Stack Ashes

lantern

Challenge description

Difficulty: Hard
Description:
Prerequisites:

https://racc0x.github.io/posts/lantern/#box-info

Basic information

🚀    Local machine    Target machine
IP    10.17.5.121      10.10.11.29
OS    kali             Linux

Information gathering

Port scan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.29:22
Open 10.10.11.29:80
Open 10.10.11.29:3000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-18 01:06 CST
Initiating Ping Scan at 01:06
Scanning 10.10.11.29 [2 ports]
Completed Ping Scan at 01:06, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:06
Completed Parallel DNS resolution of 1 host. at 01:06, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 01:06
Scanning lantern.htb (10.10.11.29) [3 ports]
Discovered open port 80/tcp on 10.10.11.29
Discovered open port 22/tcp on 10.10.11.29
Discovered open port 3000/tcp on 10.10.11.29
Completed Connect Scan at 01:06, 0.24s elapsed (3 total ports)
Nmap scan report for lantern.htb (10.10.11.29)
Host is up, received syn-ack (0.24s latency).
Scanned at 2024-11-18 01:06:52 CST for 0s

PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
3000/tcp open  ppp     syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds

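Path enumeration

Points of interest

File upload?

Skipper Proxy is an open-source HTTP proxy designed to manage and route web traffic.

SSRF

I did not understand how the password is obtained, so for now I took it from someone else's write-up.

Log in to lantern.htb:3000 with the credentials admin:AJbFA_Q@925p9ap#22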

Vulnerability discovery

Local file read

User obtained

tomas:x:1000:1000:tomas:/home/tomas:/bin/bash

Exploitation

webshell

usershell

rootshell

Key takeaways

Summary

