Hack The Box新手教程

新手教程

Fawn

What does the 3-letter acronym FTP stand for?

File Transfer Protocol

文件传输协议,在不登录其他主机的情况下实现与其他主机之间的文件交互

Which port does the FTP service listen on usually?

21

ftp 有两个端口 21用来认证,20用来传输文件

What acronym is used for the secure version of FTP?

sftp

What is the command we can use to send an ICMP echo request to test our connection to the target?

ping

ping的协议是ICMP

From your scans, what version is FTP running on the target?

在这里插入图片描述

nmap -sV ip 探测服务/版本信息

What is the command we need to run in order to display the ‘ftp’ client help menu?

ftp -h

就是打开菜单

What is username that is used over FTP when you want to log in without having an account?

在这里插入图片描述

anonymous

匿名用户登入 密码是空或者Email

What is the response code we get for the FTP message ‘Login successful’?

在这里插入图片描述

230

There are a couple of commands we can use to list the files and directories available on the FTP server. One is dir. What is the other that is a common way to list files on a Linux system.

ls

linux命令

What is the command used to download the file we found on the FTP server?

get

ftp命令

Submit root flag
在这里插入图片描述

先用lcd指定下载到本地的位置

然后用get下载

在这里插入图片描述

总结

ftp协议、ftp命令



Dancing

What does the 3-letter acronym SMB stand for?

Server Message Block

SMB协议用于在计算机间共享文件、打印机等资源

What port does SMB use to operate at?

445

What is the service name for port 445 that came up in our Nmap scan?

在这里插入图片描述

microsoft-ds

使用nmap -sV ip 扫描

What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ‘list’ the available shares on Dancing?

-L

What is the name of the share we are able to access in the end with a blank password?

在这里插入图片描述

WorkShares

What is the command we can use within the SMB shell to download the files we find?

get

submit root flag

在这里插入图片描述

翻一下目录,找到flag.txt后

使用lcd指定下载的目录

用get下载

在这里插入图片描述

最后到对应目录找到flag

总结

SMB协议、smbclient 命令



Redeemer

Which TCP port is open on the machine?

6379

要使用-p-扫描全部端口,然后–min-rate 5000 设置速度(提速)

Which service is running on the port that is open on the machine?

redis

redis是一种内存数据库且是NoSQL(非关系数据类型),因为它存储在内存存储器(可以与CPU直接交换数据),所以它检索数据的时间很快

What type of database is Redis? Choose from the following options: (i) In-memory Database, (ii) Traditional Database

in-memory Database

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

redis-cli

要先下载 redis-tools (sudo apt install redis-tools)

Which flag is used with the Redis command-line utility to specify the hostname?

-h

Once connected to a Redis server, which command is used to obtain the information and statistics about the Redis server?

info

在这里插入图片描述

Which command-line utility is used to interact with the Redis server? Enter the program name you would enter into the terminal without any arguments.

redis-cli

What is the version of the Redis server being used on the target machine?

5.0.7

在info里可以找到

Which command is used to select the desired database in Redis?

select

How many keys are present inside the database with index 0?

4

在这里插入图片描述

info keyspace

Which command is used to obtain all the keys in a database?

keys *

Submit root flag

在这里插入图片描述

总结

redis数据库、redis-cli命令



explosion

What does the 3-letter acronym RDP stand for?

Remote Desktop protocol

远程桌面协议,可以远程操控桌面

What is a 3-letter acronym that refers to interaction with the host through a command line interface?

cli

通过命令行与主机交互

What about graphical user interface interactions?

gui

通过图形化界面与主机交互

What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?

telnet

telnet由于缺乏安全加密的能力被认为是不安全的(容易被攻击者获得数据包并读取其中内容),现在主要被更安全的SSH取代

What is the name of an old remote access tool that came without encryption by default and listens on TCP port 23?

