PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 01-18-22 08:22AM 258 dev.txt
| 01-18-22 08:30AM 54784 rainbow.exe
| 01-16-22 01:34PM 479 restart.ps1
|_01-16-22 12:14PM <DIR> wwwroot
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: RAINBOW
| NetBIOS_Domain_Name: RAINBOW
| NetBIOS_Computer_Name: RAINBOW
| DNS_Domain_Name: rainbow
| DNS_Computer_Name: rainbow
| Product_Version: 10.0.17763
|_ System_Time: 2025-11-01T12:27:17+00:00
| ssl-cert: Subject: commonName=rainbow
| Not valid before: 2025-10-31T12:17:02
|_Not valid after: 2026-05-02T12:17:02
|_ssl-date: 2025-11-01T12:27:58+00:00; +2s from scanner time.
8080/tcp open http-proxy
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Cache-Control: no-cache, private
| Content-Type: text/html
| X-Powered-By: Rainbow 0.1
| Content-Length: 1478
| <!DOCTYPE html>
| <html lang="en" xmlns="http://www.w3.org/1999/xhtml">
| <head>
| <meta charset="utf-8" />
| <title>Dev Wiki powered by Rainbow Webserver</title>
| <style>
| .rainbow {
| font-size: 24pt;
| background-image: linear-gradient(to left, violet, indigo, blue, green, yellow, orange, red); -webkit-background-clip: text;
| color: transparent;
| body {
| display: flex;
| justify-content: center;
| align-items: center;
| text-align: center;
| min-height: 100vh;
| </style>
| </head>
| <body>
| <!--
| Under Development, please come back later -->
| <pre class="rainbow">
| _.--'_......----........
| _,i,,-'' __,,...........___
|_ ,;-' _.--'' ___,,...
|_http-title: Dev Wiki powered by Rainbow Webserver
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.95%I=7%D=11/1%Time=6905FC03%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,646,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20no-cache,\x20
SF:private\r\nContent-Type:\x20text/html\r\nX-Powered-By:\x20Rainbow\x200\
SF:.1\r\nContent-Length:\x201478\r\n\r\n\xef\xbb\xbf<!DOCTYPE\x20html>\n\n
SF:<html\x20lang=\"en\"\x20xmlns=\"http://www\.w3\.org/1999/xhtml\">\n<hea
SF:d>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20\x20\x20\x20<
SF:title>Dev\x20Wiki\x20powered\x20by\x20Rainbow\x20Webserver</title>\n\x2
SF:0\x20\x20\x20<style>\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:.rainbow\x20{\n\t\tfont-size:\x2024pt;\n\t\tbackground-image:\x20linear
SF:-gradient\(to\x20left,\x20violet,\x20indigo,\x20blue,\x20green,\x20yell
SF:ow,\x20orange,\x20red\);\x20\x20\x20-webkit-background-clip:\x20text;\n
SF:\x20\t\tcolor:\x20transparent;\n\t}\n\tbody\x20{\n\x20\x20\t\tdisplay:\
SF:x20flex;\n\x20\x20\t\tjustify-content:\x20center;\n\x20\t\t\x20align-it
SF:ems:\x20center;\n\x20\x20\t\ttext-align:\x20center;\n\x20\x20\t\tmin-he
SF:ight:\x20100vh;\n\t}\n\x20\x20\x20\x20</style>\n</head>\n<body>\n\x20\x
SF:20\x20\x20<!--\x20\xf0\x9f\x8c\x88\x20Under\x20Development,\x20please\x
SF:20come\x20back\x20later\x20-->\n\n\n\x20\x20\x20\x20\x20<pre\x20class=\
SF:"rainbow\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\.--'_\.\.\.\.\.\.--
SF:--\.\.\.\.\.\.\.\.\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_,i,,-''\x20__,,\.\.\.\.\.
SF:\.\.\.\.\.\.___\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20,;-'\x20_\.--''\x20\x20\x20\x20___,,\
SF:.\.\.")%r(HTTPOptions,646,"HTTP/1\.1\x20200\x20OK\r\nCache-Control:\x20
SF:no-cache,\x20private\r\nContent-Type:\x20text/html\r\nX-Powered-By:\x20
SF:Rainbow\x200\.1\r\nContent-Length:\x201478\r\n\r\n\xef\xbb\xbf<!DOCTYPE
SF:\x20html>\n\n<html\x20lang=\"en\"\x20xmlns=\"http://www\.w3\.org/1999/x
SF:html\">\n<head>\n\x20\x20\x20\x20<meta\x20charset=\"utf-8\"\x20/>\n\x20
SF:\x20\x20\x20<title>Dev\x20Wiki\x20powered\x20by\x20Rainbow\x20Webserver
SF:</title>\n\x20\x20\x20\x20<style>\x20\x20\x20\x20\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20\.rainbow\x20{\n\t\tfont-size:\x2024pt;\n\t\tbackground-ima
SF:ge:\x20linear-gradient\(to\x20left,\x20violet,\x20indigo,\x20blue,\x20g
SF:reen,\x20yellow,\x20orange,\x20red\);\x20\x20\x20-webkit-background-cli
SF:p:\x20text;\n\x20\t\tcolor:\x20transparent;\n\t}\n\tbody\x20{\n\x20\x20
SF:\t\tdisplay:\x20flex;\n\x20\x20\t\tjustify-content:\x20center;\n\x20\t\
SF:t\x20align-items:\x20center;\n\x20\x20\t\ttext-align:\x20center;\n\x20\
SF:x20\t\tmin-height:\x20100vh;\n\t}\n\x20\x20\x20\x20</style>\n</head>\n<
SF:body>\n\x20\x20\x20\x20<!--\x20\xf0\x9f\x8c\x88\x20Under\x20Development
SF:,\x20please\x20come\x20back\x20later\x20-->\n\n\n\x20\x20\x20\x20\x20<p
SF:re\x20class=\"rainbow\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\.--'_\
SF:.\.\.\.\.\.----\.\.\.\.\.\.\.\.\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_,i,,-''\x20_
SF:_,,\.\.\.\.\.\.\.\.\.\.\.___\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20,;-'\x20_\.--''\x20\x20\
SF:x20\x20___,,\.\.\.");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-11-01T12:27:20
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 220.55 seconds
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# ftp 10.129.234.171
Connected to 10.129.234.171.
