HTB:Ignition[WriteUP]
Connect to the HTB server and start the target machine.
Target IP: 10.129.1.27
Assigned IP: 10.10.16.12
1.Which service version is found to be running on port 80?
Use nmap to run a script and service-version scan against port 80 on the target:
nmap -sC -sV -p 80 {TARGET_IP}
The nmap results show the service version under the VERSION column: nginx 1.14.2
2.What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
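Use curl to request the target URL, with the -i option so that the output includes the response headers.
The curl output shows that requesting the target's HTTP address returns status code: 302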
3.What is the virtual host name the webpage expects to be accessed by?
Visit the target URL http://{TARGET_IP} directly in a browser:
Or request http://{TARGET_IP} again with curl's -v option:
The request is redirected to: ignition.htb
4.What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?
Here we edit the local hosts file so that the domain name resolves locally.
The default path of the hosts file is usually: /etc/hosts
Open the hosts file with vim:
vim /etc/hosts
Add this line to the file: {TARGET_IP} ignition.htb
Or enter the following directly on the command line, which appends this line to the hosts file:
echo '{TARGET_IP} ignition.htb' >> /etc/hosts
5.Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?
Visit ignition.htb in the browser again; the page now displays normally:
Here I use gobuster to brute force directories on this domain:
gobuster dir --url http://ignition.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Try visiting /admin in the browser:
The admin login page loads successfully. Full path: http://ignition.htb/admin
6.Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?
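I asked a random AI about Magento's minimum password length and found that it is 7 characters, and that login limiting is enabled by default.
In the end I also only found out by reading the official write-up that this question is solved by weak-password guessing:
Account: admin
Password: qwerty123
Entering the admin panel: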
ROOT_FLAG:797d6c988d9dc5865e010b9410f247e0
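Added example (not from the original write-up or from Magento's own code): a password-policy check showing why qwerty123 satisfies a length-and-composition rule yet is rejected once a common-password denylist is consulted. The letters-plus-digits rule, the function names and the small denylist are assumptions constructed for illustration; only the 7-character minimum comes from the text above.

```python
import re

# Constructed sample denylist for illustration; a real deployment would load a
# large list of common or breached passwords instead.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "qwerty123", "admin123", "password1",
}

MIN_LENGTH = 7  # minimum length stated in the write-up


def meets_composition_rules(password: str) -> bool:
    """Length check plus a letters-and-digits rule (the latter is an assumption)."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
    )


def normalize(value: str) -> str:
    """Trim and fold case so trivial variants hit the same denylist entry."""
    return value.strip().casefold()


def evaluate(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_composition_rules(password):
        reasons.append("fails length/composition rules")
    folded = normalize(password)
    if folded in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if username and normalize(username) in folded:
        reasons.append("contains the account name")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: the first passes composition rules but not the denylist.
    for candidate in ("qwerty123", "Qwerty123", "admin2023x", "short1",
                      "tr4vel-Lantern-0range"):
        verdict = evaluate(candidate, username="admin")
        print(f"{candidate!r}: composition-only={meets_composition_rules(candidate)}, "
              f"hardened={'accept' if not verdict else verdict}")
```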
Original article: https://blog.csdn.net/qq_43007452/article/details/142726958