HTB:Ignition[WriteUP]

0DayHP2024-10-06 20:28

目录

连接至HTB服务器并启动靶机

[1.Which service version is found to be running on port 80?](#1.Which service version is found to be running on port 80?)

[2.What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?](#2.What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?)

[3.What is the virtual host name the webpage expects to be accessed by?](#3.What is the virtual host name the webpage expects to be accessed by?)

[4.What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?](#4.What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?)

[5.Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?](#5.Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?)

[6.Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?](#6.Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?)

​编辑ROOT_FLAG:797d6c988d9dc5865e010b9410f247e0

连接至HTB服务器并启动靶机

靶机IP:10.129.1.27

分配IP:10.10.16.12

1.Which service version is found to be running on port 80?

使用nmap 对靶机80端口进行脚本、服务信息扫描:

nmap -sC -sV -p 80 {TARGET_IP}

nmap 扫描结果可见,在VERSION 栏目下的服务版本为:nginx 1.14.2

2.What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?

使用curl 对靶机URL进行访问,使用**-i**参数使输出包含响应头

由curl输出结果可见,访问靶机HTTP地址响应状态码:302

3.What is the virtual host name the webpage expects to be accessed by?

直接使用浏览器对靶机URL:**http://{TARGET_IP}**进行访问:

或者使用curl 中的**-v** 参数再次访问http://{TARGET_IP}

发现被重定向到了:ignition.htb

4.What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?

我们这里尝试修改本地hosts文件,使该域名从本地解析

hosts文件通常默认路径为:/etc/hosts

使用vim打开hosts文件:

vim /etc/hosts

在文件中添加一行:{TARGET_IP} ignition.htb

或者直接在命令行中输入,表示将改行字符串追加进hosts中:

echo '{TARGET_IP} ignition.htb' >> /etc/hosts

5.Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?

再次使用浏览器对ignition.htb进行访问,发现已经正常显示页面:

我这里使用gobuster对该域名进行目录爆破:

gobuster dir --url http://ignition.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

使用浏览器尝试对**/admin** 进行访问:

可以成功进入后台登录界面,完整路径:http://ignition.htb/admin

6.Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?

随便抓一个AI来问一下magento 的最短密码长度,发现是7 位,而且默认开启登录限制的

这道题最后我也是通过看了官方WP知道是弱口令猜解:

账户:admin

密码:qwerty123

进入后台面板:

ROOT_FLAG:797d6c988d9dc5865e010b9410f247e0

相关推荐
Hugo_McQueen11 小时前
pWnos1.0 靶机渗透 (Perl CGI 的反弹 shell 利用)
linux·服务器·网络安全
学习溢出13 小时前
深入了解 net user 命令:上一次是谁登录的?
windows·网络安全·系统安全
CyberMuse1 天前
网络安全cybersecurity的几个新领域
网络安全
HEX9CF1 天前
【CTF Web】Pikachu xss之href输出 Writeup(GET请求+反射型XSS+javascript:伪协议绕过)
开发语言·前端·javascript·安全·网络安全·ecmascript·xss
kuber09091 天前
APISIX 联动雷池 WAF 实现 Web 安全防护
网络安全
计算机科研之友(Friend)2 天前
物联网(一)——CMC特刊推荐
开发语言·人工智能·深度学习·物联网·计算机视觉·网络安全
sleepywin2 天前
【BUUCTF N1BOOK】[第一章 web入门]
web安全·网络安全
newxtc2 天前
【社保通-注册安全分析报告-滑动验证加载不正常导致安全隐患】
安全·web安全·网络安全·安全威胁分析
热门推荐
01分享几个惊艳的 Three.js 个人站点02【经验分享】Ubuntu22.04安装微信(linux官方版)032024年高教社杯数学建模国赛C题超详细解题思路分析04组基轨迹建模 GBTM的介绍与实现(Stata 或 R)05安卓系列机型永久去除data分区加密 详细步骤解析06【2024数模国赛赛题思路公开】国赛B题思路丨附可运行代码丨无偿自提07CTF网络安全大赛简单的web抓包题目:HEADache08Ubuntu24.04安装中文输入法09【2024高教社杯全国大学生数学建模竞赛】B题 生产过程中的决策问题——解题思路 代码 论文10springer 在线投稿编译踩坑