220 Microsoft FTP Service
Name (10.129.234.171:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50101|)
150 Opening ASCII mode data connection.
01-18-22 08:22AM 258 dev.txt
01-18-22 08:30AM 54784 rainbow.exe
01-16-22 01:34PM 479 restart.ps1
01-16-22 12:14PM <DIR> wwwroot
226 Transfer complete.
ftp> get dev.txt
local: dev.txt remote: dev.txt
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************| 258 2.87 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 5 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
258 bytes received in 00:00 (2.86 KiB/s)
ftp> get restart.ps1
local: restart.ps1 remote: restart.ps1
229 Entering Extended Passive Mode (|||50103|)
150 Opening ASCII mode data connection.
100% |***************************************************************************| 479 6.43 KiB/s 00:00 ETA
226 Transfer complete.
479 bytes received in 00:00 (6.36 KiB/s)
ftp> cd wwwroot
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50105|)
125 Data connection already open; Transfer starting.
01-16-22 11:48AM 1523 index.html
226 Transfer complete.
ftp> get index.html
local: index.html remote: index.html
229 Entering Extended Passive Mode (|||50107|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************| 1523 13.87 KiB/s 00:00 ETA
226 Transfer complete.
1523 bytes received in 00:00 (13.84 KiB/s)
ftp> exit
221 Goodbye
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# cat dev.txt
* Our webserver has been crashing a lot lately. Instead of touching the code we added a restart script!
* The server will dynamically pick a port when its default port is unresponsive (8080-8090).
* We'll fix this later by adding load balancer.
- dev team
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# cat restart.ps1
Set-Location -Path c:\rainbow
for(;;){
    try{
        If (!(Get-Process -Name rainbow -ErrorAction SilentlyContinue))
            {Invoke-Expression "C:\rainbow\rainbow.exe" }
        $proc = Get-Process -Name rainbow | Sort-Object -Property ProcessName -Unique -ErrorAction SilentlyContinue
        If (!$proc -or ($proc.Responding -eq $false) -or ($proc.WorkingSet -GT 200000*1024)) {
            $proc.Kill()
            Start-Sleep -s 10
            Invoke-Expression "C:\rainbow\rainbow.exe"}
    }
    catch { }
    Start-sleep -s 30
}
- The developers say the site crashes often, so instead of fixing the code they added a PowerShell restart script (restart.ps1 above). According to dev.txt, when its default port stops responding the server picks a new port in the 8080-8090 range, so the Rainbow instance you are talking to can move to a different port after every crash.
- The script loops forever: if no process named rainbow exists it launches C:\rainbow\rainbow.exe; it also kills and relaunches the process when it stops responding or when its working set exceeds 200000*1024 bytes (about 195 MiB). Because the loop only checks every 30 seconds, a crashed server can stay down for up to 30 seconds before it is brought back.
- Port 80 is the stock IIS default page.
- Port 8080 is not IIS: the response carries `X-Powered-By: Rainbow 0.1` and the title "Dev Wiki powered by Rainbow Webserver", so this is the custom server whose binary (rainbow.exe) is sitting on the anonymous FTP share.
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# dirsearch -u http://10.129.234.171/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Rainbow/reports/http_10.129.234.171/__25-11-01_08-38-54.txt
Target: http://10.129.234.171/
[08:38:54] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# dirsearch -u http://10.129.234.171:8080/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/htb/Rainbow/reports/http_10.129.234.171_8080/__25-11-01_08-40-03.txt
Target: http://10.129.234.171:8080/
[08:40:03] Starting:
Task Completed
┌──(root㉿kali)-[~/Desktop/htb/Rainbow]
└─# nxc smb 10.129.234.171 -u guest -p '' --shares
SMB 10.129.234.171 445 RAINBOW [*] Windows 10 / Server 2019 Build 17763 x64 (name:RAINBOW) (domain:rainbow) (signing:False) (SMBv1:None)
SMB 10.129.234.171 445 RAINBOW [-] rainbow\guest: STATUS_ACCOUNT_DISABLED
PS: At this point I could not get any further, because the exploitation that follows needs a lot of binary work, which is not something I am good at.
The rest of this writeup follows 0xdf's writeup.