Keep Calm and Hack The Box - Blocky

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them are simulating real world scenarios and some of them lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Blocky is fairly simple overall, and was based on a real-world machine. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system.

We will use the following tools to pwn the box from a Kali Linux machine:

  • nmap
  • nikto
  • gobuster
  • wpscan
  • jd-gui
  • hash-identifier

Let's get started.

I add the blocky.htb entry to the /etc/hosts file

nano /etc/hosts

with

10.10.10.37     blocky.htb

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on this phase to get as much information as you can.

Port scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v blocky.htb

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

blocky.htb: hostname for the Blocky box

If you find the results a bit overwhelming, you can run another command to list only the open ports.

nmap blocky.htb

We can see that there are 3 open ports:

Port 21, File Transfer Protocol (FTP) control (command)

Port 22, Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding

Port 80, most often used by Hypertext Transfer Protocol (HTTP)

Directory scanning

I use Gobuster. Gobuster is a directory scanner written in Go. More info on the tool here. Gobuster uses the wordlists shipped with Kali, which are located in the /usr/share/wordlists directory. I'm using wordlists from dirb and dirbuster, but you can download more wordlists from SecLists here.

I use this command for the dirb common.txt wordlist

gobuster dir -u blocky.htb -w /usr/share/wordlists/dirb/common.txt

We can see that there are WordPress directories (wp-admin, wp-content, wp-includes). There are also a couple of other interesting pages (/phpmyadmin and /plugins).

I use Nikto.

Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software.

More info on the tool here

I use this command to launch the scan

nikto -host blocky.htb

I see a couple of directories that could be interesting (/wp-content/uploads/ and /wp-login.php)

Finally, I use WPScan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

I use this command to launch the scan

wpscan --url blocky.htb -e

We have one username, Notch

Step 2 - Visiting the web page

Let's visit the pages we found during the reconnaissance phase, starting with the main web page. It's a blog about Minecraft - BlockyCraft.

I look at the wiki page. Nothing interesting

I have a look at the /wp-content/uploads page. Nothing interesting

I find the admin panel

as well as the phpMyAdmin panel

I navigate to the /plugins folder and find two jar files.

A JAR is a package file format typically used to aggregate many Java class files and associated metadata and resources into one file for distribution. JAR files are archive files that include a Java-specific manifest file. They are built on the ZIP format and typically have a .jar file extension.

I download both jar files to my Kali box.

I use JD-GUI to decompile the Java files. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. More info on the tool here.

I launch the tool with

jd-gui

And then select the Java class I want to read - BlockyCore.class

I can see a username and a password

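Credentials compiled into a class file, as in BlockyCore.class here, are exactly what a build-time check should catch before a plugin is ever uploaded to a web-accessible /plugins folder. The following script is an added example, not code from the original write-up or from the Blocky plugin: it walks the constant pool of every .class file inside a jar and flags classes whose member names look like credentials next to string literals. The jar it audits is constructed inline (the package name example/, the field names sqlUser and sqlPass and the placeholder password are all assumptions), so it runs offline.

```python
import io
import re
import struct
import zipfile

# Constant-pool tags with a fixed-size payload (bytes after the tag byte).
# CONSTANT_Utf8 (1) is variable-length and CONSTANT_String (8) is tracked separately.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 9: 4, 10: 4, 11: 4,
                 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Member names that suggest a credential is being stored (heuristic).
SECRET_NAME_RE = re.compile(r"pass|pwd|secret|token|api_?key", re.I)


def parse_constant_pool(data: bytes):
    """Return (utf8, literals): utf8 maps pool index -> text for every CONSTANT_Utf8
    entry (names, descriptors, literal text); literals lists the Utf8 entries that
    CONSTANT_String entries point at, i.e. real string literals in the code."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index = 10, 1
    utf8, string_refs = {}, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + modified-UTF-8 bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[index] = data[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of the Utf8 entry it wraps
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            string_refs.append(ref)
        elif tag in CP_FIXED_SIZE:
            pos += CP_FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in (5, 6) else 1  # Long/Double take two pool slots
    return utf8, [utf8.get(ref, "") for ref in string_refs]


def audit_class(data: bytes):
    """Flag a class with credential-like member names sitting next to string literals."""
    utf8, literals = parse_constant_pool(data)
    names = [text for text in utf8.values() if text not in literals]
    return {"secret_names": [n for n in names if SECRET_NAME_RE.search(n)],
            "literals": literals}


def audit_jar(jar_bytes: bytes):
    """One finding per .class file in the jar that looks like it embeds a secret."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class"):
                result = audit_class(jar.read(info))
                if result["secret_names"] and result["literals"]:
                    findings.append({"class": info.filename, **result})
    return findings


# --- constructed sample jar (not the plugin from the box) ----------------------
def _utf8(text: str) -> bytes:
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw


def _ref(tag: int, index: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", index)


def build_sample_jar() -> bytes:
    """Minimal class with two string fields, mimicking a hard-coded DB credential."""
    pool = [
        _utf8("sqlUser"),                       # 1  field name
        _utf8("sqlPass"),                       # 2  field name
        _utf8("Ljava/lang/String;"),            # 3  descriptor
        _utf8("root"),                          # 4
        _ref(8, 4),                             # 5  String -> "root"
        _utf8("example-placeholder-password"),  # 6  constructed placeholder
        _ref(8, 6),                             # 7  String -> placeholder
        _utf8("example/BlockyCore"),            # 8
        _ref(7, 8),                             # 9  Class -> this
        _utf8("java/lang/Object"),              # 10
        _ref(7, 10),                            # 11 Class -> super
    ]
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(pool) + 1)
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0021, 9, 11, 0, 0, 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/BlockyCore.class", header + b"".join(pool) + tail)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_jar(build_sample_jar()):
        print(finding["class"], "->", finding["secret_names"], finding["literals"])
```

The heuristic is deliberately loose: it surfaces classes to review rather than proving that a literal is a live password, which is the right trade-off for a CI gate on built artifacts. Against a real plugin jar the same call works unchanged (`audit_jar(open(path, "rb").read())`), and anything it flags should be moved out of the binary into configuration that is not served from the web root.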

I navigate back to phpMyAdmin and enter the credentials I just found. I have access to the database

I have a look at the wp_users table in the wordpress database to see if I can get more information about the users of the blog.

The SQL query

SELECT * FROM `wp_users`

which can be read as "select all the users from the table wp_users", only gives us one result: Notch.

I use hash-identifier to identify the possible hash type. Hash-identifier is a tool that identifies the different types of hashes used to protect data, especially passwords. You can find more information here.

I launch hash-identifier with the following command:

hash-identifier

and copy/paste the hashed password I got earlier:

We see the hash is most likely an MD5 (WordPress) hash.

Step 3 - Using port 22

I'm back in my terminal and connect using SSH.

The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption. It is a secure alternative to the non-protected login protocols (such as telnet, rlogin) and insecure file transfer methods (such as FTP).

More info here on the SSH Protocol

I use the following command

ssh notch@10.10.10.37

and I enter the password I found on the BlockyCore.class file earlier

Step 4 - Looking for the user.txt flag

I'm now connected as Notch. I list all the folders and files.

I find the user.txt file!

To read the content of the file I use the command

cat user.txt

Now that we have the user flag, let's find the root flag!

Step 5 - Performing Privilege Escalation

I check the current user's sudo access.

sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as older versions of sudo were designed to run commands only as the superuser.

More info on sudo here

I list the user's privileges with this command

sudo -l

I use the same password I found previously.

I can see that Notch has unlimited privileges and can run any command on the system. I check the id. The id command in Linux is used to find out the user and group names and numeric IDs of the current user or any other user on the server.

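An unrestricted sudo grant for an ordinary account like Notch is something a configuration review can catch long before anyone runs `sudo -l` on the box. The following script is an added example, not part of the original write-up: it parses user-specification lines in sudoers format and reports grants that allow any command, or that skip password authentication. The sudoers content is a constructed sample (the notch line is modelled on the unlimited grant described above; the other entries are assumptions).

```python
import re

# Constructed sample sudoers file (not taken from the Blocky box).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
notch   ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart nginx
"""

# user_or_%group  hosts = (runas) [TAG:] command, command ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")


def parse_sudoers(text: str):
    """Parse user-specification lines into dicts; skips comments, Defaults and aliases."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        cmds = match.group("cmds")
        tags = TAG_RE.findall(cmds)          # e.g. ["NOPASSWD"]
        cmds = TAG_RE.sub("", cmds)          # strip the tags, keep the command list
        rules.append({
            "who": match.group("who"),
            "hosts": match.group("hosts"),
            "runas": match.group("runas") or "root",  # sudo's default when (...) is omitted
            "tags": tags,
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules


def audit_sudoers(text: str):
    """Return (who, severity, reason) for grants equal to full root or without a password."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue  # root already has everything; nothing to escalate
        if "ALL" in rule["commands"]:
            findings.append((rule["who"], "CRITICAL",
                             f"can run any command as ({rule['runas']})"))
        if "NOPASSWD" in rule["tags"]:
            findings.append((rule["who"], "WARNING",
                             "NOPASSWD on " + ", ".join(rule["commands"])))
    return findings


if __name__ == "__main__":
    for who, severity, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:8} {who:10} {reason}")
```

On a live system the same function can be pointed at `/etc/sudoers` and each file under `/etc/sudoers.d/` (read as root, since those files are mode 0440). A CRITICAL finding for a service or personal account is the configuration-side view of the escalation in this step: with `ALL` and a reused password, `sudo su` is all it takes, so the fix is to grant only the specific commands the account needs.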

I escalate to root using this command

sudo su

Step 6 - Looking for the root.txt flag

I am now a root user and can navigate to the root folder

I find the root.txt file!

To read the content of the file I use the command

cat root.txt

Congrats! You found both flags!

Please don’t hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-blocky/
