Lab: https://app.hackinghub.io/hubs/prison-hack
Information gathering
Subdomain enumeration
1. subfinder
files.jabprisons.com
staging.jabprisons.com
cobrowse.jabprisons.com
a1.top.jabprisons.com
cf1.jabprisons.com
va.cobrowse.jabprisons.com
vs.jabprisons.com
collect.jabprisons.com
log.jabprisons.com
fls.jabprisons.com
cf2.jabprisons.com
com.jabprisons.com
ident.jabprisons.com
top.jabprisons.com
wpengine.jabprisons.com
api.jabprisons.com
library.jabprisons.com
rsc.jabprisons.com
dev.jabprisons.com
am.jabprisons.com
cdn.jabprisons.com
ssl.cf2.jabprisons.com
ame.jabprisons.com
s3.jabprisons.com
test.jabprisons.com
demo.jabprisons.com
p.jabprisons.com
ssl.cf1.jabprisons.com
glb.jabprisons.com
URL liveness probing: none of these hosts are reachable.
2. GitHub dork
worklms.jabprisons.com
3. Google dorks, the Wayback Machine and OneForAll all returned nothing.
4. Burp crawler
- Set the target scope first so that other sites don't get mixed in
- Open the site and click every clickable function point on the page
- Opening the site map shows three domains; after visiting stor.clarke.ctfio.com there was nothing much to click on.
Consolidated list of all subdomains:
chlorine.ctfio.com -- main domain
login.chlorine.ctfio.com
stor.chlorine.ctfio.com
worklms.chlorine.ctfio.com
Path enumeration
ffuf
Fuzz all four domains
1. Start with a small wordlist
https://github.com/TheKingOfDuck/fuzzDicts/blob/master/directoryDicts/Filenames_or_Directories_All.txt
Download: wget https://raw.githubusercontent.com/TheKingOfDuck/fuzzDicts/refs/heads/master/directoryDicts/Filenames_or_Directories_All.txt
ffuf -w Filenames_or_Directories_All.txt -u https://stor.garnet.ctfio.com/FUZZ -mc 403,200,301 -fs 0 -c -t 50 -v -of html -o output.html
stor.bromine.ctfio.com:
https://stor.bromine.ctfio.com/scripts
https://stor.bromine.ctfio.com/style
https://stor.bromine.ctfio.com/var
Recursive scanning then turns up /var/doc, /var/storage and /var/nas
Visiting them yields: an SQL file, a useless zip, and audio files
The SQL file contains a password that could not be decrypted
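The ffuf command above keeps responses by status code and drops only zero-length bodies with -fs 0. A catch-all handler that answers every unknown path with the same non-empty page passes that filter and floods the result list. The following is an added example, not part of the original writeup, showing how a review of an ffuf JSON report (ffuf -of json -o output.json) separates such repeated (status, length) signatures from genuine hits. It assumes ffuf's JSON layout with a top-level "results" list whose entries carry "url", "status", "length" and "input"; the hostnames and the report itself are constructed sample data.

```python
"""Triage an ffuf JSON report: group real hits by status, flag catch-all noise.

Added example, not part of the original writeup. Assumes ffuf's JSON layout
(top-level "results" list with "url", "status", "length", "input" per entry).
The report below is constructed, not real scan output.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: three genuine hits plus four responses that share one
# (status, length) pair, the signature of a catch-all page that -fs 0 alone
# does not filter because its body is not empty.
SAMPLE_FFUF_JSON = json.dumps({
    "commandline": "ffuf -w words.txt -u https://stor.example.test/FUZZ -of json",
    "results": [
        {"input": {"FUZZ": "scripts"}, "status": 301, "length": 169,
         "url": "https://stor.example.test/scripts"},
        {"input": {"FUZZ": "style"}, "status": 301, "length": 167,
         "url": "https://stor.example.test/style"},
        {"input": {"FUZZ": "var"}, "status": 403, "length": 548,
         "url": "https://stor.example.test/var"},
        {"input": {"FUZZ": "alpha"}, "status": 200, "length": 1024,
         "url": "https://stor.example.test/alpha"},
        {"input": {"FUZZ": "beta"}, "status": 200, "length": 1024,
         "url": "https://stor.example.test/beta"},
        {"input": {"FUZZ": "gamma"}, "status": 200, "length": 1024,
         "url": "https://stor.example.test/gamma"},
        {"input": {"FUZZ": "delta"}, "status": 200, "length": 1024,
         "url": "https://stor.example.test/delta"},
    ],
})


def load_results(text):
    """Return the list of result dicts from an ffuf JSON report."""
    return json.loads(text).get("results", [])


def catch_all_signatures(results, min_repeats=3):
    """Return the (status, length) pairs seen at least min_repeats times.

    A wildcard handler answers every unknown path with the same page, so one
    body size recurs across unrelated words. Exact-size matching is a
    heuristic: dynamic pages vary by a few bytes and would need a tolerance.
    """
    counts = Counter((r["status"], r["length"]) for r in results)
    return {sig for sig, n in counts.items() if n >= min_repeats}


def triage(text, min_repeats=3):
    """Split a report into likely-real hits (grouped by status) and noise."""
    results = load_results(text)
    noise = catch_all_signatures(results, min_repeats)
    by_status = defaultdict(list)
    noisy = []
    for r in results:
        if (r["status"], r["length"]) in noise:
            noisy.append(r["url"])
        else:
            by_status[r["status"]].append(r["url"])
    return dict(by_status), noisy


if __name__ == "__main__":
    hits, noise = triage(SAMPLE_FFUF_JSON)
    for status in sorted(hits):
        print(status, hits[status])
    print("probable catch-all responses:", len(noise))
```

Once the repeated signature is known, the same size can be excluded from the next run with ffuf's -fs option, which is what the -fs 0 on the page does for the empty-body case.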
2. Then a larger wordlist
https://github.com/six2dez/OneListForAll/blob/main/onelistforallmicro.txt
stor.bromine.ctfio.com
https://stor.bromine.ctfio.com/var reveals userphoto
Retrieved the photos
https://worklms.garnet.ctfio.com
Found .git
3. Use GitHack to retrieve the final flag
python GitHack.py https://worklms.chlorine.ctfio.com/.git/
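The exposed .git directory on worklms is what ends the lab. On the defending side the fix is to keep repository metadata out of the web root (or deny any path under /.git at the web server), and the probing that precedes a GitHack run is visible in the access log: a burst of requests to /.git/HEAD, /.git/index and /.git/objects/, usually after a wordlist scan that produced a long run of 404s from one address. The following added example, not part of the original writeup, parses Combined Log Format lines (the nginx/Apache default) and raises two alerts: a .git probe, distinguishing "probed but 404" from "served with 200", and a directory brute-force, based on the per-address 404 ratio. The log lines, addresses and thresholds are constructed for the example.

```python
"""Flag .git exposure probing and directory brute-forcing in web access logs.

Added example, not part of the original writeup. Assumes Combined Log Format
lines; the sample lines below are constructed (RFC 5737 test addresses).
"""
import re
from collections import defaultdict

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client pulling repository metadata that the server
# actually serves (200), one client running a wordlist scan, one normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool"
198.51.100.9 - - [10/Mar/2025:12:01:00 +0000] "GET /old HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool"
198.51.100.9 - - [10/Mar/2025:12:01:01 +0000] "GET /var HTTP/1.1" 403 548 "-" "Fuzz Faster U Fool"
198.51.100.9 - - [10/Mar/2025:12:01:01 +0000] "GET /test HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool"
192.0.2.44 - - [10/Mar/2025:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:12:02:03 +0000] "GET /style/main.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, min_requests=5, not_found_ratio=0.6):
    """Return sorted (ip, alert, count) tuples.

    git_exposed: the server answered 200 to a /.git/ path (the real problem).
    git_probed:  /.git/ was requested but never served.
    dir_bruteforce: at least min_requests from one address with a 404 share
                    of not_found_ratio or more. Thresholds are constructed
                    for the sample; tune them to the site's normal traffic.
    """
    per_ip = defaultdict(lambda: {"total": 0, "notfound": 0, "git": 0, "git_served": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 404:
            s["notfound"] += 1
        if rec["path"].startswith("/.git/"):
            s["git"] += 1
            if rec["status"] == 200:
                s["git_served"] += 1
    alerts = []
    for ip, s in per_ip.items():
        if s["git_served"]:
            alerts.append((ip, "git_exposed", s["git_served"]))
        elif s["git"]:
            alerts.append((ip, "git_probed", s["git"]))
        if s["total"] >= min_requests and s["notfound"] / s["total"] >= not_found_ratio:
            alerts.append((ip, "dir_bruteforce", s["notfound"]))
    return sorted(alerts)


if __name__ == "__main__":
    for ip, alert, count in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:16} {alert:15} {count}")
```

A git_exposed alert is the one that needs a deployment fix rather than a block rule: once /.git/index and the object files have been served, the history should be treated as disclosed, including any credentials that were ever committed to it.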