file

这台靶机的投票中EasyMedium票数不相上下,总体难度还算简单,主要考查到了两个地方:

  • 目录及目录下的文件爆破
  • shellshock漏洞

目录爆破

目录爆破,我想各位应该都很熟练了,我们可以使用ffuf工具来进行目录爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
ffuf -u http://10.10.10.56/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.56/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

.htaccess               [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 3ms]
.htpasswd               [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 4ms]
cgi-bin/                [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 7ms]
server-status           [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 4ms]
:: Progress: [20476/20476] :: Job [1/1] :: 7857 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

也可以使用gobuster工具来进行爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
gobuster dir -u http://10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/big.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.56
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/14 08:59:52 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/cgi-bin/             (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 299]

===============================================================
2022/09/14 08:59:57 Finished
===============================================================

从上述结果中可以看到,当前靶机所提供的web服务中,存在/cgi-bin/子目录。

如果目录爆破的工作就到此为止的话,恐怕你和我一样,会卡在这里,然后去Google搜其它人写的write up了。

因此,这台靶机带给我的启示之一是:当你爆破出某个子目录时,应该做进一步爆破,尝试爆破该子目录下的更多内容(子目录/文件)

所以,我们接下来需要对/cgi-bin/子目录来进行进一步爆破:

文件名爆破

我翻了翻网上的其它人写的write up后,总结如下:

可以通过feroxbuster工具来爆破文件名:

1
feroxbuster -u http://10.10.10.56/cgi-bin/ -x sh,cgi,pl

也可以通过gobuster工具配合directory-list-2.3-medium.txt字典爆破文件名:

1
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi

看到上面的命令,我去看了一下字典里的文件名,总觉得有些运气成分在里面,因为字典里的文件名太少了!!!

万一我下一次遇到的靶机某个文件不在这个字典里,那不就又歇菜了!!?

所以进一步又引发了我的思考:有没有一个特别牛逼的大而全的文件名字典和后缀名字典?以后见到子目录无脑扫就完事了!

经过我的一番查找,在SecLists里找到了一个文件名大全的字典(big.txt)和文件后缀名大全的字典(extensions-skipfish.fuzz.txt)。

以Moderators靶机为例,后续遇到某个特殊的子目录,就可以这样继续扫它的子目录:

1
ffuf -u http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ/ -w big.txt

也可以通过以下方式扫子目录里的文件:

1
ffuf -u http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ1.FUZZ2  -w big.txt:FUZZ1 -w ../../Fuzzing/extensions-skipfish.fuzz.txt:FUZZ2

shellshock

至于shellshock漏洞原理及利用,可以参考以下内容: https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf

在此我就不赘述了。

参考文章

https://0xdf.gitlab.io/2021/05/25/htb-shocker.html

https://ranakhalil101.medium.com/hack-the-box-shocker-writeup-w-o-metasploit-feb9e5fa5aa2

https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-shocker/

[HTB]Shocker Writeup