
HTB-WhiteRabbit

WhiteRabbit

[Image: image-20250410101919492]

Information gathering

Visiting the IP address first, it redirects automatically to whiterabbit.htb, so add the host entry:

```bash
sudo vim /etc/hosts

# add the following line
10.10.11.63 whiterabbit.htb

# :wq
```

A dirsearch scan of the site turns up nothing; fingerprinting shows it is served by Caddy, and the homepage leaks nothing sensitive, so the next step is to brute-force subdomains to find more assets.

```bash
# enumerate subdomains (virtual hosts) with ffuf
ffuf -u http://whiterabbit.htb/ -w /Users/r3tr0/hack/KaliLists/SecLists-master/Discovery/dns/subdomains-top1million-110000.txt -H "Host: FUZZ.whiterabbit.htb" -H "X-Forwarded-For: localhost"
```

Running it produces a flood of 302 redirects with a response size of 0. That is clearly not the response we are looking for, so filter them out:

```
➜  whiterabbit ffuf -u http://whiterabbit.htb/ -w /Users/r3tr0/hack/KaliLists/SecLists-master/Discovery/dns/subdomains-top1million-110000.txt -H "Host: FUZZ.whiterabbit.htb" -H "X-Forwarded-For: localhost" -fs 0

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://whiterabbit.htb/
:: Wordlist : FUZZ: /Users/r3tr0/hack/KaliLists/SecLists-master/Discovery/dns/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.whiterabbit.htb
:: Header : X-Forwarded-For: localhost
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 0
________________________________________________

status [Status: 302, Size: 32, Words: 4, Lines: 1, Duration: 92ms]
:: Progress: [114441/114441] :: Job [1/1] :: 421 req/sec :: Duration: [0:05:02] :: Errors: 0 ::
```

Note that the filter must be on size 0 rather than on the 302 status code: a genuine virtual host may also answer with a 302, but its response size will not be 0. Alternatively, use gobuster's vhost mode directly:

```
➜  whiterabbit gobuster vhost -u http://whiterabbit.htb/  --append-domain -w=/Users/r3tr0/hack/KaliLists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://whiterabbit.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /Users/r3tr0/hack/KaliLists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: status.whiterabbit.htb Status: 302 [Size: 32] [--> /dashboard]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================
```

Scan the directories under the status subdomain with dirsearch (some irrelevant 404 results have been removed):

```
➜  whiterabbit dirsearch -u http://status.whiterabbit.htb/ --crawl

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /Users/r3tr0/hack/hackthebox/machines/whiterabbit/reports/http_status.whiterabbit.htb/__25-04-10_15-56-53.txt

Target: http://status.whiterabbit.htb/

[15:56:53] Starting:
[15:57:25] 301 - 179B - /assets -> /assets/
[15:57:36] 200 - 15KB - /favicon.ico
[15:57:45] 200 - 415B - /manifest.json
[15:57:46] 401 - 0B - /metrics/
[15:57:46] 401 - 0B - /metrics
[15:57:54] 200 - 25B - /robots.txt
[15:57:55] 301 - 189B - /screenshots -> /screenshots/
[15:57:59] 404 - 2KB - /status/
[15:57:59] 404 - 2KB - /status
[15:57:59] 404 - 2KB - /status?full=true
[15:57:59] 200 - 57KB - /assets/polyfills-legacy-COqB9mNb.js
[15:57:59] 200 - 477KB - /assets/index-CYsZUv7d.js
[15:58:02] 301 - 179B - /Upload -> /Upload/
[15:58:02] 301 - 179B - /upload -> /upload/

Task Completed
```

Scan the discovered directories recursively to see what else they hold (directories with nothing in them are not shown):

```
➜  whiterabbit dirsearch -u http://status.whiterabbit.htb/status/ --crawl --exclude-sizes 2KB

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /Users/r3tr0/hack/hackthebox/machines/whiterabbit/reports/http_status.whiterabbit.htb/_status__25-04-10_18-27-59.txt

Target: http://status.whiterabbit.htb/

[18:27:59] Starting: status/
[18:31:04] 200 - 3KB - /status/temp
[18:31:07] 200 - 477KB - /assets/index-CYsZUv7d.js
[18:31:07] 200 - 57KB - /assets/polyfills-legacy-COqB9mNb.js

Task Completed
```

Visit /status/temp:

[Image: image-20250410183302572]

Big find! The hidden domain names are all listed here; add every one of them to hosts.

The first page turns out to be a phishing login page; set it aside for now.

The second page reveals ==important information!==

[Image: image-20250411172026027]

Scan it as well:

```
➜  whiterabbit dirsearch -u http://a668910b5514e.whiterabbit.htb/ --crawl --exclude-sizes 9B

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /Users/r3tr0/hack/hackthebox/machines/whiterabbit/reports/http_a668910b5514e.whiterabbit.htb/__25-04-11_17-02-27.txt

Target: http://a668910b5514e.whiterabbit.htb/

[17:02:27] Starting:
[17:02:57] 418 - 0B - /.well-known/acme-challenge/dtfy
[17:03:04] 403 - 2KB - /A
[17:03:04] 403 - 2KB - /a
[17:03:04] 200 - 5KB - /_assets/js/runtime.js?1716156900
[17:03:08] 200 - 2MB - /_assets/js/app.js?1716156900
[17:04:10] 200 - 2KB - /d
[17:04:16] 500 - 2KB - /e
[17:04:19] 200 - 15KB - /favicon.ico
[17:04:24] 400 - 18B - /graphql/schema.xml
[17:04:24] 400 - 18B - /graphql/graphql
[17:04:24] 400 - 18B - /graphql/schema.yaml
[17:04:24] 400 - 18B - /graphql/console/
[17:04:24] 400 - 18B - /graphql/schema.json
[17:04:24] 400 - 18B - /graphql/console
[17:04:24] 400 - 18B - /graphql/
[17:04:24] 400 - 18B - /graphql
[17:04:28] 200 - 11B - /healthz
[17:04:28] 200 - 3KB - /home
[17:04:28] 200 - 3KB - /home.html
[17:04:29] 302 - 23B - /i -> /
[17:04:40] 200 - 2KB - /login
[17:04:41] 500 - 2KB - /login/cpanel.aspx
[17:04:41] 500 - 2KB - /login/cpanel.php
[17:04:41] 500 - 2KB - /login/cpanel.js
[17:04:41] 500 - 2KB - /login/login
[17:04:41] 500 - 2KB - /login/index
[17:04:41] 500 - 2KB - /login/cpanel.jsp
[17:04:41] 500 - 2KB - /login/cpanel.html
[17:04:41] 500 - 2KB - /login/super
[17:04:41] 302 - 23B - /logout -> /
[17:04:57] 200 - 2KB - /p
[17:05:13] 500 - 2KB - /register
[17:05:14] 200 - 0B - /robots.txt
[17:05:14] 200 - 2KB - /s
[17:05:14] 200 - 2KB - /s/sfsites/aura
[17:05:34] 200 - 2KB - /t

Task Completed
```
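The scans above rely on size filters (`-fs 0`, `--exclude-sizes 2KB`) to separate real hits from the target's generic error page, and a blanket size exclusion can also hide a genuine 200 of the same size (like /d above). As an added example, not part of the original writeup, here is a small Python triage helper for dirsearch console output: it parses each result line with its size unit, learns the error-page size from the 403/404/500 hits, and drops only error-status entries of that size. The sample lines are constructed from the scans on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Matches one dirsearch console result line, e.g. "[17:04:29] 302 - 23B - /i -> /"
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+(?P<status>\d{3})\s+-\s+"
    r"(?P<size>\d+(?:\.\d+)?)(?P<unit>B|KB|MB)\s+-\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<redirect>\S+))?"
)
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

# Constructed sample, mirroring the status.* and a668910b5514e.* scans above.
SAMPLE = """\
[15:57:46] 401 - 0B - /metrics
[15:57:54] 200 - 25B - /robots.txt
[15:57:59] 404 - 2KB - /status
[17:03:04] 403 - 2KB - /a
[17:04:10] 200 - 2KB - /d
[17:04:16] 500 - 2KB - /e
[17:04:28] 200 - 11B - /healthz
[17:04:29] 302 - 23B - /i -> /
[18:31:04] 200 - 3KB - /status/temp
Task Completed
"""


@dataclass
class Hit:
    status: int
    size: int  # body size normalised to bytes
    path: str
    redirect: Optional[str]


def parse_dirsearch(text: str) -> List[Hit]:
    """Parse result lines; banner, 'Starting:' and 'Task Completed' lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(float(m["size"]) * UNIT_BYTES[m["unit"]])
            hits.append(Hit(int(m["status"]), size, m["path"], m["redirect"]))
    return hits


def error_page_sizes(hits: List[Hit]) -> Set[int]:
    """Sizes seen on 403/404/500 answers: the target's generic error page(s)."""
    return {h.size for h in hits if h.status in (403, 404, 500)}


def triage(hits: List[Hit]) -> List[Hit]:
    """Drop error-status hits that are just the generic error page; keep everything else."""
    noise = error_page_sizes(hits)
    return [h for h in hits if h.status < 400 or h.size not in noise]
```

Unlike `--exclude-sizes 2KB`, this keeps the 200 responses of 2KB (/d) while still dropping the 2KB 403/404/500 noise, and it leaves the 0-byte 401 on /metrics in place because 0 is never seen as an error-page size.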

==There is a /login page and a /healthz API; set them aside for now==

Add the domain from the example to hosts and visit it: it is also a login page. Scan its directories again.