Json
1. User
1.1. Recon
1.1.1. PortScan
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nmap 10.129.227.191 -p- --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-12 09:07 EST
Warning: 10.129.227.191 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.227.191
Host is up (0.090s latency).
Not shown: 65495 closed tcp ports (reset), 26 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 18.46 seconds
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nmap 10.129.227.191 -p21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,49158 -sCV -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-12 09:09 EST
Nmap scan report for 10.129.227.191
Host is up (0.065s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd 0.9.60 beta
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Microsoft IIS httpd 8.5
|_http-title: Json HTB
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows 2012
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
OS details: Microsoft Windows Server 2012 or 2012 R2
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: JSON, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b9:a7:29 (VMware)
| smb2-time:
| date: 2025-12-12T14:10:40
|_ start_date: 2025-12-12T14:06:21
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
|_clock-skew: mean: 2s, deviation: 0s, median: 1s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.64 seconds
1.1.2. FTP
The FTP service is FileZilla Server. Its known vulnerabilities appear to be all DoS bugs, so it is of little value here.
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# ftp 10.129.227.191
Connected to 10.129.227.191.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.129.227.191:root): anonymous
331 Password required for anonymous
Password:
530 Login or password incorrect!
ftp: Login failed
ftp> ls
530 Please log in with USER and PASS first.
530 Please log in with USER and PASS first.
ftp: Can't bind for data connection: Address already in use
ftp> exit
221 Goodbye
Anonymous login is not allowed.
1.1.3. domain
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nxc smb 10.129.227.191 -u '' -p '' --generate-hosts-file hosts
SMB 10.129.227.191 445 JSON [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:JSON) (domain:json) (signing:False) (SMBv1:True)
SMB 10.129.227.191 445 JSON [-] json\: STATUS_ACCESS_DENIED
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# cat hosts
10.129.227.191 JSON.json JSON
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# cat hosts >> /etc/hosts
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nxc smb 10.129.227.191 -u '' -p '' --generate-krb5-file /etc/krb5.conf
SMB 10.129.227.191 445 JSON [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:JSON) (domain:json) (signing:False) (SMBv1:True)
SMB 10.129.227.191 445 JSON [-] json\: STATUS_ACCESS_DENIED
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# cat /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = RETRO.VL
[realms]
RETRO.VL = {
kdc = dc.retro.vl
admin_server = dc.retro.vl
default_domain = retro.vl
}
[domain_realm]
.retro.vl = RETRO.VL
retro.vl = RETRO.VL
1.1.4. SMB
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# smbmap -H 10.129.227.191
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [|] Checking for open ports... [*] Detected 1 hosts serving SMB
[/] Initializing hosts... [-] Authenticating... [\] Authenticating... [|] Authenticating... [/] Authenticating... [-] Authenticating... [\] Authenticating... [|] Authenticating... [/] Authenticating... [-] Authenticating... [*] Established 1 SMB connections(s) and 0 authenticated session(s)
[\] Enumerating shares... [|] Enumerating shares... [!] Something weird happened on (10.129.227.191) Error occurs while reading from remote(104) on line 1015
[/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nxc smb 10.129.227.191 -u '' -p '' --shares
SMB 10.129.227.191 445 JSON [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:JSON) (domain:json) (signing:False) (SMBv1:True)
SMB 10.129.227.191 445 JSON [-] json\: STATUS_ACCESS_DENIED
SMB 10.129.227.191 445 JSON [-] Error enumerating shares: Error occurs while reading from remote(104)
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# nxc smb 10.129.227.191 -u 'guest' -p '' --shares
SMB 10.129.227.191 445 JSON [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:JSON) (domain:json) (signing:False) (SMBv1:True)
SMB 10.129.227.191 445 JSON [-] json\guest: STATUS_ACCOUNT_DISABLED
No anonymous access here either.
1.2. web
1.2.1. vhost
Check for subdomains (virtual hosts).
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://json.json/ -H "Host: FUZZ.json.json" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://json.json/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.json.json
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [4989/4989] :: Job [1/1] :: 335 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
None found.
1.2.2. dirsearch
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# dirsearch -u http://10.129.227.191 -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/json/reports/http_10.129.227.191/_25-12-12_09-21-39.txt
Target: http://10.129.227.191/
[09:21:39] Starting:
[09:21:40] 301 - 148B - /js -> http://10.129.227.191/js/
[09:22:11] 301 - 149B - /css -> http://10.129.227.191/css/
[09:22:13] 400 - 4KB - /docpicker/internal_proxy/https/127.0.0.1:9043/ibm/console
[09:22:15] 301 - 151B - /files -> http://10.129.227.191/files/
[09:22:18] 301 - 149B - /img -> http://10.129.227.191/img/
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/disable
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[09:22:22] 400 - 4KB - /jolokia/read/java.lang:type=*/HeapMemoryUsage
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[09:22:22] 400 - 4KB - /jolokia/exec/java.lang:type=Memory/gc
[09:22:22] 400 - 4KB - /jolokia/read/java.lang:type=Memory/HeapMemoryUsage/used
[09:22:22] 400 - 4KB - /jolokia/search/*:j2eeType=J2EEServer,*
[09:22:22] 400 - 4KB - /jolokia/write/java.lang:type=Memory/Verbose/true
[09:22:22] 400 - 4KB - /jolokia/exec/com.sun.management:type=DiagnosticCommand/vmSystemProperties
[09:22:24] 200 - 4KB - /login.html
[09:22:48] 301 - 151B - /views -> http://10.129.227.191/views/
Task Completed
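1.2.3. JS deobfuscation
When I browsed to the site, I noticed that it first displays an admin dashboard page
and then redirects to the login form.
To look at the traffic, I turned on request interception, but the page still redirected to the login form almost immediately. The redirect is therefore most likely controlled by the front end.
So I mirrored the site locally: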
┌──(root㉿kali)-[~/Desktop/htb/json]
└─# wget --mirror http://10.129.227.191 -nv
2025-12-12 09:43:27 URL:http://10.129.227.191/ [40163/40163] -> "10.129.227.191/index.html" [1]
http://10.129.227.191/robots.txt:
2025-12-12 09:43:27 ERROR 404: Not Found.
http://10.129.227.191/vendor/fontawesome-free/css/all.min.css:
2025-12-12 09:43:27 ERROR 404: Not Found.
2025-12-12 09:43:28 URL:http://10.129.227.191/css/sb-admin-2.min.css [197979/197979] -> "10.129.227.191/css/sb-admin-2.min.css" [1]
2025-12-12 09:43:28 URL:http://10.129.227.191/img/interface.png [1460/1460] -> "10.129.227.191/img/interface.png" [1]
http://10.129.227.191/buttons.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
http://10.129.227.191/cards.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
http://10.129.227.191/utilities-color.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
http://10.129.227.191/utilities-border.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
http://10.129.227.191/utilities-animation.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
http://10.129.227.191/utilities-other.html:
2025-12-12 09:43:28 ERROR 404: Not Found.
2025-12-12 09:43:28 URL:http://10.129.227.191/login.html [4305/4305] -> "10.129.227.191/login.html" [1]
http://10.129.227.191/register.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/forgot-password.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/404.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/blank.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/charts.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/tables.html:
2025-12-12 09:43:29 ERROR 404: Not Found.
2025-12-12 09:43:29 URL:http://10.129.227.191/img/user.png [926/926] -> "10.129.227.191/img/user.png" [1]
2025-12-12 09:43:29 URL:http://10.129.227.191/img/undraw_posting_photo.svg [37285/37285] -> "10.129.227.191/img/undraw_posting_photo.svg" [1]
http://10.129.227.191/vendor/jquery/jquery.min.js:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/vendor/bootstrap/js/bootstrap.bundle.min.js:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/vendor/jquery-easing/jquery.easing.min.js:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/js/sb-admin-2.min.js:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/vendor/chart.js/Chart.min.js:
2025-12-12 09:43:29 ERROR 404: Not Found.
http://10.129.227.191/js/demo/chart-area-demo.js:
2025-12-12 09:43:30 ERROR 404: Not Found.
http://10.129.227.191/js/demo/chart-pie-demo.js:
2025-12-12 09:43:30 ERROR 404: Not Found.
2025-12-12 09:43:30 URL:http://10.129.227.191/js/angular.min.js [176592/176592] -> "10.129.227.191/js/angular.min.js" [1]
2025-12-12 09:43:30 URL:http://10.129.227.191/js/angular-cookies.js [12990/12990] -> "10.129.227.191/js/angular-cookies.js" [1]
2025-12-12 09:43:30 URL:http://10.129.227.191/js/app.min.js [2357/2357] -> "10.129.227.191/js/app.min.js" [1]
2025-12-12 09:43:30 URL:http://10.129.227.191/css/sb-admin-2.css [243258/243258] -> "10.129.227.191/css/sb-admin-2.css" [1]
2025-12-12 09:43:30 URL:http://10.129.227.191/img/Hack-The-Box-logo.png [69792/69792] -> "10.129.227.191/img/Hack-The-Box-logo.png" [1]
FINISHED --2025-12-12 09:43:30--
Total wall clock time: 3.3s
Downloaded: 11 files, 769K in 0.6s (1.16 MB/s)
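Opening index.html from the mirrored copy then shows the page.
At the bottom of the page there is a note mentioning SB Admin 2. Combined with the site's styling, this looks like it might be a CMS.
Searching for the keyword SB Admin 2 shows that it is a template: SB Admin 2 is an open-source admin template based on Bootstrap 4, widely used to build the user interface of admin back ends.
Looking at the JS files, app.min.js turns out to be obfuscated, which is suspicious.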
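The dashboard being delivered before the redirect to the login form means the login gate runs only in the browser. The following added example (not code from the target application or from this write-up; the handler names, the `sid` cookie and the session store are hypothetical) contrasts that pattern with a server-side check and includes an audit function that tells the two apart:

```javascript
// Added example: client-side-only login gate vs. server-side enforcement.
// All names (SESSIONS, the "sid" cookie, the handlers) are hypothetical.
const DASHBOARD =
  '<html><body><h1>Dashboard</h1><script src="/js/app.min.js"></script></body></html>';
const SESSIONS = new Set(['constructed-session-id']); // constructed sample session store

// Parse a Cookie header into a prototype-less map.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Weak: always returns the protected markup and relies on a script in the
// page to redirect visitors who are not logged in. Any client that does not
// run the script (a mirroring tool, for instance) still receives the page.
function weakHandler(req) {
  return { status: 200, headers: {}, body: DASHBOARD };
}

// Hardened: the session is validated before any protected byte is sent.
function hardenedHandler(req) {
  const sid = parseCookies(req.headers.cookie).sid;
  if (!sid || !SESSIONS.has(sid)) {
    return { status: 302, headers: { location: '/login.html' }, body: '' };
  }
  return { status: 200, headers: { 'cache-control': 'no-store' }, body: DASHBOARD };
}

// Audit check: request the protected route without credentials and report
// whether the server itself refused it.
function auditGate(handler, marker = 'Dashboard') {
  const res = handler({ method: 'GET', url: '/index.html', headers: {} });
  const refused = [301, 302, 303, 307, 308, 401, 403].includes(res.status);
  const leaked = res.body.includes(marker);
  if (refused && !leaked) return 'server-enforced';
  return leaked ? 'client-side-only' : 'inconclusive';
}

console.log(auditGate(weakHandler), auditGate(hardenedHandler));
```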



