Fortresses-Jet

About 达到HTB的Hacker等级后可以进入Advanced Labs,本文是关于Fortresses(堡垒)中的Jet挑战 Connect Nmap扫描结果如下 [root@kali] /home/kali/Jet ❯ nmap 10.13.37.10 -T4 -Pn -sS Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 15:06 CST Nmap scan report for jet.com (10.13.37.10) Host is up (0.38s latency). Not shown: 994 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 53/tcp open domain 80/tcp open http 2222/tcp open EtherNetIP-1 5555/tcp open freeciv 7777/tcp open cbt 使用浏览器打开80端口即可获得flag ...

2024年12月19日 · 9 分钟 · 4249 字 · HYH

HTB-Chemistry

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap Chemistry.htb -sS -Pn -T4 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-17 20:11 CST Nmap scan report for Chemistry.htb (10.10.11.38) Host is up (0.10s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 5000/tcp open upnp Nmap done: 1 IP address (1 host up) scanned in 1.78 seconds 开放端口:22、5000 ...

2024年12月17日 · 3 分钟 · 1302 字 · HYH

HTB-Heal

Box Info OS Linux Difficulty Medium Nmap [root@kali] /home/kali/Heal ❯ nmap -sSCV -Pn heal.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 17:29 CST Nmap scan report for heal.htb (10.10.11.46) Host is up (0.085s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 68:af:80:86:6e:61:7e:bf:0b:ea:10:52:d7:7a:94:3d (ECDSA) |_ 256 52:f4:8d:f1:c7:85:b6:6f:c6:5f:b2:db:a6:17:68:ae (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Heal |_http-server-header: nginx/1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.40 seconds 开放端口:22、80 ...

2024年12月15日 · 4 分钟 · 1738 字 · HYH

Sherlocks-Brutus

Sherlock Scenario 在这个非常简单的 Sherlock 中,您将熟悉 Unix auth.log 和 wtmp 日志。我们将探索一个场景,其中 Confluence 服务器通过其 SSH 服务被暴力破解。获得对服务器的访问权限后,攻击者执行了其他活动,我们可以使用 auth.log 进行跟踪。尽管 auth.log 主要用于暴力分析,但我们将在调查中深入研究此工件的全部潜力,包括权限提升、持久性方面,甚至对命令执行的一些可见性。 ...

2024年12月10日 · 2 分钟 · 976 字 · HYH

HTB-LinkVortex

Box Info OS Linux Difficulty Easy Nmap [root@kali] /home/kali ❯ nmap -sSCV -Pn LinkVortex.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-08 21:44 CST Nmap scan report for LinkVortex.htb (10.10.11.47) Host is up (0.088s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA) |_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519) 80/tcp open http Apache httpd |_http-server-header: Apache | http-title: BitByBit Hardware |_Requested resource was http://linkvortex.htb/ | http-robots.txt: 4 disallowed entries |_/ghost/ /p/ /email/ /r/ |_http-generator: Ghost 5.58 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.62 seconds Subdomain Fuzz [root@kali] /home/kali/LinkVortex ❯ ffuf -u http://linkvortex.htb/ -w ./fuzzDicts/subdomainDicts/main.txt -H "Host:FUZZ.linkvortex.htb" -mc 200 ⏎ /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://linkvortex.htb/ :: Wordlist : FUZZ: /home/kali/LinkVortex/fuzzDicts/subdomainDicts/main.txt :: Header : Host: FUZZ.linkvortex.htb :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200 ________________________________________________ dev [Status: 200, Size: 2538, Words: 670, Lines: 116, Duration: 73ms] :: Progress: [167378/167378] :: Job [1/1] :: 500 req/sec :: Duration: [0:05:55] :: Errors: 46 :: 发现存在:dev.linkvortex.htb,添加到/etc/hosts ...

