hackthebox lab practice
date
Sep 1, 2021 04:30 AM
Related to Schedule Data 1 (blog)
tags
Writeup
Website
slug
hackthebox
summary
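hackthebox: reportedly very close to real-world practice, and it also has free target machines. The first step to saving money on the OSCP.
Preparation
Registration
All you need is a network that can load Google's human verification (CAPTCHA).
Network environment
- Log in

- Download the OpenVPN configuration file
- Install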
brew install openvpn
openvpn --config starting_point_lewo.ovpn
Connect
To restart openvpn after an upgrade:
sudo brew services restart openvpn
Or, if you don't want/need a background service you can just run:
/opt/homebrew/opt/openvpn/sbin/openvpn --config /opt/homebrew/etc/openvpn/openvpn.conf
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.10.16.51 --> 10.10.16.51 netmask 0xfffffe00
inet6 fe80::1a3e:efff:fee6:3a66%utun2 prefixlen 64 scopeid 0x13
inet6 dead:beef:4::1031 prefixlen 64
nd6 options=201<PERFORMNUD,DAD>
Lesson 1: starting point
Archetype

sudo nmap -sC -sV 10.10.10.27
Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-01 09:31 +08
Nmap scan report for 10.10.10.27
Host is up (0.81s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2021-09-01T01:41:31
|_Not valid after: 2051-09-01T01:41:31
|_ssl-date: 2021-09-01T01:56:40+00:00; +24m39s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: ARCHETYPE
| NetBIOS_Domain_Name: ARCHETYPE
| NetBIOS_Computer_Name: ARCHETYPE
| DNS_Domain_Name: Archetype
| DNS_Computer_Name: Archetype
|_ Product_Version: 10.0.17763
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-01T01:56:16
|_ start_date: N/A
| ms-sql-info:
| 10.10.10.27:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_clock-skew: mean: 1h48m39s, deviation: 3h07m51s, median: 24m38s
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: Archetype
| NetBIOS computer name: ARCHETYPE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2021-08-31T18:56:13-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default
Found shared SMB
$ smbutil
usage: smbutil [-hv] subcommand [args]
where subcommands are:
help display help on specified subcommand
lookup resolve NetBIOS name to IP address
status resolve IP address or DNS name to NetBIOS names
view list resources on specified host
dfs list DFS referrals
identity identity of the user as known by the specified host
statshares list the attributes of mounted share(s)
multichannel list the attributes of the channels of mounted share(s)
snapshot list snapshots for the mount path
$ smbutil view -NG //10.10.10.27
smbutil: server rejected the authentication: Authentication error
Haha, that's the end of it.
Reportedly there is a shared configuration file, and it leaked:
<DTSConfiguration>
<DTSConfigurationHeading>
<DTSConfigurationFileInfo GeneratedBy="..."
GeneratedFromPackageName="..." GeneratedFromPackageID="..."
GeneratedDate="20.1.2019 10:01:34"/>
</DTSConfigurationHeading>
<Configuration ConfiguredType="Property"
Path="\Package.Connections[Destination].Properties[ConnectionString]"
ValueType="String">
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
</Configuration>
</DTSConfiguration>
And reportedly, once again
Sure enough, it really is very easy.
Reportedly there are still many more steps.
oopsie

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open tcpwrapped
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), Linux 5.0 - 5.3 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)

No key information here; keep looking.

Take a look at all the interesting directories.
