Notes Site.
post @ 2025-12-31

External Testing

Information Gathering

nmap

$ nmap --open -oA nmap_1k trilocor.local

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-16 01:11 EST
Nmap scan report for trilocor.local (10.129.170.212)
Host is up (0.30s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
7777/tcp open cbt

Nmap done: 1 IP address (1 host up) scanned in 4.37 seconds
# Nmap 7.94SVN scan initiated Thu Jan 16 02:02:25 2025 as: /usr/lib/nmap/nmap --privileged --open -p- -A -oA nmap_all trilocor.local
Nmap scan report for trilocor.local (10.129.170.213)
Host is up (0.41s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: WEB-NIX01, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open domain (unknown banner: ISC BIND 9 (Ubuntu Linux))
| dns-nsid:
|_ bind.version: ISC BIND 9 (Ubuntu Linux)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ BIND 9 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Trilocor – A cutting edge robotics company!
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.3
110/tcp open pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after: 2032-07-31T08:24:29
|_pop3-capabilities: SASL STLS AUTH-RESP-CODE UIDL RESP-CODES CAPA PIPELINING TOP
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after: 2032-07-31T08:24:29
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after: 2032-07-31T08:24:29
995/tcp open ssl/pop3 Dovecot pop3d
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Not valid before: 2022-08-03T08:24:29
|_Not valid after: 2032-07-31T08:24:29
7777/tcp open http Werkzeug httpd 2.2.1 (Python 3.8.10)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/2.2.1 Python/3.8.10
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94SVN%I=7%D=1/16%Time=6788AF58%P=aarch64-unknown-linux-g
SF:nu%r(DNSVersionBindReqTCP,46,"\0D\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07ve
SF:rsion\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x1a\x19ISC\x2
SF:0BIND\x209\x20\(Ubuntu\x20Linux\)");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/16%OT=21%CT=1%CU=35304%PV=Y%DS=2%DC=T%G=Y%TM=6788
OS:AFE6%P=aarch64-unknown-linux-gnu)SEQ(TI=Z%CI=Z%II=I%TS=9)SEQ(SP=FE%GCD=1
OS:%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=FE%GCD=1%ISR=107%TI=Z%CI=Z%TS=A)OPS(
OS:O1=M53AST11NW7%O2=M53AST11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11
OS:NW7%O6=M53AST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=N)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: WEB-NIX01; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 524.50 ms 10.10.16.1
2 524.51 ms trilocor.local (10.129.170.213)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 16 02:06:14 2025 -- 1 IP address (1 host up) scanned in 229.28 seconds

Subdomain

trilocor.local
www.trilocor.local
blog.trilocor.local
careers.trilocor.local
dev.trilocor.local
portal.trilocor.local
pr.trilocor.local
remote.trilocor.local
store.trilocor.local
osticketapp.trilocor.local


dig

$ dig axfr trilocor.local @10.129.170.214

; <<>> DiG 9.20.4-2-Debian <<>> axfr trilocor.local @10.129.170.214
;; global options: +cmd
trilocor.local. 86400 IN SOA ns1.trilocor.local. dnsadmin.trilocor.local. 21 604800 86400 2419200 86400
trilocor.local. 86400 IN NS trilocor.local.
trilocor.local. 86400 IN A 127.0.0.1
blog.trilocor.local. 86400 IN A 127.0.0.1
careers.trilocor.local. 86400 IN A 127.0.0.1
dev.trilocor.local. 86400 IN A 127.0.0.1
portal.trilocor.local. 86400 IN A 127.0.0.1
pr.trilocor.local. 86400 IN A 127.0.0.1
remote.trilocor.local. 86400 IN A 127.0.0.1
store.trilocor.local. 86400 IN A 127.0.0.1
trilocor.local. 86400 IN SOA ns1.trilocor.local. dnsadmin.trilocor.local. 21 604800 86400 2419200 86400
;; Query time: 755 msec
;; SERVER: 10.129.170.214#53(10.129.170.214) (TCP)
;; WHEN: Thu Jan 16 02:21:38 EST 2025
;; XFR size: 11 records (messages 1, bytes 338)

ffuf

post @ 2025-09-01

Hello Ethernaut

Look at this contract's info function, contract.info(); if you are using Chrome v62 you can use await contract.info(). You should already have found what you need to pass the level inside the contract. Once you know you have completed the level, submit the contract with the orange button on this page. That sends your instance back to ethernaut, which then judges whether you completed the task.

Solution

await contract.info()
'You will find what you need in info1().'
await contract.info1()
'Try info2(), but with "hello" as a parameter.'
await contract.info2("hello")
'The property infoNum holds the number of the next info method to call.'
await contract.infoNum()
i {negative: 0, words: (2) [42, empty], length: 1, red: null} // BN.js big number: words[0] = 42, so the next method is info42()
await contract.info42()
'theMethodName is the name of the next method.'
await contract.theMethodName()
'The method name is method7123949.'
await contract.method7123949()
'If you know the password, submit it to authenticate().'
await contract.password()
'ethernaut0'
await contract.authenticate('ethernaut0') // checks the credential and sends an on-chain transaction
{tx: '0x62719934031a6ca365b6666f0e011ce0d28ee8ee5b93980bc7f480fdf6ea6ad5', receipt: {…}, logs: Array(0)}
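As an added example (not code from the original notes), the hint chain above replayed offline against a constructed mock of the level contract: the walker picks the next method out of each reply, passes the quoted argument where one is named, and turns the BN.js-style infoNum value into info42() the way the transcript does by hand. The mock's shape (async methods, a {negative, words, length, red} number object, a tx/receipt/logs result) is assumed from the console output, not taken from Ethernaut's own code.

```javascript
// Constructed mock of the "Hello Ethernaut" level contract: same method names
// and hint strings as the console transcript; the infoNum result mirrors the
// BN.js object the console printed. Assumed shape, not the real Ethernaut artifact.
const mockContract = {
  info: async () => 'You will find what you need in info1().',
  info1: async () => 'Try info2(), but with "hello" as a parameter.',
  info2: async (s) => (s === 'hello'
    ? 'The property infoNum holds the number of the next info method to call.'
    : 'Wrong parameter.'),
  infoNum: async () => ({ negative: 0, words: [42], length: 1, red: null,
                          toNumber() { return this.words[0]; } }),
  info42: async () => 'theMethodName is the name of the next method.',
  theMethodName: async () => 'The method name is method7123949.',
  method7123949: async () => 'If you know the password, submit it to authenticate().',
  password: async () => 'ethernaut0',
  // Placeholder tx hash (constructed), shaped like the truffle-contract result.
  authenticate: async (p) => ({ tx: '0x' + '00'.repeat(32),
                                receipt: { ok: p === 'ethernaut0' }, logs: [] }),
};

// Follow the hint chain: each reply names the next method (the first word that is
// one of the contract's own functions), sometimes with a quoted argument; a BN.js
// style number selects info<N>(); a reply naming no method is the password itself.
async function walkLevel(contract, maxSteps = 20) {
  const trail = ['info'];
  let reply = await contract.info();
  for (let i = 0; i < maxSteps; i++) {        // bounded: never trust a contract to terminate
    if (typeof reply !== 'string') {          // BN.js object from infoNum()
      const next = `info${reply.toNumber()}`;
      reply = await contract[next]();
      trail.push(next);
      continue;
    }
    const next = (reply.match(/\w+/g) || []).find(
      (w) => Object.prototype.hasOwnProperty.call(contract, w) && typeof contract[w] === 'function');
    if (!next) break;                         // no method named: reply is the password
    const arg = /with "([^"]+)"/.exec(reply);
    reply = arg ? await contract[next](arg[1]) : await contract[next]();
    trail.push(next);
  }
  const result = await contract.authenticate(reply);
  return { trail, password: reply, authenticated: result.receipt.ok };
}

walkLevel(mockContract).then((r) =>
  console.log(r.trail.join(' -> '), r.password, r.authenticated));
```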

Memo

Transaction object

The transaction object that ethers.js / web3.js return after calling a contract function that writes to the chain:

{tx: '0x62719934031a6ca365b6666f0e011ce0d28ee8ee5b93980bc7f480fdf6ea6ad5', receipt: {…}, logs: Array(0)}
/*
tx → transaction hash
receipt → transaction receipt
logs → contract events
*/

The details of transaction 0x62719934031a6ca365b6666f0e011ce0d28ee8ee5b93980bc7f480fdf6ea6ad5 can be looked up on Etherscan.

