hackthebox靶场练习

准备

注册

网络环境

1. 登录

2. 下载oenvpn的配置文件

3. 安装 brew install openvpn

4. openvpn —config starting_point_lewo.ovpn 连接

To restart openvpn after an upgrade:
  sudo brew services restart openvpn
Or, if you don't want/need a background service you can just run:
  /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/openvpn.conf

utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.10.16.51 --> 10.10.16.51 netmask 0xfffffe00 
        inet6 fe80::1a3e:efff:fee6:3a66%utun2 prefixlen 64 scopeid 0x13 
        inet6 dead:beef:4::1031 prefixlen 64 
        nd6 options=201<PERFORMNUD,DAD>

第一课 starting point

Archetype

sudo nmap -sC -sV 10.10.10.27

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-01 09:31 +08
Nmap scan report for 10.10.10.27
Host is up (0.81s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-01T01:41:31
|_Not valid after:  2051-09-01T01:41:31
|_ssl-date: 2021-09-01T01:56:40+00:00; +24m39s from scanner time.
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-01T01:56:16
|_  start_date: N/A
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 1h48m39s, deviation: 3h07m51s, median: 24m38s
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-31T18:56:13-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default

$ smbutil


usage: smbutil [-hv] subcommand [args]
where subcommands are:
 help          display help on specified subcommand
 lookup        resolve NetBIOS name to IP address
 status        resolve IP address or DNS name to NetBIOS names
 view          list resources on specified host
 dfs           list DFS referrals
 identity      identity of the user as known by the specified host
 statshares    list the attributes of mounted share(s)
 multichannel  list the attributes of the channels of mounted share(s)
 snapshot      list snapshots for the mount path
$ smbutil view -NG //10.10.10.27 

smbutil: server rejected the authentication: Authentication error

<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..."
GeneratedFromPackageName="..." GeneratedFromPackageID="..."
GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property"
Path="\Package.Connections[Destination].Properties[ConnectionString]"
ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User
ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist
Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>

oopsie

PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  tcpwrapped
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)