cargo/env"
cargo build --examples   
cargo test

终于是编译完了,编译好的工具在target/debug/examples这个目录下。

image-20231010083301041

666,什么内容都没有,错也不报。这个机器还重新配置了一遍也不行。没弄明白是为什么。

image-20231010092806905

搜了搜还可以用curl,他有个--http3参数,但是我的版本不支持(会报错:curl: option --http3: the installed libcurl version doesn't support this),需要重新编译。参考这里

标签:--,writeup,joomla,192.168,Nagini,vulnhub,file,curl,public
From: https://www.cnblogs.com/bktown/p/17764192.html

相关文章

  • vulnhub-wp-funbox1
    vulnhub靶机wp系列之funbox:1本文结构......
  • vulnhub-Vikings
    第九周打点arp-scan-l发现主机信息搜集nmap-p-192.168.56.12这里发现80端口存在http服务,直接使用浏览器进行访问。nmap-p22,80-sV192.168.56.12发现直接展示了目录。我们进行查看,这里因为它引用了一些国外的资源,加载比较慢。可能得好几分钟。进来之后就是这......
  • WriteUp-CTF-Web
    代码审计simple_php来源:攻防世界考点:php代码审计之数字与字符串的比较工具:手工难度:⭐分析过程打开场景,分析代码构造payload:?a="0"&b=12345s反序列化unserialize3来源:攻防世界考点:php反序列化漏洞、__wakeup()函数的绕过机制工具:手工难......
  • vulnhub - Fawks - writeup
    信息收集目标开放了21的ftp有匿名登录,除此之外还有常规的80,和连个ssh的端口。80端口的是一张图片,就是哈利波特的海报图。anonymous空密码登上去有一个文件下载下来是二进制的文件上kali里面运行看看。可以看到这个进程,接着看他开启什么服务没有,看到他在9898开放了,输入魔......
  • vulnhub - Aragog - writeup
    信息收集目标开放了80、22端口。root@Locklytemp/tmp»arp-scan-Ieth1-lInterface:eth1,type:EN10MB,MAC:00:0c:29:fa:3d:23,IPv4:192.168.56.106Startingarp-scan1.10.0with256hosts(https://githu......
  • vulnhub_phpmyadmin_CVE-2016-5734漏洞复现
    漏洞复现练习漏洞简介phpMyAdmin是一套开源的、基于Web的MySQL数据库管理工具。在其查找并替换字符串功能中,将用户输入的信息拼接进preg_replace函数第一个参数中。在PHP5.4.7以前,preg_replace的第一个参数可以利用\0进行截断,并将正则模式修改为e。众所周知,e模式的正则支持......
  • CewlKid(VulnHub)
    CewlKid(VulnHub)目录CewlKid(VulnHub)1、前期信息收集nmap扫描①存活主机②端口扫描、操作系统③漏洞探测④tcp、udp扫描gobuster目录爆破dirb目录爆破2、Web渗透部分思路一:SitemagicCMS漏洞库查询思路二:常规web渗透手法①信息收集②密码爆破,尝试进后台③上传webshell④拿下普通权......
  • WriteUp-CTF-MISC
    图片隐写图片隐写五部曲:查看详情信息;探测隐藏文件;检索关键字;查看不同通道;修改宽高尺寸Banmabanma来源:攻防世界考点:扫码工具的使用工具:在线扫码工具(BarcodeReader.FreeOnlineWebApplication(inliteresearch.com))难度:⭐分析过程下载文件,得到zip压缩包;解压......
  • 2023年“羊城杯”网络安全大赛-高职高专组 WriteUP
    2023羊城杯WriteUpByXp0int2023羊城杯附件.zip2023年“羊城杯”网络安全大赛-高职高专组WriteUP——剑来.pdfWeb-1题目名称:D0n'tpl4yg4m3!!!题目内容:小明不小心沉迷⚪⚪的东西把源码和猫猫搞丢了,请帮他找回来。请访问/p0p.php【Flag完整格式一般为:flag{}或者DA......
  • 【Sword系列】Vulnhub靶机Bob_v1.0.1 writeup
    个人博客地址:  http://www.sword-blogs.com/下载地址:https://www.vulnhub.com/entry/bob-101,226/信息搜集扫描IP地址扫描端口及端口信息访问80端口并没有发现有用的信息扫描目录看到有熟悉的robots.txt,访问看一下发现了dev_shell.php,可以执行一些简单的命令,但是不......