HackTheBox lab practice

date
Sep 1, 2021 04:30 AM
tags
Writeup
Website
slug
hackthebox
summary
HackTheBox is said to be highly realistic, and it also has free target machines. The first step to saving money on the way to OSCP.

Preparation

Registration

All you need is a network that can load Google's CAPTCHA (human verification).

Network environment

  1. Log in
  2. Download the OpenVPN configuration file
  3. Install: brew install openvpn
  4. Connect: openvpn --config starting_point_lewo.ovpn
    1. To restart openvpn after an upgrade:
        sudo brew services restart openvpn
      Or, if you don't want/need a background service you can just run:
        /opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/openvpn.conf
      utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
              inet 10.10.16.51 --> 10.10.16.51 netmask 0xfffffe00 
              inet6 fe80::1a3e:efff:fee6:3a66%utun2 prefixlen 64 scopeid 0x13 
              inet6 dead:beef:4::1031 prefixlen 64 
              nd6 options=201<PERFORMNUD,DAD>

Lesson 1: Starting Point

Archetype

sudo nmap -sC -sV 10.10.10.27

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-01 09:31 +08
Nmap scan report for 10.10.10.27
Host is up (0.81s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open  ms-sql-s     Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-01T01:41:31
|_Not valid after:  2051-09-01T01:41:31
|_ssl-date: 2021-09-01T01:56:40+00:00; +24m39s from scanner time.
| ms-sql-ntlm-info: 
|   Target_Name: ARCHETYPE
|   NetBIOS_Domain_Name: ARCHETYPE
|   NetBIOS_Computer_Name: ARCHETYPE
|   DNS_Domain_Name: Archetype
|   DNS_Computer_Name: Archetype
|_  Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-01T01:56:16
|_  start_date: N/A
| ms-sql-info: 
|   10.10.10.27:1433: 
|     Version: 
|       name: Microsoft SQL Server 2017 RTM
|       number: 14.00.1000.00
|       Product: Microsoft SQL Server 2017
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_clock-skew: mean: 1h48m39s, deviation: 3h07m51s, median: 24m38s
| smb-os-discovery: 
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
|   Computer name: Archetype
|   NetBIOS computer name: ARCHETYPE\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-08-31T18:56:13-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
Found SMB file sharing.
$ smbutil


usage: smbutil [-hv] subcommand [args]
where subcommands are:
 help          display help on specified subcommand
 lookup        resolve NetBIOS name to IP address
 status        resolve IP address or DNS name to NetBIOS names
 view          list resources on specified host
 dfs           list DFS referrals
 identity      identity of the user as known by the specified host
 statshares    list the attributes of mounted share(s)
 multichannel  list the attributes of the channels of mounted share(s)
 snapshot      list snapshots for the mount path
$ smbutil view -NG //10.10.10.27 

smbutil: server rejected the authentication: Authentication error
Haha, that's the end of that.
Reportedly there is a shared configuration file, and it was leaked:
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
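An added example, not part of the original write-up: a defender-side audit that parses a DTSConfiguration file shaped like the one above and reports any connection string that embeds a password, without printing the secret. The sample file, the function names and the key list are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the file above; the password is a placeholder.
SAMPLE = r"""<DTSConfiguration>
    <Configuration ConfiguredType="Property" ValueType="String"
        Path="\Package.Connections[Destination].Properties[ConnectionString]">
        <ConfiguredValue>Data Source=.;Password=EXAMPLE-ONLY;User
ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Persist
Security Info=True;</ConfiguredValue>
    </Configuration>
    <Configuration ConfiguredType="Property" ValueType="Int32"
        Path="\Package.Variables[User::BatchSize].Properties[Value]">
        <ConfiguredValue>500</ConfiguredValue>
    </Configuration>
</DTSConfiguration>"""

SECRET_KEYS = {"password", "pwd"}  # assumed list of secret-bearing keys


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict. Wrapped lines are rejoined; quoted values
    that themselves contain ';' are not handled in this sketch."""
    pairs = {}
    for part in " ".join(value.split()).split(";"):
        key, sep, val = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_dtsconfig(xml_text):
    """Return one finding per <Configuration> whose value embeds a password."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter("Configuration"):
        pairs = parse_connection_string(cfg.findtext("ConfiguredValue") or "")
        hit = SECRET_KEYS.intersection(pairs)
        if hit:
            findings.append({
                "path": cfg.get("Path"),
                "account": pairs.get("user id") or pairs.get("uid"),
                "secret_key": sorted(hit)[0],
                "persisted": pairs.get("persist security info", "").lower() == "true",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_dtsconfig(SAMPLE):
        print(finding)  # the secret value itself is never printed
```

Any finding means the account's password should be rotated and the package switched to integrated authentication or a protected configuration store.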
And reportedly,
Sure enough, it really is "very easy".
Reportedly there are many more steps.

Oopsie

PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  tcpwrapped
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No key information here; keep looking.
Take a look at all the interesting directories.

© lewoking 2021 - 2022