No.3-Jarvis-难度普通-HTB-walkthrough
**
挺有意思的一台机器,有挺多种方式拿 low priv shell。
**
攻击机:官方Kali linux 2019 64位
作者:Ikonw
靶机介绍
一,端口扫描
只有HTTP 比较有兴趣,title 是 Stark Hotel
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 11:48 +08
Nmap scan report for jarvis.htb (10.10.10.143)
Host is up (0.33s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 03:f3:4e:22:36:3e:3b:81:30:79:ed:49:67:65:16:67 (RSA)
| 256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_ 256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Stark Hotel
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
二,HTTP Enumeration
第一个习惯就是先把gobuster 上起来
gobuster dir -w directory-list-2.3-medium.txt -u 10.10.10.143 -t 50
发现有 phpmyadmin
经过一番尝试,default 账号和密码都无效。暂时先跳过。
继续浏览 stark hotel(钢铁侠爱好者,stark 和 jarvis)
在网页上发现几处可疑的域名
supersecurehotel.htb