2024年12月09日 · 4 分钟 · 1695 字 · HYH

HTB-Certified

Box Info OS Windows Difficulty Medium As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09 Nmap ┌──(root㉿kali)-[/home/kali/Certified] └─# nmap -sSCV -Pn -p- Certified.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-06 20:00 CST Stats: 0:02:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 90.13% done; ETC: 20:02 (0:00:15 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Stats: 0:03:16 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 61.90% done; ETC: 20:04 (0:00:25 remaining) Nmap scan report for Certified.htb (10.10.11.41) Host is up (0.083s latency). Not shown: 65514 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-06 18:49:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.certified.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certified.htb | Not valid before: 2024-05-13T15:49:36 |_Not valid after: 2025-05-13T15:49:36 |_ssl-date: 2024-12-06T18:50:32+00:00; +6h45m59s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49683/tcp open msrpc Microsoft Windows RPC 49715/tcp open msrpc Microsoft Windows RPC 49737/tcp open msrpc Microsoft Windows RPC 49772/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2024-12-06T18:49:56 |_ start_date: N/A |_clock-skew: mean: 6h45m58s, deviation: 0s, median: 6h45m58s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 254.91 seconds GetAllUserName ┌──(root㉿kali)-[~kali/Certified] └─# crackmapexec smb certified.htb -u "judith.mader" -p "judith09" --rid-brute | grep SidTypeUser SMB Certified.htb 445 DC01 500: CERTIFIED\Administrator (SidTypeUser) SMB Certified.htb 445 DC01 501: CERTIFIED\Guest (SidTypeUser) SMB Certified.htb 445 DC01 502: CERTIFIED\krbtgt (SidTypeUser) SMB Certified.htb 445 DC01 1000: CERTIFIED\DC01$ (SidTypeUser) SMB Certified.htb 445 DC01 1103: CERTIFIED\judith.mader (SidTypeUser) SMB Certified.htb 445 DC01 1105: CERTIFIED\management_svc(SidTypeUser) SMB Certified.htb 445 DC01 1106: CERTIFIED\ca_operator (SidTypeUser) SMB Certified.htb 445 DC01 1601: CERTIFIED\alexander.huges (SidTypeUser) SMB Certified.htb 445 DC01 1602: CERTIFIED\harry.wilson (SidTypeUser) SMB Certified.htb 445 DC01 1603: CERTIFIED\gregory.cameron (SidTypeUser) Bloodhound ┌──(root㉿kali)-[~kali/Certified] └─# bloodhound-python -u judith.mader -p 'judith09' -c All -d certified.htb -ns 10.10.11.41 INFO: Found AD domain: certified.htb INFO: Getting TGT for user WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: dc01.certified.htb INFO: Found 10 users INFO: Found 53 groups INFO: Found 2 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 0 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: DC01.certified.htb INFO: Done in 00M 17S 导入到bloodhoundGUI里面进行分析 ...

2024年12月08日 · 7 分钟 · 3220 字 · HYH

HTB-Administrator

Box Info OS Windows Difficulty Medium As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia Password: ichliebedich Nmap ┌──(root㉿kali)-[/home/kali/Administrator] └─# nmap -sSCV -Pn administrator.htb Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 15:51 CST Nmap scan report for administrator.htb (10.10.11.42) Host is up (0.072s latency). Not shown: 988 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 14:37:40Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: 6h46m00s | smb2-time: | date: 2024-12-05T14:37:51 |_ start_date: N/A Crackmapexec 通过SMB服务,获取到了当前存在的用户信息 ...

2024年12月05日 · 5 分钟 · 2354 字 · HYH

HTB-Vintage

Box Info OS Windows Difficulty Hard As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123 Nmap Scan └─# nmap -sC -sV -T4 -Pn vintage.htb -p- PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-04 01:49:22Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49664/tcp open unknown 49668/tcp open unknown 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49681/tcp open unknown 50907/tcp open unknown 65103/tcp open unknown Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: -13m55s | smb2-time: | date: 2024-12-04T01:49:48 |_ start_date: N/A 发现在3269端口这一行,存在一个名为:DC01 的域控主机,添加到/etc/hosts中 ...

2024年12月03日 · 8 分钟 · 3930 字 · HYH

WuCup-2024

Web Sign 题目介绍: POST浅浅签个到吧 HelloHacker 题目介绍: 你看到的不一定是真的 源码如下 <?php highlight_file(__FILE__); error_reporting(0); include_once 'check.php'; include_once 'ban.php'; $incompetent = $_POST['incompetent']; $WuCup = $_POST['WuCup']; if ($incompetent !== 'HelloHacker') { die('Come invade!'); } $required_chars = ['p', 'e', 'v', 'a', 'n', 'x', 'r', 'o', 'z']; $is_valid = true; if (!checkRequiredChars($WuCup, $required_chars)) { $is_valid = false; } if ($is_valid) { $prohibited_file = 'prohibited.txt'; if (file_exists($prohibited_file)) { $file = fopen($prohibited_file, 'r'); while ($line = fgets($file)) { $line = rtrim($line, "\r\n"); if ($line === '' && strpos($WuCup, ' ') === false) { continue; } if (stripos($WuCup, $line) !== false) { fclose($file); die('this road is blocked'); } } fclose($file); } eval($WuCup); } else { die('NO!NO!NO!'); } ?> 简单分析一下,post的参数中incompetent是HelloHacker ...

2024年12月01日 · 3 分钟 · 1432 字 · HYH

HTB-Alert

Box Info OS Linux Difficulty Easy Nmap Scan nmap alert.htb -sC -sV -T4 -Pn 开放端口:22、80,httpserver是Apache 进入80端口的网页,发现存在Markdown文件上传 ...

2024年11月30日 · 2 分钟 · 793 字 · HYH