在这里插入图片描述

What is the switch used to specify the target host’s IP address when using xfreerdp?
在这里插入图片描述
/v:

输入xfreerdp -h

What username successfully returns a desktop projection to us with a blank password?

administrator

Submit root flag

在这里插入图片描述

在这里插入图片描述

总结

DRP远程桌面协议、xfreerdp工具命令



preignition

Directory Brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.

dir busting

What switch do we use for nmap’s scan to specify that we want to perform version detection

-sV

What does Nmap report is the service identified as running on port 80/tcp?

在这里插入图片描述

http

What server name and version of service is running on port 80/tcp?

在这里插入图片描述

nginx 1.14.2

What switch do we use to specify to Gobuster we want to perform dir busting specifically?

dir

When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?
在这里插入图片描述

-x php

先下载gobuster,然后使用gobuster dir -h

What page is found during our dir busting activities?
在这里插入图片描述
在这里插入图片描述

admin.php

注意 -w 的路径,就是爆破字典的路径 /usr/share/wordlists/dirb/common.txt

What is the HTTP status code reported by Gobuster for the discovered page?

200

Submit root flag

用爆破找到的目录进入登入页面,登入后得到flag

这里是用常见弱口令 admin admin

或使用nmap的表单爆破

nmap -p 80 --script=http-form-brute --script-args=http-form-brute.path=/admin.php ip -d

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述
进入ip/admin.php 输入账号密码后得到flag

总结

gobuster的使用



Mongod

How many TCP ports are open on the machine?

在这里插入图片描述

2

使用nmap -p- --min-rate 10000 ip扫描

Which service is running on port 27017 of the remote host?

在这里插入图片描述

MongoDB 3.6.8

nmap -p 27017 -sV ip

What type of database is MongoDB? (Choose: SQL or NoSQL)

NoSQL

NoSQL(No Only SQL):使用非关系模型(可以有不同的数据模型,SQL是固定的行和列,遵顼事先定义的原则),较灵活,使用水平拓展的方式,虽然查询的结果没有SQL那样精确,但它使用于存储大量的数据

What is the command name for the Mongo shell that is installed with the mongodb-clients package?

Mongo

What is the command used for listing all the databases present on the MongoDB server? (No need to include a trailing 😉

show dbs

show dbs                     show database names
show collections             show collections in current database
show users                   show users in current database
show profile                 show most recent system.profile entries with time >= 1ms
show logs                    show the accessible logger names
show log [name]              prints out the last segment of log in memory, 'global' is default
use <db_name>                set current database
db.foo.find()                list objects in collection foo
db.foo.find( { a : 1 } )     list objects in foo where a == 1
it                           result of the last line evaluated; use to further iterate
DBQuery.shellBatchSize = x   set default number of items to display on shell
exit                         quit the mongo shell

What is the command used for listing out the collections in a database? (No need to include a trailing 😉

show collections

What is the command used for dumping the content of all the documents within the collection named flag in a format that is easy to read?

db.flag.find().pretty()

Submit root flag

在这里插入图片描述

总结

mongo数据库、mogon shell、NoSQL

synced

What is the default port for rsync?

在这里插入图片描述

873

rsync是一种文件传输协议,通过rsync,我们可以仅仅传输需要修改的文件,而不是整个文件(ftp只能传输整个文件),因此,rsync协议相较于ftp更快更便捷。

可在本地复制文件也可以通过远程shell与其他主机进行通信

How many TCP ports are open on the remote host?

在这里插入图片描述

1

What is the protocol version used by rsync on the remote machine?

31

第一题 -sV 参数扫描的时候就有

What is the most common command name on Linux to interact with rsync?

rsync

What credentials do you have to pass to rsync in order to use anonymous authentication? anonymous:anonymous, anonymous, None, rsync:rsync

None

这个None 就是空,不是名为None的账号

What is the option to only list shares and files on rsync? (No need to include the leading – characters)

在这里插入图片描述

list-only

使用 rsync -h命令查看

Submit root flag

在这里插入图片描述

总结

rsync协议、命令

评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

hhhalloWelt

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值