Keep Calm and Hack The Box - Legacy
Hack The Box (HTB) is an online platform that lets you test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.
Note. Only write-ups of retired HTB machines are allowed.
Legacy is the second machine published on Hack The Box and is for beginners, requiring only one exploit to obtain root access.
We will use the following tools to pwn the box from a Kali Linux box.
Step 1 - Scanning the network
The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.
This is one of the most important parts, as it determines what you can try to exploit afterwards. It is always better to spend more time on this phase and gather as much information as you can.
I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.
I use the following command to get a basic idea of what we are scanning:
nmap -sV -O -F --version-light 10.10.10.4
-sV: Probe open ports to determine service/version info
-O: Enable OS detection
-F: Fast mode - Scan fewer ports than the default scan
--version-light: Limit to most likely probes (intensity 2)
10.10.10.4: IP address of the Legacy box
You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.
I use almost the same set of flags to run Zenmap's "Quick scan plus" profile. The only difference is the addition of the flag -T4:
nmap -sV -T4 -O -F --version-light 10.10.10.4
-T4: Faster execution (timing template 4, "aggressive")
If you find the results a little overwhelming, you can move to the Ports/Hosts tab to see only the open ports.
We can see that there are 2 open ports:
Port 139. NetBIOS Session Service
Port 445. Microsoft-DS (Directory Services) SMB file sharing
Let's do some research to see what we can find.
Step 2 - Understanding the exploitable vulnerability MS08-067
Still in Zenmap, we look for any known vulnerabilities.
I use the following command:
nmap -p 445 --script vuln 10.10.10.4
-p: Set destination port(s)
445: The open port we discovered earlier
--script vuln: Run the NSE scripts in the vuln category, which check for specific known vulnerabilities and generally only report results if they are found
10.10.10.4: IP address of the Legacy box
We can see that there is a vulnerability, smb-vuln-ms08-067, which means the Microsoft Windows system is vulnerable to remote code execution.
This is the CVE for MS08-067.
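As an added example (not code from the original post), here is a small Python script that reads the XML report the Step 1 and Step 2 scans would produce with Nmap's -oX option, keeps only the ports that are actually open, and flags the NSE scripts whose result state is VULNERABLE. The embedded XML is a constructed sample in Nmap's output shape, not real output from the box, and the table keys are placeholders rather than the real vulnerability ids.

```python
# Added example (not from the original post): summarise an Nmap -oX XML report,
# listing only open ports (Step 1) and NSE scripts that report VULNERABLE (Step 2).
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes; not real output from the box.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -F --version-light 10.10.10.4">
 <host><status state="up"/><address addr="10.10.10.4" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="139"><state state="open"/>
    <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
   <port protocol="tcp" portid="445"><state state="open"/>
    <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
   <port protocol="tcp" portid="135"><state state="filtered"/><service name="msrpc"/></port>
  </ports>
  <hostscript>
   <script id="smb-vuln-ms08-067" output="VULNERABLE">
    <table key="VULN-ID-PLACEHOLDER"><elem key="state">VULNERABLE</elem></table>
   </script>
   <script id="smb-vuln-placeholder" output="NOT VULNERABLE">
    <table key="VULN-ID-PLACEHOLDER-2"><elem key="state">NOT VULNERABLE</elem></table>
   </script>
  </hostscript>
 </host>
</nmaprun>"""

def open_ports(xml_text):
    """Return sorted (port, protocol, service) tuples for ports in state 'open'."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        state = port.find("state")
        if state is None or state.get("state") != "open":
            continue  # drop filtered/closed entries so only real exposure is listed
        svc = port.find("service")
        name = svc.get("name", "unknown") if svc is not None else "unknown"
        found.append((int(port.get("portid")), port.get("protocol"), name))
    return sorted(found)

def vulnerable_scripts(xml_text):
    """Return ids of NSE scripts whose 'state' element starts with VULNERABLE."""
    root = ET.fromstring(xml_text)
    hits = []
    for script in root.iter("script"):
        states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
        if any(s.strip().startswith("VULNERABLE") for s in states):
            hits.append(script.get("id"))
    return hits
```

Run it against a real report with `open_ports(open("scan.xml").read())`; the filtered port 135 in the sample shows why the state check matters, and "NOT VULNERABLE" is deliberately not treated as a hit.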
Let's first understand how patching works at Microsoft and where this naming convention comes from.
This is an excerpt from the Rapid7 blog:
In November of 2003 Microsoft standardized its patch release cycle. By releasing its patches on the second Tuesday of every month, Microsoft hoped to address issues that were the result of patches being released in a non-uniform fashion. This effort has become known as Patch-Tuesday. From the implementation of Patch-Tuesday (November, 2003) until December, 2008, Microsoft released a total of 10 patches that were not released on a Patch-Tuesday, also known as "out-of-band" patches. The 10th out-of-band patch released by Microsoft is outlined in the MS08-067 security bulletin.
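As an added example (not from the Rapid7 post or the original article), the "second Tuesday of the month" rule from the excerpt written out in Python, so a release date can be classified as a Patch Tuesday or an out-of-band release. The sample dates are supplied here and are not taken from the page.

```python
# Added example (not from the Rapid7 post or the original article): classify a
# Microsoft bulletin release date as a Patch Tuesday (the second Tuesday of its
# month) or as an "out-of-band" release, as the excerpt above defines them.
import calendar
from datetime import date

def patch_tuesday(year, month):
    """Return the date of the second Tuesday of the given month."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)

def classify(iso_date):
    """Label an ISO date (YYYY-MM-DD) as 'Patch Tuesday' or 'out-of-band'."""
    released = date.fromisoformat(iso_date)
    if released == patch_tuesday(released.year, released.month):
        return "Patch Tuesday"
    return "out-of-band"

def out_of_band_count(iso_dates):
    """Count the releases in a list that did not land on a Patch Tuesday."""
    return sum(1 for d in iso_dates if classify(d) == "out-of-band")

if __name__ == "__main__":
    # Sample dates supplied here (not taken from the page): the October 2008
    # Patch Tuesday and a Thursday release later in the same month.
    for d in ["2008-10-14", "2008-10-23"]:
        print(d, classify(d))
```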
Let's also have a look at the Microsoft Security Bulletin for MS08-067.
Now that we have a little more information on that vulnerability, let's try to exploit it!
Step 3 - Exploiting MS08-067
We use Searchsploit, a command-line search tool for Exploit Database, to check whether there is a Metasploit exploit available for us to use.
I use the following command:
searchsploit ms08-067
I launch Metasploit and look for the command I should use to launch the exploit.
I use the following command to list all the modules available for ms08-067:
search ms08_067
We find the exploit module for the vulnerability:
exploit/windows/smb/ms08_067_netapi
ms08_067_netapi is one of the most popular remote exploits against Microsoft Windows. It is considered a reliable exploit and allows you to gain access as SYSTEM, which is the highest Windows privilege.
I use the following command to select the exploit:
use exploit/windows/smb/ms08_067_netapi
This selects the exploit module. I use this command to display the available options:
show options
You can see that the remote host (RHOSTS) is not yet set. I will set the remote host, as this piece of information is needed to run the exploit.
I use the following command to set the remote host to the IP address of the HTB Legacy box:
set RHOSTS 10.10.10.4
You can also do a check before running the exploit to confirm that the target is vulnerable.
I use the following command to do the check:
check
We can now run the exploit.
Bingo! We have a Meterpreter session. Let's see what we can find :)
Step 4 - Using Meterpreter to find the user.txt flag
From the Offensive Security website, we get this definition of Meterpreter:
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
You can read more about Meterpreter here, and get to know more commands for this tool here.
Let's find the user.txt flag.
I use the following command to search for the file:
search -f user.txt
-f: File name (pattern) to search for
The search command provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders.
We now need to navigate to:
c:\Documents and Settings\john\Desktop\user.txt
To check where you are, you can use the following command:
pwd
I am currently at:
C:\WINDOWS\system32
I use the following command twice to move up to the parent directory:
cd ..
I use the following command to list all the files/folders when I'm at the C:\ level:
ls
I then move to the folder where the user.txt flag is. I use ls to list all files under the Desktop folder.
We found the user.txt file! To read the content of the file, I use the command:
cat user.txt
Now that we have the user flag, let's find the root flag!
Step 5 - Looking for the root.txt flag
I use the following command to search for the file:
search -f root.txt
We now need to navigate to:
c:\Documents and Settings\Administrator\Desktop\root.txt
I go back to C:\ to navigate to the Administrator folder and then the Desktop folder. I use ls to list all files under the Desktop folder.
We find the root.txt file!
To read the content of the file, I use the command:
cat root.txt
Congrats! You found both flags!
Please don't hesitate to comment, ask questions or share with your friends :)
You can see more of my articles here.
You can follow me on Twitter or on LinkedIn.
And don't forget to #GetSecure, #BeSecure & #StaySecure!
Other articles in this series
Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-legacy/